lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 12 Jan 2016 10:43:21 +0100
From: Simon Josefsson <simon@...efsson.org>
To: Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com>
Cc: "discussions\@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: Attack on Argon2i?

Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com> writes:

> Appendix A claims a memory reduction on Argon2i:
> http://eprint.iacr.org/2016/027
>
> Not clear to me what's the actual efficiency of the improved attack though.

It says:

   it is possible to compute the single-pass variant of the Argon2i
   password hashing function [...] using between a quarter and a fifth
   of the desired space with no computational penalty.

The attack appears to require a pre-computation phase to pre-compute the
time after which some blocks will not be needed any more, so they can be
discarded during the computational phase, thus saving memory.

So overall the computation appears is larger, and I'm not sure in which
attack scenario this approach would actually be useful.

/Simon

Download attachment "signature.asc" of type "application/pgp-signature" (473 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ