lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAS2fgRP2xTg+RcFLVEoXoAo5OJtETt-iu9gVD4kWNWnZUvCPw@mail.gmail.com> Date: Fri, 17 Apr 2015 19:22:41 +0000 From: Gregory Maxwell <gmaxwell@...il.com> To: discussions@...sword-hashing.net Subject: Re: [PHC] "Attack on the iterative compression function" On Fri, Apr 17, 2015 at 5:05 PM, Bill Cox <waywardgeek@...il.com> wrote: > The Argon team does great work, but they continually warp there conclusions > to favor their incorrect world-view that the original Argon algorithm is > better than all the rest. They use outlandish definitions for common things > like "time*memory" defense, and wafer-sized ASICs holding zero latency > multi-gigabyte nearly-zero power cache RAM. I'm appreciative of their approach, as it strikes me as more conservative generally. When I asked previously the PHC list failed to present strong arguments on how much of the presumed hardness of 'memory hard' functions are fundamental. I have not seen strong evidence that anyone has a firm grasp on what the impact of future memory technologies and silicon topologies (e.g. what effect does through silicon vias and 3d parts have on your latency assumptions) will do this this problem, or a good handle on how "operating cost" vs amortizable construction costs, should be handled. In that light, it can be useful to analyze thing where more debatable costs are set in the attacker's favor.
Powered by blists - more mailing lists