lists.openwall.net
Open Source and information security mailing list archives
 
Date: Tue, 5 May 2015 21:03:24 +0200
From: Dmitry Khovratovich <khovratovich@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Argon2

On Tue, May 5, 2015 at 8:36 PM, Marcos Simplicio <mjunior@...c.usp.br> wrote:

> 1) For legitimate users, part of the PHS's computation time would be
> wasted calculating the indices to be visited, while attackers could do
> so only once and reuse the pre-computed indices in many threads,
> diluting the corresponding costs. To avoid giving more advantage to
> attackers than to legitimate users, the computation of indices should be
> as lightweight as possible (which is a goal in Catena and also in
> Lyra2's first pass).

In Argon2i the indices are produced in groups. 256 indices cost as
much as filling 2 memory blocks.
Therefore, the overhead is less than 1%.

>
> 2) Some salts/parameters will end up leading to weaker visitation
> patterns than others. This is unlikely to be critical in the long run,
> but that would be similar to having "weak keys" in cryptographic
> algorithms. So, if those are avoidable, it would probably be better.

In Argon2i indices depend on the block number only, not on the salt.

>
> My two cents, at least.
>
> Marcos.



-- 
Best regards,
Dmitry Khovratovich
