lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Jul 2015 12:50:52 -0700
From: Bill Cox <waywardgeek@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Argon2 improvement thread

On Tue, Jul 21, 2015 at 12:45 PM, Solar Designer <solar@...nwall.com> wrote:

> On Tue, Jul 21, 2015 at 12:24:00PM -0700, Bill Cox wrote:
> > If Alexander proposed to integrate his PWXFORM (I don't know what MAXFORM
> > is), then I would be for it.  This would satisfy my request for improved
> > GPU resistance, and also my request for multiplication-chain computation
> > time hardening.
>
> MAXFORM is the scalar equivalent to (and subset of) pwxform.  It's
> neither parallel, nor wide, but is otherwise the same.
>
> It would co-exist with Argon2's existing SIMD code.


Nice!  I was getting excellent multiplication-chain hardening with a
similar approach.  The scalar pipeline has a faster multiplier.

>
> > There are only two really outstanding SIMD-optimized mixing functions
> which
> > were used in this competition, IMO.  The choices are the reduced-Blake2
> > with or without it's multiplication modification, and PWXFORM.  I suspect
> > between Samuel Neves, Alexander, and the Argon2 team, they could figure
> out
> > the best solution.
>
> Switching Argon2 to use pwxform would be too much of a change - not
> code-wise, but design-wise.  If we were to do that, then it'd be better
> to go with (simplified) yescrypt or the like instead, which we already
> have separately (just not as the PHC winner).
>
> Alexander
>

Got it.  In that case, I'm for the MAXFORM upgrade.  I agree that
Bcrypt-like GPU resistance is a critical defense.  For example, without it,
I would have to use Yescrypt in the PoW systems I've been playing with
rather than Argon2.  With MAXFORM, would Argon2's GPU resistance be as
strong as Yescrypt's?

Bill

Content of type "text/html" skipped

Powered by blists - more mailing lists