lists.openwall.net
Open Source and information security mailing list archives
Date: Tue, 14 Apr 2015 10:24:10 +0200
From: Dmitry Khovratovich <khovratovich@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Competition process

Dear PHC Committee,

we would like to share our concerns on the ongoing competition.

There could be two different types of a competition for/selection of a
new standard:
1) The submissions are largely unchanged during the competition time,
so that confidence arises from the amount of third-party analysis
accumulated over the period and the absence of attacks/flaws. To
narrow the analysis scope and make the best use of limited human
resources, the broken candidates are eliminated once and forever.

2) The submissions evolve over the competition period significantly,
absorbing new ideas and constructions from the discussion, possibly
even merging with each other. The confidence in the winner(s) comes
from the consensus in the committee on certain features that are
gradually integrated in the final version.

Each approach has its own benefits, but you cannot have both and
still be fair to the candidates. What has happened so far:

Like in the first type of a competition:
a) Quite many candidates did not make it to the final round.
b) Some designs that accumulated new ideas from the competition have not
been allowed into the next round (Argon2). This is particularly strange
since the tweaked Catena v3 (which is in the final) took one of
its features from Argon2i (which is not).

Like in the second type of a competition:
a) Major tweaks to some original submissions were allowed. One could
compare the original and the current Catena v3, Lyra2 v3.
b) Some submissions with violated security claims were allowed into
the next round. This discourages new cryptanalysis efforts. For example,
if we have new cryptanalysis results, we don't know whether to announce
them now, and then submissions would be just tweaked, or whether to
announce them after selection of the candidates.

The second approach (allowing learning from each other and major tweaks)
might be beneficial due to a relatively small size of the community behind PHC
and due to the state of the art being immature yet (the competition process clearly
gave it a large boost), but then it needs to be applied to all the candidates.
In particular, given the state of other finalists, we believe that it
would be fair to keep Argon2i and Argon2d in the competition.
-- 
Best regards,
Alex Biryukov
Dmitry Khovratovich,
the Argon team.
