[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87io2zyvye.fsf@latte.josefsson.org>
Date: Tue, 12 Jan 2016 10:43:21 +0100
From: Simon Josefsson <simon@...efsson.org>
To: Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com>
Cc: "discussions\@password-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: Attack on Argon2i?
Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com> writes:
> Appendix A claims a memory reduction on Argon2i:
> http://eprint.iacr.org/2016/027
>
> Not clear to me what's the actual efficiency of the improved attack though.
It says:
it is possible to compute the single-pass variant of the Argon2i
password hashing function [...] using between a quarter and a fifth
of the desired space with no computational penalty.
The attack appears to require a pre-computation phase to pre-compute the
time after which some blocks will not be needed any more, so they can be
discarded during the computational phase, thus saving memory.
So overall the computation appears is larger, and I'm not sure in which
attack scenario this approach would actually be useful.
/Simon
Download attachment "signature.asc" of type "application/pgp-signature" (473 bytes)
Powered by blists - more mailing lists