lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Apr 2015 14:04:09 -0700
From: Bill Cox <waywardgeek@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] "Attack on the iterative compression function"

On Fri, Apr 17, 2015 at 12:22 PM, Gregory Maxwell <gmaxwell@...il.com>
wrote:

> On Fri, Apr 17, 2015 at 5:05 PM, Bill Cox <waywardgeek@...il.com> wrote:
> > The Argon team does great work, but they continually warp there
> conclusions
> > to favor their incorrect world-view that the original Argon algorithm is
> > better than all the rest.  They use outlandish definitions for common
> things
> > like "time*memory" defense, and wafer-sized ASICs holding zero latency
> > multi-gigabyte nearly-zero power cache RAM.
>
> I'm appreciative of their approach, as it strikes me as more
> conservative generally.
>
> When I asked previously the PHC list failed to present strong
> arguments on how much of the presumed hardness of 'memory hard'
> functions are fundamental. I have not seen strong evidence that anyone
> has a firm grasp on what the impact of future memory technologies and
> silicon topologies (e.g. what effect does through silicon vias and 3d
> parts have on your latency assumptions) will do this this problem, or
> a good handle on how "operating cost" vs amortizable construction
> costs, should be handled.  In that light, it can be useful to analyze
> thing where more debatable costs are set in the attacker's favor.
>

Clearly the Argon team has some very good analysts and can do good work,
but they purposely mislead readers whenever they think it can help them
win.  If it were one time, or even twice, I'd let it pass, but this is a
continual flood of misinformation, always nicely formatted in academic
style papers, and always calling itself cryptanalysis.  To be more
specific, I believe they've purposely misled us in these cases:

- Their ASIC power analysis that requires gigabytes of near zero power
cache RAM, and a hefty amount of Unobtainium from Planet Pandora
- Their cryptographic security charts showing how Argon is the best, by not
showing the most important data
- Their TMTO attacks, always against a strong competitor, where they assume
an attacker has infinite computational resources, and redefine the term the
traditional "memory*time" cost

Throwing in Argon2 into the mix, with basically zero connection to Argon,
far after the submission deadline, while borrowing many good ideas from
other submissions, is another strike against their credibility, IMO.
However, Argon2 is a good algorithm, so I vote it goes forward.  I don't
care who delivers the best algorithm in the end, so long as the winner is
_actually_ the best.

Anyway, it's probably just wishful thinking to hope they will change, so
I'll only chime in to remind readers of this pattern from the Argon team
when they post more nonsense.

As for memory*time defense, 3D and through-silicon vias wont make memory
cheaper.  Incorporating the hashing logic onto the big DRAM chips could
dramatically reduce the memory bandwidth bottleneck, so these algorithms
need additional defenses, such as compute-time hardening and rapid
unpredictable small memory accesses.  I think Yescrypt currently has the
lead in this area, but I'm confident the Lyra2 team would be willing to
upgrade their algorithm if needed.

Bill

Content of type "text/html" skipped

Powered by blists - more mailing lists