lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Apr 2015 19:22:41 +0000
From: Gregory Maxwell <gmaxwell@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] "Attack on the iterative compression function"

On Fri, Apr 17, 2015 at 5:05 PM, Bill Cox <waywardgeek@...il.com> wrote:
> The Argon team does great work, but they continually warp there conclusions
> to favor their incorrect world-view that the original Argon algorithm is
> better than all the rest.  They use outlandish definitions for common things
> like "time*memory" defense, and wafer-sized ASICs holding zero latency
> multi-gigabyte nearly-zero power cache RAM.

I'm appreciative of their approach, as it strikes me as more
conservative generally.

When I asked previously the PHC list failed to present strong
arguments on how much of the presumed hardness of 'memory hard'
functions are fundamental. I have not seen strong evidence that anyone
has a firm grasp on what the impact of future memory technologies and
silicon topologies (e.g. what effect does through silicon vias and 3d
parts have on your latency assumptions) will do this this problem, or
a good handle on how "operating cost" vs amortizable construction
costs, should be handled.  In that light, it can be useful to analyze
thing where more debatable costs are set in the attacker's favor.

Powered by blists - more mailing lists