lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5535CF04.4000300@dei.uc.pt>
Date: Tue, 21 Apr 2015 05:16:04 +0100
From: Samuel Neves <sneves@....uc.pt>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Argon2 modulo division

On 04/21/2015 04:26 AM, Solar Designer wrote:
> Dmitry, all -
>
> It appears that Argon2 uses modulo division with arbitrary (and
> changing) divisors (usually not powers of 2).  Argon2d applies this to
> secret-dependent integers.  This is an extra source of timing leaks, on
> top of secret-dependent lookup addresses.
>
> Do we consider this a drawback?

As far as I can tell, the moduli themselves are not secret. Compilers know how to replace modulo reductions with
multiplications, shifts and subtractions---and it's faster too---so perhaps all such relevant contants can be
precomputed ahead of time (or, perhaps, computed concurrently with BLAKE2b rounds)? This, of course, does make
implementations more complex.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ