lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAAEkTiRiuiRBvjB8CXOZAeOH3hpQmcJ1ve-rDSg0GnDcmii9rA@mail.gmail.com>
Date: Tue, 1 Sep 2015 23:33:07 -0700
From: Andrew Ekstedt <andrew.ekstedt@...il.com>
To: discussions@...sword-hashing.net
Subject: Comments on Argon2 v1.2.1

I recently wrote an implementation of Argon2 in Go [1], and in doing so
came across some areas where the spec and the reference implementation
diverged. Please see my comments below.

I have patches that resolve the issues with the initial hash and
blake2b_long in favour of the spec, and can send them if desired.

Andrew Ekstedt

[1]: https://github.com/magical/argon2

======

When computing the initial hash H_0, the reference implementation calls
blake2b_final twice, discarding the result of the first call. This
is a problem because blake2b_final is not idempotent; the result of
the second call is different from the result of the first.

It also makes things difficult for the Go implementation because the
BLAKE2b library for Go is careful to make its Final method idempotent.

https://github.com/khovratovich/Argon2/blob/d9304a5ecac9fc5b47befd25cbfce6ed026042fe/Source/Core/argon2-core.cpp#L339

---

Section 3.2  of the spec states that when initializing the matrix,
B[i][0] and B[i][1] are computed from the Argon2 block permutation G,
but the reference implementation uses blake2b_long instead.

https://github.com/khovratovich/Argon2/blob/d9304a5ecac9fc5b47befd25cbfce6ed026042fe/Source/Core/argon2-core.cpp#L268

---

Section 3.3 describes how to obtain the final output of Argon2:

        The hash function is applied iteratively to B_m, each time
        outputting the first 32 bytes of the 64-byte hash value, until
        the total number of output bytes reaches τ.

The reference implementation defines a function blake2b_long to perform
this, but deviates from the above description in the following ways:

* the input to the first hash is prefixed with
  the output length τ (4 bytes, little-endian)

* if τ is less than or equal to 64 bytes, blake2b_long computes BLAKE2
  with a digest size of τ and returns the entire result. Note that this
  is not equal to the τ- truncated 64-byte hash because BLAKE2 includes
  the digest size in the hash calculation.

* if τ is greater than 64 bytes, the first output blocks are computed as
  specified, and the last 33- to 64- byte block is computed as above

https://github.com/khovratovich/Argon2/blob/d9304a5ecac9fc5b47befd25cbfce6ed026042fe/Source/Blake2/blake2b-ref.cpp#L396

======

Powered by blists - more mailing lists