lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20150411041312.GA15128@openwall.com>
Date: Sat, 11 Apr 2015 07:13:12 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Allowing Agon2 and Catena2?

On Thu, Apr 02, 2015 at 08:30:07AM -0700, Bill Cox wrote:
> Do we want to continue benchmarking Argon2d and Argon2i?  It is useful for
> reference, but we're putting work into analyzing Argon2 that should go
> elsewhere if there is no chance Argon2 can be selected.

Like you say, it's useful for reference, and we may be learning new
things from discussions around Argon2 - e.g., it prompted us to converge
to a narrower range of multiply vs. add latency estimates.

> I find Argon2 to
> be good work compared to Argon, and generally I don't care much for rules
> when they hurt the world, so my preference is to drop Argon, and allow
> Argon2 to go forward.  Is this possible?

JP replied about Argon2.  Unfortunately, no.

"Luckily," it has that excessive parallelism issue, which would have
prevented me from supporting Argon2 as a winner anyway.  Of course,
others on the panel could have felt differently.  But anyway, the panel
decided not to accept Argon2 for the reasons JP cited.

> The same goes for the new Catena version, and I'd also like to allow them
> to add any H hash function they need to, including the reduced Blake2b
> single-round hash.

As far as I can tell, this is already in PHC.

> I think the world would be better off with Argon2i and
> Catena2 duking it out for the cache-timing-resistant category, and Lyra2,
> Yescrypt, and Argon2d duking it out for the Scrypt upgrade category.

I agree.  And POMELO is also a competitor in the latter category, for
those who want simpler and self-contained.

Alexander

Powered by blists - more mailing lists