Date: Tue, 5 May 2015 10:54:34 -0700
From: Bill Cox <waywardgeek@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Argon2
On Tue, May 5, 2015 at 1:15 AM, Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com> wrote:
> FTR, the panel had agreed to accept Argon2 as a PHC candidate, superseding
> Argon
>
Awesome! I do think this is the right decision.
As for potential tweaks, here are some dumb ideas:
- Argon2d/i are similar. Can we make it one algorithm that has a flag
specifying when to switch from cache-timing resistant mode to password
dependent mode? That would let one algorithm do both (something I can do
in TwoCats)
- Both Argon2d and Lyra2 are too focused on TMTO resistance, to the point
of running slower than needed. Cutting the Blake2 rounds in half in Argon
considerably speeds it up, as does reducing the memory writes in Lyra2.
This would improve both algorithms' basic defense.
- Both Lyra2 and Argon2 should use the modified Blake2 round with
multiplications for improved compute-time hardening
Argon2d is a late-comer and needs more work than Yescrypt or Lyra2, but it
looks promising to me, if enough tweaks are allowed. I don't know about
the other finalists, but the two strong Argon2 competitors are Lyra2 and
Yescrypt, both of which have already influenced the Argon2 design, I
think. I think both the Yescrypt and Lyra2 team would be happy to see the
best possible solution, which could be Argon2 in the end, if the Lyra2 and
Yescrypt authors were to cooperate with the improvements to Argon2.
I am a fan of the one-pass model in Argon2. It could be enhanced into a
winning algorithm, IMO.
Bill
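The "modified Blake2 round with multiplications" mentioned in the thread is the change Argon2 made to Blake2b's G mixing function: each 64-bit addition `a + b` becomes `a + b + 2 * lo32(a) * lo32(b)`, so every step carries the fixed latency of a 64-bit multiply. The block below is an added illustration, not code from the thread or from the Argon2, Lyra2 or Yescrypt projects; it places the original Blake2b G (RFC 7693) next to the Argon2 variant (RFC 9106, section 3.6) so the two can be run on the same words and compared. The function names `blake2b_g`, `argon2_g` and `mul_add` are this example's own.

```python
# Added example: Blake2b's G function beside Argon2's multiplication-hardened G.
# Names (blake2b_g, argon2_g, mul_add, rotr64) are this example's own, not from
# the thread or any of the discussed projects.

MASK64 = (1 << 64) - 1
MASK32 = (1 << 32) - 1


def rotr64(x: int, n: int) -> int:
    """Rotate a 64-bit word right by n bits."""
    return ((x >> n) | (x << (64 - n))) & MASK64


def blake2b_g(a: int, b: int, c: int, d: int, x: int = 0, y: int = 0) -> tuple:
    """Original Blake2b G (RFC 7693). x and y are the two message words."""
    a = (a + b + x) & MASK64
    d = rotr64(d ^ a, 32)
    c = (c + d) & MASK64
    b = rotr64(b ^ c, 24)
    a = (a + b + y) & MASK64
    d = rotr64(d ^ a, 16)
    c = (c + d) & MASK64
    b = rotr64(b ^ c, 63)
    return a, b, c, d


def mul_add(u: int, v: int) -> int:
    """Argon2's replacement for u + v: u + v + 2 * lo32(u) * lo32(v) mod 2^64.
    The 32x32->64 multiply is the 'compute-time hardening' step: its latency
    is roughly fixed on every CPU, so an attacker cannot shortcut it."""
    return (u + v + 2 * (u & MASK32) * (v & MASK32)) & MASK64


def argon2_g(a: int, b: int, c: int, d: int) -> tuple:
    """Argon2's modified G (RFC 9106 section 3.6): no message words, and
    every addition of the Blake2b G replaced by mul_add."""
    a = mul_add(a, b)
    d = rotr64(d ^ a, 32)
    c = mul_add(c, d)
    b = rotr64(b ^ c, 24)
    a = mul_add(a, b)
    d = rotr64(d ^ a, 16)
    c = mul_add(c, d)
    b = rotr64(b ^ c, 63)
    return a, b, c, d


def compare(a: int, b: int, c: int, d: int) -> dict:
    """Run both mixing functions on the same constructed input and report
    whether the multiplication term changed the result."""
    plain = blake2b_g(a, b, c, d)
    hardened = argon2_g(a, b, c, d)
    return {"blake2b": plain, "argon2": hardened, "differs": plain != hardened}


if __name__ == "__main__":
    # Constructed sample words: a=1, b=1, c=0, d=0 keeps the hand-checkable
    # first step visible (Blake2b: a = 2; Argon2: a = 1 + 1 + 2*1*1 = 4).
    for name, words in compare(1, 1, 0, 0).items():
        print(name, words if isinstance(words, bool) else [hex(w) for w in words])
```

With all-zero input both functions stay at zero, which shows that the multiplication term only adds work once the state is non-zero; from the first non-zero word on, the two outputs diverge at every step.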