Message-ID: <CAOLP8p7kA7qzZ8XW7iv_7ae7Gta9Do_RLwEQBiSMZrJn0NCTXQ@mail.gmail.com>
Date: Tue, 12 Jan 2016 08:03:48 -0800
From: Bill Cox <waywardgeek@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Cc: Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com>
Subject: Re: [PHC] Re: Attack on Argon2i?

This is the same effect I pointed out during the competition in my paper:
single-pass cache-timing-resistant algorithms _always_ have a free 2X TMTO,
meaning 1/2 the memory with no recomputation penalty. From there, it is
fairly difficult to defend memory up to about a 3X memory reduction, before
computation time starts increasing faster than memory is decreasing.

My rule of thumb: cache-timing-resistant algorithms have about 3X lower
time*memory defense. It is simply the nature of the problem.

This is why we use 3 passes in Argon2i and Catena. It is also why I prefer
single-pass Argon2id for applications that do not require strong
side-channel resistance, such as FDE password stretching. I personally see
no use-case for Argon2d. Single-pass multi-thread Argon2id seems just
about perfect for Intel/AMD software FDE. Now, if I could just get this
working fast for 1ms hashes, and make it more efficient for ARM...

A 5X memory reduction with no computation penalty against single-pass
Argon2i would surprise me... guess I'll have to read the paper.

Bill
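The "free 2X TMTO" for single-pass, data-independent hashing can be made concrete with a small simulation. This is an added example, not code from the thread or from Argon2: it uses a constructed reference schedule (a uniform variant and an Argon2-style quadratic bias that approximates the spec's mapping), derives when each block is last needed, and measures how many blocks an evaluator must actually hold at any step compared with the naive n.

```python
"""Constructed model of a single-pass, data-independent memory-hard function:
block i (i >= 1) is computed from block i-1 and one earlier block refs[i],
where refs depends only on i. Because the schedule is data-independent, an
evaluator knows in advance when each block is used for the last time and can
free it then; this is the 'free' time-memory trade-off (TMTO)."""
import hashlib


def schedule(n: int, biased: bool, seed: bytes = b"constructed") -> list:
    """refs[i] is an index < i. biased=False: uniform over [0, i).
    biased=True: Argon2-style z = i - 1 - floor(i * x^2 / 2^64), favouring
    recent blocks (approximation of the spec's mapping, not its code)."""
    refs = [None] * n
    for i in range(1, n):
        digest = hashlib.sha256(seed + i.to_bytes(8, "little")).digest()
        j1 = int.from_bytes(digest[:4], "little")          # uniform 32-bit
        if biased:
            x = (j1 * j1) >> 32                             # in [0, 2^32)
            refs[i] = i - 1 - ((i * x) >> 32)
        else:
            refs[i] = j1 % i
    return refs


def live_blocks(refs: list) -> list:
    """live[t] = blocks that must be in memory while block t is computed:
    block t itself plus every earlier block still used at step t or later."""
    n = len(refs)
    last_use = [min(i + 1, n - 1) for i in range(n)]  # used as predecessor
    for i in range(1, n):
        last_use[refs[i]] = max(last_use[refs[i]], i)  # used as reference
    frees_at = [0] * n
    for j in range(n):
        frees_at[last_use[j]] += 1
    live, held = [], 0
    for t in range(n):
        held += 1                  # block t just written
        live.append(held)
        held -= frees_at[t]        # blocks whose last use was step t
    return live


def tmto_report(n: int, biased: bool) -> dict:
    """Peak memory actually needed vs. the naive n, plus the schedule-
    independent bound: at most t+1 blocks exist at step t, and at most
    n-t future steps (plus blocks t-1 and t) can still need an old block."""
    peak = max(live_blocks(schedule(n, biased)))
    bound = max(min(t + 1, n - t + 2) for t in range(n))
    return {"naive": n, "peak": peak, "bound": bound, "factor": n / peak}


if __name__ == "__main__":
    for biased in (False, True):
        print("biased" if biased else "uniform", tmto_report(4096, biased))
```

The bound alone guarantees roughly 2X regardless of schedule; the measured peak shows how much further a given indexing function lets the memory drop, which is the quantity a multi-pass design has to push back up.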