Date: Tue, 5 May 2015 13:06:56 +0200
From: Dmitry Khovratovich <khovratovich@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Argon2
We appreciate the panel's decision.
Argon2 will become even better. We plan to add new features and
security enhancements in a post-PHC tweak. The tweak will contain:
- new indexing function that makes the memory access pattern more
uniform and also strengthens the TMTO resistance. We are currently
working out the best solution by
calculating the penalties for various existing (Bill's distancecubed,
Solar's sliding window) and our own indexing functions using the
improved version of the ranking tradeoff algorithm.
- new internal permutation that uses integer multiplication for
hardening and chains the subblocks in the way that maximizes the
non-tradeoff latency.
We plan to finish these ideas by the end of the month. The design
rationale will be published, as usual.
Today, however, we are proud to announce a feature for Argon2 that
makes it suitable for cryptocurrencies. Namely, it enables fast,
memoryless verification in a non-interactive way. In a concrete
example, a proof for running 3-pass Argon2 using 2 GB of RAM is only
500 KB in size and the verifier has to just hash (with Blake2) the
string of about the same size, i.e. this takes milliseconds.
The full paper is available here
https://www.cryptolux.org/images/9/95/Fast_memory_hard.pdf , and this
new feature is described in Section 8. You do not need to know many
details about Argon2 to read it.
Best regards,
the Argon team.
On Tue, May 5, 2015 at 10:15 AM, Jean-Philippe Aumasson
<jeanphilippe.aumasson@...il.com> wrote:
> FTR, the panel had agreed to accept Argon2 as a PHC candidate, superseding
> Argon
--
Best regards,
Dmitry Khovratovich
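To make the "memoryless verification" idea concrete, the following is an added illustration and not code from the Argon2 team or the linked paper: the prover fills memory with a toy data-dependent rule (block i derived from block i-1 and a reference block chosen by its contents), commits to all blocks with a BLAKE2b Merkle tree, derives challenge indices from the root (Fiat-Shamir, so the proof is non-interactive), and opens the challenged blocks together with the blocks they depend on. The verifier only hashes the openings against the root and recomputes the challenged blocks, so it needs the proof, not the memory. The fill rule, block size, number of challenges and all function names are this example's own assumptions; the paper's Section 8 construction differs in its details.

```python
"""Added example: Merkle-committed, Fiat-Shamir style memoryless verification of a
toy data-dependent memory fill. This is NOT the paper's construction; the fill rule,
the 32-byte block size and every name here are assumptions of this example."""
import hashlib

BLOCK = 32  # digest size used as the toy block size (assumption; Argon2 uses 1 KB blocks)


def h(*parts):
    """BLAKE2b over the concatenation of parts, truncated to BLOCK bytes."""
    x = hashlib.blake2b(digest_size=BLOCK)
    for p in parts:
        x.update(p)
    return x.digest()


def ref_index(prev, i):
    """Data-dependent reference index in 0..i-1, read from the previous block."""
    return int.from_bytes(prev[:8], "little") % i


def fill(seed, n):
    """Toy single-pass fill: block 0 from the seed, block i from blocks i-1 and ref(i)."""
    blocks = [h(b"seed", seed)]
    for i in range(1, n):
        blocks.append(h(blocks[i - 1], blocks[ref_index(blocks[i - 1], i)]))
    return blocks


def merkle_tree(blocks):
    """Levels of a binary Merkle tree over the blocks; leaf count padded to a power of two."""
    level = [h(b"leaf", b) for b in blocks]
    while len(level) & (len(level) - 1):
        level.append(level[-1])  # duplicate the last leaf until the count is a power of two
    tree = [level]
    while len(level) > 1:
        level = [h(b"node", level[k], level[k + 1]) for k in range(0, len(level), 2)]
        tree.append(level)
    return tree  # tree[-1][0] is the root


def merkle_path(tree, idx):
    """Sibling hashes from leaf idx up to (but excluding) the root."""
    path = []
    for level in tree[:-1]:
        path.append(level[idx ^ 1])
        idx >>= 1
    return path


def merkle_verify(root, idx, leaf, path):
    """Recompute the root from a leaf value and its sibling path."""
    node = h(b"leaf", leaf)
    for sib in path:
        node = h(b"node", node, sib) if idx % 2 == 0 else h(b"node", sib, node)
        idx >>= 1
    return node == root


def challenges(root, n, count):
    """Fiat-Shamir: challenge indices in 1..n-1 derived from the Merkle root."""
    return [1 + int.from_bytes(h(b"chal", root, j.to_bytes(4, "little"))[:8], "little") % (n - 1)
            for j in range(count)]


def prove(seed, n, count):
    """Prover: fill n blocks, commit, open block 0 and each challenged block with its inputs."""
    blocks = fill(seed, n)
    tree = merkle_tree(blocks)
    root = tree[-1][0]
    openings = []
    for i in challenges(root, n, count):
        r = ref_index(blocks[i - 1], i)
        openings.append({"i": i, "r": r,
                         "prev": (blocks[i - 1], merkle_path(tree, i - 1)),
                         "ref": (blocks[r], merkle_path(tree, r)),
                         "cur": (blocks[i], merkle_path(tree, i))})
    return {"root": root, "n": n, "first": (blocks[0], merkle_path(tree, 0)), "openings": openings}


def verify(seed, proof, count):
    """Verifier: hashes only; never rebuilds the n blocks."""
    root, n = proof["root"], proof["n"]
    if n < 2 or len(proof["openings"]) != count:
        return False
    first, first_path = proof["first"]  # ties the commitment to the seed
    if first != h(b"seed", seed) or not merkle_verify(root, 0, first, first_path):
        return False
    for i, op in zip(challenges(root, n, count), proof["openings"]):
        prev, p_prev = op["prev"]
        ref, p_ref = op["ref"]
        cur, p_cur = op["cur"]
        if op["i"] != i or op["r"] != ref_index(prev, i) or h(prev, ref) != cur:
            return False
        for idx, leaf, path in ((i - 1, prev, p_prev), (op["r"], ref, p_ref), (i, cur, p_cur)):
            if not merkle_verify(root, idx, leaf, path):
                return False
    return True


def proof_bytes(proof):
    """Size of the proof in digest bytes, for comparison with n * BLOCK of prover memory."""
    total = len(proof["root"]) + len(proof["first"][0]) + BLOCK * len(proof["first"][1])
    for op in proof["openings"]:
        for leaf, path in (op["prev"], op["ref"], op["cur"]):
            total += len(leaf) + BLOCK * len(path)
    return total


if __name__ == "__main__":
    n, count = 4096, 8  # constructed parameters for a quick run
    p = prove(b"constructed-seed", n, count)
    print("valid:", verify(b"constructed-seed", p, count), "proof bytes:", proof_bytes(p), "memory bytes:", n * BLOCK)
```

The number of challenges controls soundness: a prover who skipped part of the fill has to forge every opened block consistently with the committed root, and each extra challenge lowers the chance that none of the forged blocks is opened. The verifier's cost is count openings of three Merkle paths plus one block recomputation each, which is why the proof stays small relative to the memory the prover had to touch.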