Message-ID: <20150421032631.GA18820@openwall.com>
Date: Tue, 21 Apr 2015 06:26:31 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Argon2 modulo division
Dmitry, all -
It appears that Argon2 uses modulo division with arbitrary (and
changing) divisors (usually not powers of 2). Argon2d applies this to
secret-dependent integers. This is an extra source of timing leaks, on
top of secret-dependent lookup addresses.
Do we consider this a drawback?
TwoCats had this too, but I avoided this maybe-drawback in yescrypt.
Alexander
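As an added illustration of the point raised above (example code written for this page, not from the message or from Argon2's reference implementation), the C below compares three ways of turning a 32-bit value into a block index in [0, n). `index_mod_div` is the `x % n` form the message objects to: for a divisor that is not a power of two it compiles to an integer divide, and on many CPUs the divide instruction's latency depends on operand values, so a secret-dependent `x` (and a changing `n`) leaks through timing. `index_mask_pow2` is the constant-time mask that only works when `n` is a power of two, and `index_mul_shift` is the multiply-and-shift reduction that works for any `n` without a divide, at the cost of a tiny, bounded non-uniformity. All function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Variable-time: for a non-power-of-2 n this is an integer divide, whose
 * latency is operand-dependent on many cores, so x and n leak via timing. */
uint32_t index_mod_div(uint32_t x, uint32_t n)
{
    return x % n;
}

/* Constant-time, but only correct when n is a power of two. */
uint32_t index_mask_pow2(uint32_t x, uint32_t n)
{
    return x & (n - 1);
}

/* Constant-time for any n: treat x as a fraction of 2^32 and scale it to
 * [0, n) with one multiply and one shift.  The result is only approximately
 * uniform (bias at most n / 2^32), negligible for realistic n. */
uint32_t index_mul_shift(uint32_t x, uint32_t n)
{
    return (uint32_t)(((uint64_t)x * n) >> 32);
}

int is_pow2(uint32_t n)
{
    return n != 0 && (n & (n - 1)) == 0;
}

/* Sanity check on constructed input: every 2^12-th value of the 32-bit
 * range.  Returns 1 if every index lands in [0, n) and the bucket counts
 * differ by at most one (i.e. the mapping is as uniform as the input),
 * 0 otherwise.  n is limited to 64 so the bucket array stays small. */
int check_mul_shift(uint32_t n)
{
    uint32_t counts[64] = {0};
    uint32_t lo = UINT32_MAX, hi = 0;
    uint64_t x;

    if (n == 0 || n > 64)
        return 0;
    for (x = 0; x < (1ULL << 32); x += 1u << 12) {
        uint32_t i = index_mul_shift((uint32_t)x, n);
        if (i >= n)
            return 0;
        counts[i]++;
    }
    for (uint32_t i = 0; i < n; i++) {
        if (counts[i] < lo) lo = counts[i];
        if (counts[i] > hi) hi = counts[i];
    }
    return hi - lo <= 1;
}

int main(void)
{
    uint32_t samples[] = {0, 1, 0x12345678, 0x80000000, 0xFFFFFFFF};
    uint32_t divisors[] = {7, 10, 16, 1000};

    for (size_t d = 0; d < sizeof divisors / sizeof divisors[0]; d++) {
        uint32_t n = divisors[d];
        printf("n = %u (%s)\n", n, is_pow2(n) ? "power of 2" : "arbitrary");
        for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
            uint32_t x = samples[s];
            printf("  x=%08x  mod=%4u  mul_shift=%4u", x,
                   index_mod_div(x, n), index_mul_shift(x, n));
            if (is_pow2(n))
                printf("  mask=%4u", index_mask_pow2(x, n));
            printf("\n");
        }
    }
    return 0;
}
```

The multiply-and-shift form does not give the same index as `x % n` for the same `x`; it is a different but equally valid way to derive an index from a uniformly distributed word, which is all a memory-hard function needs. The point is that the index derivation itself runs in operand-independent time, leaving only the memory access pattern as the data-dependent part of the computation.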