Date: Tue, 5 May 2015 21:03:24 +0200
From: Dmitry Khovratovich <khovratovich@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Argon2
On Tue, May 5, 2015 at 8:36 PM, Marcos Simplicio <mjunior@...c.usp.br> wrote:
> 1) For legitimate users, part of the PHS's computation time would be
> wasted calculating the indices to be visited, while attackers could do
> so only once and reuse the pre-computed indices in many threads,
> diluting the corresponding costs. To avoid giving more advantage to
> attackers than to legitimate users, the computation of indices should be
> as lightweight as possible (which is a goal in Catena and also in
> Lyra2's first pass).
In Argon2i the indices are produced in groups. 256 indices cost as
much as filling 2 memory blocks.
Therefore, the overhead is less than 1%.
>
> 2) Some salts/parameters will end up leading to weaker visitation
> patterns than others. This is unlikely to be critical in the long run,
> but that would be similar to having "weak keys" in cryptographic
> algorithms. So, if those are avoidable, it would probably be better.
In Argon2i indices depend on the block number only, not on the salt.
>
> My two cents, at least.
>
> Marcos.
--
Best regards,
Dmitry Khovratovich
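
A toy model of the two points in the reply above, added here as an illustration; it is not part of the original message and is not Argon2 code. The compression function `G` is a BLAKE2b-based stand-in, and the block size, counter encoding and function names (`index_group`, `fill`) are assumptions; only the "256 indices for the cost of 2 blocks" figure and the salt-independence of the indices come from the message.

```python
import hashlib
import struct

BLOCK = 1024       # bytes per memory block (assumed for this model)
PER_GROUP = 256    # indices produced per group, the figure given in the reply

def G(data: bytes) -> bytes:
    """Stand-in compression function (BLAKE2b in counter mode), NOT Argon2's G."""
    return b"".join(
        hashlib.blake2b(data + struct.pack("<I", i)).digest()
        for i in range(BLOCK // 64)
    )

def index_group(group_no: int) -> tuple:
    """256 32-bit indices from the group counter only: no password, no salt.
    Costs two G calls, i.e. as much as filling two memory blocks."""
    return struct.unpack("<256I", G(G(struct.pack("<Q", group_no))))

def fill(password: bytes, salt: bytes, n_blocks: int):
    """Fill n_blocks blocks; return (tag, reference trace, index G calls, fill G calls)."""
    mem = [G(password + salt)]           # block 0 is the only direct use of the salt
    index_calls, fill_calls = 0, 1
    trace, group = [], ()
    for i in range(1, n_blocks):
        pos = (i - 1) % PER_GROUP
        if pos == 0:                     # start of a new group of 256 blocks
            group = index_group((i - 1) // PER_GROUP)
            index_calls += 2
        ref = group[pos] % i             # reference an already-filled block
        mem.append(G(mem[i - 1] + mem[ref]))
        fill_calls += 1
        trace.append(ref)
    return hashlib.blake2b(mem[-1]).hexdigest(), trace, index_calls, fill_calls

if __name__ == "__main__":
    # Constructed inputs: same password, two different salts.
    tag_a, trace_a, idx, filled = fill(b"password", b"salt-A", 1025)
    tag_b, trace_b, _, _ = fill(b"password", b"salt-B", 1025)
    print(f"index overhead: {idx}/{filled} = {idx / filled:.2%}")
    print("same visitation pattern:", trace_a == trace_b)
    print("different tags:", tag_a != tag_b)
```
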