Date: Wed, 24 Jun 2015 08:00:53 +0000
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Anonymous comments about Argon2 and Catena

This is to share comments from a PHC submitter, who wishes to remain
anonymous:

------------------------

Choosing between Argon2i and Catena is obvious to me, although I do not
like that category.  Argon2i is better than Catena: it seems that Catena
uses two versions for processing small and large memories, strange design.
In addition, Argon team taught Catena team how to analyze and improve the
security of Catena.

Including Argon2 in the competition is good for a fair competition;
otherwise Catena can win in that category without meaningful competition
since its competitor RIG was kicked out already.

It has been mentioned repeatedly that password information is leaked
through side channel, but no experiment has been performed to measure how
many hashes are needed to leak one bit password information in those
candidates. A password may not get hashed many times in practice (KDF is
different).  I checked a cache-timing attack on AES, the number of
samples is quite large in order to remove the measurement noise ( 17,720
samples according to the paper
https://cseweb.ucsd.edu/~kmowery/papers/aes-cache-timing.pdf  ) The number
of samples may be reduced for password hashing due to the larger state size
and longer processing time.  Anyway, experiments are necessary if we want
to know/claim how important the side-channel attack is for this competition.

------------------------

Content of type "text/html" skipped

Powered by blists - more mailing lists