Date: Thu, 16 Apr 2015 17:20:10 -0700
From: Bill Cox <>
To: "" <>
Subject: Re: [PHC] winner selection

On Mon, Apr 13, 2015 at 8:11 AM, Solar Designer <> wrote:

> ---
> Argon - a non-winner: too TMTO-obsessed and thus slow, likely at the
> expense of security against actual attacks.  (As a side note, this is
> something that has been addressed in Argon2, although there's another
> issue in Argon2: currently excessive parallelism.)

I agree Argon2 is a vast improvement.  It still has too much parallelism,
but that can be fixed.  I also agree, the original Argon is not competitive.

> battcrypt - likely winner.  battcrypt wins over Pufferfish at sizes
> over a few MB, per Milan's benchmarks.

I would prefer that we have only 1 memory-hard winner, but that it have a
low-complexity compatible version.  One benefit of bcrypt is how easy it is
to implement, though doing it really well is hard!

For this reason only, I would drop both Pufferfish and Battcrypt as
winners.  However, if we don't get a _very_ simple version of the
memory-hard winner, then maybe also choose Battcrypt?

> Catena - likely winner, especially its Catena-Dragonfly flavor, which is
> actually fast (unlike the other 3 default instantiations of Catena).

Do we have the option of choosing Catena-Dragonfly?  I would hope so, but
I also would like Argon2 to be in the running.

We might need a cache-timing resistant winner, but not if that means we
can't have a traditional memory-hard winner, IMO.  If we can afford both,
I'd choose Catena-Dragonfly from what I'm hearing (I have not reviewed its
code or benchmarked it).

> Lyra2, POMELO, or/and yescrypt - select one or several of these as
> winner(s).

I am thrilled to hear that POMELO has reached decent speeds.  Does it have
a multi-threaded version?  The crypto-guys will have to decide if its
primitives are strong enough - they look like a good enough mix of ARX to
me, but I'm not qualified to make a call on its security.

> Makwa - likely select as a winner, but may need more pairs of eyes
> first, who would confirm they have actually reviewed Makwa.  I think
> Steve did?  Anyone else?  I didn't review it, and I think we have panel
> members who are more qualified to review it.  Makwa is a likely winner
> because it provides a unique feature with specific use cases for it,
> it looks good at first glance (but indeed that's not a proper review),
> and it comes from a particularly careful submitter.

I spent many hours going over it - partly because I had to read up on the
theory behind it.  Makwa's security proofs are sound.  I firmly believe it
is as secure as integer factorization - of which I do remain skeptical :-)
Its knapsack construction is also sound, unlike other crypto systems
built on this problem.  Its squaring of Blum integers is as secure as
integer factorization so long as we can trust that the factors are not
leaked (a significant weakness of Makwa).

I think Makwa deserves to either be an outright "winner" or a "recommended
solution" of some sort, so long as a fast memory-hard winner is also
selected.  Without a memory-hard component, I do not believe it competes
well in the general password hashing area.
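
An added illustration of the property discussed above (not code from this thread or from Makwa's reference implementation): repeated squaring modulo a Blum integer n = p*q, and the shortcut available to whoever holds the factors. The toy primes, the input value and the squaring count are constructed; Makwa's actual password encoding, post-hashing and work-factor parameters are not reproduced.

```python
"""Blum-integer squaring and the factor-holder shortcut (added example).

Toy parameters only: p and q are small primes congruent to 3 mod 4, so
n = p*q is a Blum integer. Real moduli are 2048 bits; these are constructed
for demonstration and are not secure parameters.
"""
from math import gcd


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def blum_modulus(p: int, q: int) -> int:
    """Return n = p*q after checking both primes are 3 mod 4 (Blum integer)."""
    if not (is_prime(p) and is_prime(q) and p % 4 == 3 and q % 4 == 3):
        raise ValueError("p and q must be primes congruent to 3 mod 4")
    return p * q


def slow_squarings(x: int, n: int, w: int) -> int:
    """Public path: w sequential squarings mod n. Work grows linearly in w
    and nobody without the factors is known to do better than this."""
    for _ in range(w):
        x = x * x % n
    return x


def fast_with_factors(x: int, p: int, q: int, w: int) -> int:
    """Private path: with p and q, reduce the exponent 2^w modulo lambda(n)
    (Carmichael function). Since x^lambda(n) = 1 mod n for gcd(x, n) = 1,
    x^(2^w) = x^(2^w mod lambda(n)), costing ~log2(n) multiplications
    regardless of w. This is why a leaked private key defeats the cost."""
    n = p * q
    if gcd(x, n) != 1:
        raise ValueError("x must be coprime to n")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return pow(x, pow(2, w, lam), n)


def shortcut_matches(x: int, p: int, q: int, w: int) -> bool:
    """True if the factor-holder shortcut reproduces the w-squaring result."""
    return slow_squarings(x, blum_modulus(p, q), w) == fast_with_factors(x, p, q, w)
```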

