lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 5 Sep 2015 21:19:15 -0700
From: Andrew Ekstedt <andrew.ekstedt@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Comments on Argon2 v1.2.1

On Wed, Sep 2, 2015 at 7:12 AM, Dmitry Khovratovich
<khovratovich@...il.com> wrote:
> We have corrected the specification (page 5) and updated the test vectors on
> github.

Thanks Dmitry.

The updated specification does not correctly describe blake2b_long.
Going by the reference implementation, V_m+1 should be defined by
V_m+1 =  H_min(τ, 33+(τ-1 mod 32))(V_m), and is never absent. (m is
then m = max(0, ⌊(τ-33)/32⌋))

I would prefer a return to the originally specified output function
(iterate a 64-byte hash, appending 32 bytes to the output until τ is
reached), which is easier both to describe and implement. The only
advantage i can see of the new version is that it performs one fewer
iteration of H, but the cost of H is surely dwarfed by the overall
Argon2 computation. I don't believe it is worth the additional
complexity.

Andrew Ekstedt

Powered by blists - more mailing lists