lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 29 Jul 2015 07:00:50 +0800
From: Ben Harris <mail@...rr.is>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Argon Indexing Function

On 29 Jul 2015 8:46 am, "Henry Corrigan-Gibbs" <henrycg@...nford.edu> wrote:
> The reference implementation on Github (in the "enhanced" branch) is
computing \phi in a slightly different way, so maybe the spec just needs to
be updated to match what is in the code. Or did I miss something here?
>

I don't think you are missing anything. The Argon team published attacks
against the index functions in other candidates. I expect that finding a
real permutation (maps input to output without any gaps or double ups) that
wasn't weak against the attack would have taken longer than the competition
format allowed, so an alternative type of index was chosen.

Now that there is time for tweaks it would be good to revisit the decision.
If 3 rounds of resistance is sufficient, I did post a modification to bit
reversal that resists Dimity's attack for 3 rounds with only a minor
increase in complexity over bit reversal (and in constant time). I haven't
looked at the specification enough to see if it is compatible though.

I think from memory that the index function at also keyed on the salt? For
Argon2i at least. It might also be worth looking at that at the same time.
(unless my memory is completely incorrect)

-Ben

Content of type "text/html" skipped

Powered by blists - more mailing lists