| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAOLP8p6Qw9KpKPnpzz1a8Jh93ORjGSPTM=fUohur+XV=owhFuw@mail.gmail.com>
Date: Fri, 17 Apr 2015 10:05:47 -0700
From: Bill Cox <waywardgeek@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] "Attack on the iterative compression function"
On Tue, Apr 14, 2015 at 3:29 PM, Solar Designer <solar@...nwall.com> wrote:
> This is another great contribution by the Argon team, which I think
> hasn't received its due attention in here yet.
>
> Please see the Argon2 paper, page 13 (in current revision).
>
The Argon team does great work, but they continually warp there conclusions
to favor their incorrect world-view that the original Argon algorithm is
better than all the rest. They use outlandish definitions for common
things like "time*memory" defense, and wafer-sized ASICs holding zero
latency multi-gigabyte nearly-zero power cache RAM.
Other than that, this paper is a great analysis...
Here's the outrageous claim they make against Yescrypt:
for 1/4 memory, Yescrypt has a 1/2 "Time-memory product"
In their previous table, they say that at a 1/4 memory attack, the attacker
must do 1135 times more computation. The time*memory defense as used by
the whole world other than the Argon team is therefore 283.75. This paper
is off by a factor of 567.5!
I do not consider this a weakness of Yescrypt. I wish the Argon team would
start using proper terminology.
Bill
Content of type "text/html" skipped
Powered by blists - more mailing lists