Message-ID: <CALW8-7JsqPHKaVnxz+BoYVXWWZOFHADtmt-2MWdvALg=wXm+bg@mail.gmail.com>
Date: Tue, 14 Apr 2015 10:24:10 +0200
From: Dmitry Khovratovich <khovratovich@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Competition process

Dear PHC Committee,

we would like to share our concerns on the ongoing competition.

There could be two different types of a competition for/selection of a new standard:

1) The submissions are largely unchanged during the competition time, so that confidence arises from the amount of third-party analysis accumulated over the period and the absence of attacks/flaws. To narrow the analysis scope and make the best use of limited human resources, the broken candidates are eliminated once and forever.

2) The submissions evolve over the competition period significantly, absorbing new ideas and constructions from the discussion, possibly even merging with each other. The confidence in the winner(s) comes from the consensus in the committee on certain features that are gradually integrated in the final version.

Each approach has its own benefits, but you cannot have both and still be fair to the candidates.

What has happened so far:

Like in the first type of competition:

a) Quite many candidates did not make it to the final round.

b) Some designs that accumulated new ideas from the competition have not been allowed into the next round (Argon2). This is particularly strange since the tweaked Catena v3 (which is in the final) took one of its features from Argon2i (which is not).

Like in the second type of competition:

a) Major tweaks to some original submissions were allowed. One could compare the original and the current Catena v3, Lyra2 v3.

b) Some submissions with violated security claims were allowed into the next round. This discourages new cryptanalysis efforts. For example, if we have new cryptanalysis results, we don't know whether to announce them now, in which case the submissions would just be tweaked, or whether to announce them after the selection of the candidates.

The second approach (allowing learning from each other and major tweaks) might be beneficial due to the relatively small size of the community behind PHC and due to the state of the art still being immature (the competition process clearly gave it a large boost), but then it needs to be applied to all the candidates.

In particular, given the state of other finalists, we believe that it would be fair to keep Argon2i and Argon2d in the competition.

--
Best regards,
Alex Biryukov
Dmitry Khovratovich,
the Argon team.