lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAEkTiRiuiRBvjB8CXOZAeOH3hpQmcJ1ve-rDSg0GnDcmii9rA@mail.gmail.com> Date: Tue, 1 Sep 2015 23:33:07 -0700 From: Andrew Ekstedt <andrew.ekstedt@...il.com> To: discussions@...sword-hashing.net Subject: Comments on Argon2 v1.2.1 I recently wrote an implementation of Argon2 in Go [1], and in doing so came across some areas where the spec and the reference implementation diverged. Please see my comments below. I have patches that resolve the issues with the initial hash and blake2b_long in favour of the spec, and can send them if desired. Andrew Ekstedt [1]: https://github.com/magical/argon2 ====== When computing the initial hash H_0, the reference implementation calls blake2b_final twice, discarding the result of the first call. This is a problem because blake2b_final is not idempotent; the result of the second call is different from the result of the first. It also makes things difficult for the Go implementation because the BLAKE2b library for Go is careful to make its Final method idempotent. https://github.com/khovratovich/Argon2/blob/d9304a5ecac9fc5b47befd25cbfce6ed026042fe/Source/Core/argon2-core.cpp#L339 --- Section 3.2 of the spec states that when initializing the matrix, B[i][0] and B[i][1] are computed from the Argon2 block permutation G, but the reference implementation uses blake2b_long instead. https://github.com/khovratovich/Argon2/blob/d9304a5ecac9fc5b47befd25cbfce6ed026042fe/Source/Core/argon2-core.cpp#L268 --- Section 3.3 describes how to obtain the final output of Argon2: The hash function is applied iteratively to B_m, each time outputting the first 32 bytes of the 64-byte hash value, until the total number of output bytes reaches τ. The reference implementation defines a function blake2b_long to perform this, but deviates from the above description in the following ways: * the input to the first hash is prefixed with the output length τ (4 bytes, little-endian) * if τ is less than or equal to 64 bytes, blake2b_long computes BLAKE2 with a digest size of τ and returns the entire result. Note that this is not equal to the τ- truncated 64-byte hash because BLAKE2 includes the digest size in the hash calculation. * if τ is greater than 64 bytes, the first output blocks are computed as specified, and the last 33- to 64- byte block is computed as above https://github.com/khovratovich/Argon2/blob/d9304a5ecac9fc5b47befd25cbfce6ed026042fe/Source/Blake2/blake2b-ref.cpp#L396 ======
Powered by blists - more mailing lists