Date: Tue, 12 Jan 2016 08:03:48 -0800
From: Bill Cox <>
To: "" <>
Cc: Jean-Philippe Aumasson <>
Subject: Re: [PHC] Re: Attack on Argon2i?

This is the same effect I pointed out during the competition in my paper:
single-pass cache-timing-resistant algorithms _always_ have a free 2X TMTO,
meaning 1/2 the memory with no recomputation penalty.  From there, it is
fairly difficult to defend memory up to about a 3X memory reduction, before
computation time starts increasing faster than memory is decreasing.

My rule of thumb: cache-timing-resistant algorithms have about 3X lower
time*memory defense.  It is simply the nature of the problem.

This is why we use 3 passes in Argon2i and Catena.  It is also why I prefer
single-pass Argon2id for applications that do not require strong
side-channel resistance, such as FDE password stretching.  I personally see
no use-case for Argon2d.  Single-pass multi-thread Argon2id seems just
about perfect for Intel/AMD software FDE.  Now, if I could just get this
working fast for 1ms hashes, and make it more efficient for ARM...

A 5X memory reduction with no computation penalty against single-pass
Argon2i would surprise me...  guess I'll have to read the paper.
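As an added illustration of the dead-block pruning the message refers to (example code written for this note, not from the thread or the Argon2 project): a toy single-pass function with a data-independent, uniform reference schedule is evaluated once keeping every block and once discarding each block right after its precomputed last use. Both runs perform the same number of compressions and produce the same tag; only the peak live memory differs. The index schedule and compression function are constructed stand-ins, so the measured ratio belongs to this toy, not to Argon2i.

```python
# Toy single-pass, data-independent memory-hard function (constructed here;
# NOT Argon2i, whose index function is biased toward recent blocks).
import hashlib


def ref_index(i: int) -> int:
    """Reference block for block i, derived from i alone, so the schedule is known in advance."""
    h = hashlib.sha256(b"ref" + i.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:4], "big") % i


def compress(prev: bytes, ref: bytes) -> bytes:
    """Stand-in for a wide-block compression function."""
    return hashlib.sha256(prev + ref).digest()


def fill_naive(n: int, seed: bytes) -> tuple[bytes, int, int]:
    """Honest evaluation keeping all n blocks: (tag, peak_blocks, compressions)."""
    blocks: list[bytes] = [hashlib.sha256(seed).digest()]
    for i in range(1, n):
        blocks.append(compress(blocks[i - 1], blocks[ref_index(i)]))
    return blocks[-1], len(blocks), n - 1


def fill_pruned(n: int, seed: bytes) -> tuple[bytes, int, int]:
    """Same computation, but each block is dropped after its last use. Because the
    schedule is data-independent, nothing is ever recomputed: same tag, same count."""
    last_use = {j: j for j in range(n)}
    for i in range(1, n):
        last_use[i - 1] = i              # chaining input needed at time i
        last_use[ref_index(i)] = i       # random reference needed at time i
    live: dict[int, bytes] = {0: hashlib.sha256(seed).digest()}
    peak = 1
    for i in range(1, n):
        live[i] = compress(live[i - 1], live[ref_index(i)])
        peak = max(peak, len(live))
        for j in (i - 1, ref_index(i)):  # free inputs whose last use was now
            if last_use[j] == i and j in live:
                del live[j]
    return live[n - 1], peak, n - 1


def memory_ratio(n: int = 4096, seed: bytes = b"constructed-secret") -> float:
    """Peak memory of the pruned evaluation relative to the honest one."""
    tag_a, full, _ = fill_naive(n, seed)
    tag_b, peak, _ = fill_pruned(n, seed)
    assert tag_a == tag_b                # identical output, no recomputation
    return peak / full
```

With a uniform schedule the pruned peak sits well under half of the full memory; a recency-biased index function or additional passes change how long blocks stay live, which is what the pass-count choice in the message is about.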
