[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <4509E222-447C-4190-BF7F-30651E13C2D2@gmail.com>
Date: Tue, 21 Jul 2015 20:23:02 +0200
From: Dmitry Khovratovich <khovratovich@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Cc: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Argon2 v1.0 versus v1.2
Our current intention is to wait for the updates proposed/requested by the panel and to integrate those with Argon2 v1.2
Thus neither v1.0 nor v1.2 is the final version, but v1.2 is closer to it and whatever security analysis you are going to make probably should target v1.2 first.
Best regards,
The Argon team
On Jul 21, 2015, at 18:49, Samuel Neves <sneves@....uc.pt> wrote:
> On 21-07-2015 17:07, Corrigan-Gibbs, Henry wrote:
>> Since the two versions use different “indexing functions," I imagine that the time-space trade-off for the two schemes could be quite different. Version 1.0 was the PHC winner, so I am tempted to spend my time looking at v1.0. At the same time, if v1.2 is the version that the world will use (assuming that the world starts using Argon2) I should probably focus on v1.2.
>>
>> Is one of these two versions the "authoritative" one? Are there known flaws in v1.0 that provide a rationale for using only v1.2? I looked through the mailing list archives, but was not able to find any discussion of Argon2 v1.2.
>
> Argon2 v1.2 was announced on June 22 on this list, but appears to not have been archived. The announced modifications
> were presented as an optional update to be considered post-PHC (i.e., now). Below I quote the announcement by Dmitry
> Khovratovich:
>
>> Dear PHC community,
>> following discussions in the PHC forum we decided to further increase the
>> circuit depth and improve the tradeoff resistance of Argon2. We propose an
>> optional update with two main changes:
>>
>> 1) The "random" memory block is not uniformly selected but with a
>> distribution skewed towards later blocks. This gives both higher tradeoff
>> resilience and more uniform memory access. The distribution is similar to
>> that in TwoCats, though for the moment we slightly prefer quadratic (rather
>> than cubic) power function as it minimizes the AT gain for a tradeoff
>> attacker. The detailed design rationale is provided in the update
>> description.
>>
>> 2) The round function of Blake2b is replaced with BlaMka (each addition is
>> now accompanied with a 32x32 multiplication) in order to increase the
>> circuit depth. In total we add 512 MULs per 1-KB block with shortest chain
>> having 12 MULs.The structure of the compression function remains the same
>> for the moment (thus some extra parallelism is still in place), since such
>> a change apparently requires a very involved analysis.
>>
>> Both modifications affect the performance (the first one increases the
>> speed, whereas the second one decreases it). In total, Argon2d (and
>> Argon2i) would run slower by 15% with multiple threads, and by 45% with 1
>> thread.
>>
>> This update should be considered as a post-PHC modification, i.e. the one
>> that is deployed after the winner is declared.
>>
>> The update is described in a separate chapter of the design document
>> (chapter 3 in https://github.com/khovratovich/Argon2/blob/master/Argon2.pdf
>> ).
>> Both optimized and reference implementations are ready for downloading and
>> testing in a separate branch
>> https://github.com/khovratovich/Argon2/tree/enhance
>>
>> -- Best regards, The Argon team
>
>
Powered by blists - more mailing lists