lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Apr 2015 10:05:47 -0700
From: Bill Cox <>
To: "" <>
Subject: Re: [PHC] "Attack on the iterative compression function"

On Tue, Apr 14, 2015 at 3:29 PM, Solar Designer <> wrote:

> This is another great contribution by the Argon team, which I think
> hasn't received its due attention in here yet.
> Please see the Argon2 paper, page 13 (in current revision).

The Argon team does great work, but they continually warp there conclusions
to favor their incorrect world-view that the original Argon algorithm is
better than all the rest.  They use outlandish definitions for common
things like "time*memory" defense, and wafer-sized ASICs holding zero
latency multi-gigabyte nearly-zero power cache RAM.

Other than that, this paper is a great analysis...

Here's the outrageous claim they make against Yescrypt:

  for 1/4 memory, Yescrypt has a 1/2 "Time-memory product"

In their previous table, they say that at a 1/4 memory attack, the attacker
must do 1135 times more computation.  The time*memory defense as used by
the whole world other than the Argon team is therefore 283.75.  This paper
is off by a factor of 567.5!

I do not consider this a weakness of Yescrypt.  I wish the Argon team would
start using proper terminology.


Content of type "text/html" skipped

Powered by blists - more mailing lists