lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 22 Jul 2015 21:12:41 +0000
From: Jean-Philippe Aumasson <>
To: "" <>, 
	Dmitry Khovratovich <>
Subject: Re: [PHC] Argon2 improvement thread

There's been some additions to the document, mainly by Bill (thanks!)

There's 3 main tweaks proposed to the algorithm:
1. blamka
2. maxform
3. non-linear indexing

Point 3. looks like a no-brainer to me; any objection?

@Bill, Solar (and others): blamka and maxform, respectively in Argon2i and
2d, is that what you have in mind, of maxform in both?

@Dmitry: what do you think? any other proposal of improvement?

Let's keep collecting feedback and ideas about
implementation/API/parameters/etc. We'll decide on those after we're done
with the actual algorithm.

I've been asked about how and by whom tweaks will be accepted. There should
at least be the ok of the designers and general agreement of the panel and
other no major objection.

On Wed, Jul 22, 2015 at 8:43 AM Jean-Philippe Aumasson <> wrote:

> Set up a working document to keep track of the proposed changes and of
> their status:
> Please feel free to edit and to add (signed) comments.
> On Tue, Jul 21, 2015 at 11:21 PM Bill Cox <> wrote:
>> On Tue, Jul 21, 2015 at 1:32 PM, Gregory Maxwell <>
>> wrote:
>>> On Tue, Jul 21, 2015 at 7:45 PM, Solar Designer <>
>>> wrote:
>>> > On Tue, Jul 21, 2015 at 12:24:00PM -0700, Bill Cox wrote:
>>> >> If Alexander proposed to integrate his PWXFORM (I don't know what
>>> >> is), then I would be for it.  This would satisfy my request for
>>> improved
>>> >> GPU resistance, and also my request for multiplication-chain
>>> computation
>>> >> time hardening.
>>> >
>>> > MAXFORM is the scalar equivalent to (and subset of) pwxform.  It's
>>> > neither parallel, nor wide, but is otherwise the same.
>>> >
>>> > It would co-exist with Argon2's existing SIMD code.
>>> Just to be clear--
>>> By existing SIMD code you mean the compression function that includes
>>> the BlaMka permutation from Lyra2?
>>> E.g. You'd run the MAXFORM in parallel using the otherwise untilized
>>> scalar multipliers concurrently with the existing (modified blake2
>>> based) SIMD?
>>> I consider it a virtue to leave no computational resource available to
>>> the defender idle...
>> Yes, that's what he means.  It might make sense to back off to the
>> previous reduced-Blake2 if the multiplication chains are already done in
>> the scalar unit.
>> I agree it's better to use more of the defender's resources.
>> Bill

Content of type "text/html" skipped

Powered by blists - more mailing lists