Date: Tue, 5 May 2015 21:03:24 +0200
From: Dmitry Khovratovich <>
To: "" <>
Subject: Re: [PHC] Argon2

On Tue, May 5, 2015 at 8:36 PM, Marcos Simplicio <> wrote:

> 1) For legitimate users, part of the PHS's computation time would be
> wasted calculating the indices to be visited, while attackers could do
> so only once and reuse the pre-computed indices in many threads,
> diluting the corresponding costs. To avoid giving more advantage to
> attackers than to legitimate users, the computation of indices should be
> as lightweight as possible (which is a goal in Catena and also in
> Lyra2's first pass).

In Argon2i the indices are produced in groups. 256 indices cost as
much as filling 2 memory blocks.
Therefore, the overhead is less than 1%.

> 2) Some salts/parameters will end up leading to weaker visitation
> patterns than others. This is unlikely to be critical in the long run,
> but that would be similar to having "weak keys" in cryptographic
> algorithms. So, if those are avoidable, it would probably be better.

In Argon2i indices depend on the block number only, not on the salt.

> My two cents, at least.
> Marcos.

Best regards,
Dmitry Khovratovich
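
A simplified model of the two points in the reply above, added here as an example and not part of the original post or of the Argon2 code. It checks that the reference indices are the same for any password and salt, and counts what index generation costs relative to filling memory. SHAKE-256 stands in for the compression function; the 1024-byte block, the 32-bit index width, and all function names are assumptions of this model.

```python
import hashlib
import struct

BLOCK = 1024   # bytes per memory block (assumption of this model)
GROUP = 256    # indices produced per address block, as stated in the post
calls = {"fill": 0, "addr": 0}   # compression calls, split by purpose

def G(kind, *parts):
    """Stand-in compression function (SHAKE-256, not Argon2's own)."""
    calls[kind] += 1
    return hashlib.shake_256(b"".join(parts)).digest(BLOCK)

def index_group(group_no):
    """256 pseudo-random 32-bit values derived from the group number only.
    Two compression calls per group, the cost quoted in the post."""
    blk = G("addr", G("addr", struct.pack("<Q", group_no)))
    return struct.unpack("<%dI" % GROUP, blk)

def fill(password, salt, n_blocks):
    """Fill n_blocks of memory; return (tag, list of referenced indices)."""
    mem = [G("fill", b"\x00", salt, password),
           G("fill", b"\x01", salt, password)]
    trace, group, group_no = [], None, -1
    for i in range(2, n_blocks):
        if i // GROUP != group_no:          # start of a new group of indices
            group_no = i // GROUP
            group = index_group(group_no)
        ref = group[i % GROUP] % (i - 1)    # some block before the previous one
        trace.append(ref)
        # Block contents depend on the secret; the choice of ref does not.
        mem.append(G("fill", mem[i - 1], mem[ref]))
    return hashlib.sha256(mem[-1]).hexdigest(), trace

def overhead(n_blocks):
    """Address-generation calls divided by memory-filling calls."""
    calls.update(fill=0, addr=0)
    fill(b"constructed-password", b"constructed-salt", n_blocks)
    return calls["addr"] / calls["fill"]

if __name__ == "__main__":
    tag_a, trace_a = fill(b"password one", b"salt A", 1024)
    tag_b, trace_b = fill(b"password two", b"salt B", 1024)
    print("same access pattern:", trace_a == trace_b)
    print("different tags:     ", tag_a != tag_b)
    print("index overhead:      %.2f%%" % (100 * overhead(1024)))
```
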
