lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 16 Apr 2015 17:56:29 -0700
From: Bill Cox <>
To: "" <>
Subject: Re: [PHC] Competition process

On Tue, Apr 14, 2015 at 6:32 AM, Solar Designer <> wrote:

> On Tue, Apr 14, 2015 at 10:31:08AM +0000, Peter Gutmann wrote:
> > Dmitry Khovratovich <> writes:
> >
> > >2) The submissions evolve over the competition period significantly,
> > >absorbing new ideas and constructions from the discussion, possibly even
> > >merging with each other. The confidence in the winner(s) comes from the
> > >consensus in the committee on certain features that are gradually
> integrated
> > >in the final version.
> >
> > That's the approach I prefer (see my earlier thoughts about allowing a
> final
> > round of updates for the top three, before a single best-of-breed is
> chosen).
> I think we might want to specifically encourage collaborative work.
> For example, it should be easy for Argon2 to adopt Lyra2's BlaMKa and
> make this the standard mode (whereas in Lyra2 it's an option), but it
> might be better for Argon2d to adopt yescrypt's pwxform (not for
> Argon2i, because pwxform makes data-dependent S-box lookups).

Excellent idea, IMO.  I would prefer to have an additional phase - an
upgrade phase _after_ winner(s) are selected, where winning author(s) are
asked to be open to improvements from others.

I still see room for improvement in Lyra2's password-independent phase and
potential for better GPU resistance, and I would like to have a t_cost
option that lowers it's minimum I/O operations per memory location.  Argon2
needs it's parallelism more under control, and we need a stripped-down
version of Yescrypt that is easy to understand and deploy.  POMELO might
need a well proven cryptographic hash applied at the end if we can't prove
it's security otherwise.  Several ideas from Catena could be used to build
a secure password hashing framework, which could include encoding/decoding
of parameters from strings, similar to what Pufferfish has.

> Argon2 is such an obvious improvement, it seems odd to keep it out so
> that the
> > decision has to be made on a previous-generation version.  Or, more
> > worryingly, that the decision on Argon might be made on the assumption
> that
> > what'll be adopted is actually Argon2, blurring the line over what's
> being
> > decided on.
> Agreed.
> Alexander

If anyone should feel allowing Argon2 as a finalist is unfair, it should be
me.  Argon2 is good, but not as strong as my TwoCats, IMO.

However, the product of this competition is not fairness - it's password
hashing algorithms.  I feel this process will be improved by allowing
Argon2.  I do not think it will be improved by revisiting the somewhat
painful selection of finalists.  So, I say let Argon2 in, and continue the


Content of type "text/html" skipped

Powered by blists - more mailing lists