[cryptography] Mixing multiple password hashing: Crypto Blasphemy or Useful approach?

Fabio Pietrosanti (naif) - lists lists at infosecurity.ch
Mon Mar 16 03:31:57 EDT 2015

On 3/16/15 1:58 AM, grarpamp wrote:
> Is this not the old chained crypto argument? 
Well, no, the old chained crypto argument try to argue that "if a crypto
A is broken, then crypto B will save the cryptosystem" .

Instead i'm specifically brainstorming (but i maybe perfectly wrong!)
w.t.r. providing "better resiliency against massive parallelization
trough specifically designer hardware such as ASIC/FPGA" .

Let me better elaborate:

The logical assumption for the adversary is to be interested to build a
"SHA1 cracking super computer"  because PKDF2-SHA1 is very diffused.

So i'd assume that the adversary is going to build up "cracking super
computer" with ASIC/FPGA that focus on specific algorithms that are
widely diffused, investing a shit load of money in cryptanalytic
research trying to optimize the cracking.

The assumptions i'm testing in this email are that if the adversary will
build the same "cracking super computer" for a less diffused algorithm:
- it will be a "smaller cracking super computer" because of the smaller
user-base using the less diffused algorithm
- it will be "less optimized" because he will have invested less money
in optimizing the cracking process trough cryptanalytic research.

IF that assumptions are true, leveraging multiple cryptographic
primitives, would wave the adversary from the ability in trying to crack
my stuff on "super powerful" and "super optimized"
crypto-cracking-cluster, requiring him to work over multiple "less
powerful" and "less optimized" cracking machine.

On an IRC discussion i've been told that security strength of key
stretching improve logarithmically, so between 500.000 PKDF2 and
1.000.000 PKDF2 iterations, there's not such a big improvement.

If the adversary build a PKDF2-optimized cracking machine (because PKDF2
is widely diffused), i expect it will be better for him to attack a
1.000.000 PKDF2 iterations, rather than (for example):
* 500.000 PKDF2
* 100.000 Whirpool
* 100.000 Blake2
* 100.000 Keccak
* 100.000 SHA512
* 100.000 HKDF

Because, from the assumption discussed above (maybe wrong eh, i'm
testing it!), the adversary, with the regards to all those others 5 crypto:
- Does not yet own a super-powerful cracking machine (or the cracking
machine are small in size/power)
- The level of cracking optimization are not that big

However the amount of "computational power" required on a general
purpose computer maybe "more or less the same" .

So the basic question, following those explanation, should be:

"Given that a cryptosystem is strong/good enough, by "adding" additional
computation trough multiple cryptographic primitives, it's reasoable to
affirm that this approach is going to put more difficulties on the
adversary given his inability to build a
single-hardware-highly-optimized ASIC/FPGA cracking cluster, compared to
the same amount of "additional computation" by using a single
cryptographic primitive?"

Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi

More information about the cryptography mailing list