Message-ID: <20150411041312.GA15128@openwall.com>
Date: Sat, 11 Apr 2015 07:13:12 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Allowing Agon2 and Catena2?

On Thu, Apr 02, 2015 at 08:30:07AM -0700, Bill Cox wrote:
> Do we want to continue benchmarking Argon2d and Argon2i? It is useful for
> reference, but we're putting work into analyzing Argon2 that should go
> elsewhere if there is no chance Argon2 can be selected.

Like you say, it's useful for reference, and we may be learning new
things from discussions around Argon2 - e.g., it prompted us to converge
to a narrower range of multiply vs. add latency estimates.

> I find Argon2 to
> be good work compared to Argon, and generally I don't care much for rules
> when they hurt the world, so my preference is to drop Argon, and allow
> Argon2 to go forward. Is this possible?

JP replied about Argon2. Unfortunately, no.
"Luckily," it has that excessive parallelism issue, which would have
prevented me from supporting Argon2 as a winner anyway. Of course,
others on the panel could have felt differently. But anyway, the panel
decided not to accept Argon2 for the reasons JP cited.

> The same goes for the new Catena version, and I'd also like to allow them
> to add any H hash function they need to, including the reduced Blake2b
> single-round hash.

As far as I can tell, this is already in PHC.

> I think the world would be better off with Argon2i and
> Catena2 duking it out for the cache-timing-resistant category, and Lyra2,
> Yescrypt, and Argon2d duking it out for the Scrypt upgrade category.

I agree. And POMELO is also a competitor in the latter category, for
those who want simpler and self-contained.

Alexander