| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 Sep 2016 13:32:58 -0700
From: Bill Cox <waywardgeek@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: [PHC] Can we add back Argon2id?
Argon2id was in the winning algorithm of the competition, but afterwards,
in version 1.3, it seems to have been dropped. Because data-independent
algorithms remains an active area of research with new attacks and defense
being published fairly rapidly, I cannot recommend Argon2i as the "default"
algorithm to anyone: there may be yet another attack or improved defenses
that make alternatives significantly stronger, and all purely
data-independent algorithms have worse memory*time defense in any case.
However, Argon2id has has no published attacks, and is basically as strong
as Argon2d against offline attacks. I can comfortably recommend it for
most x86-based applications, other than small-memory in-cache hashing (very
common for servers) and applications that absolutely require 100%
side-channel resistance (like some security keys).
Without being able to recommend Argon2id, I am left without a default
algorithm to recommend. I'd switch to Yescrypt, which I feel provides
stronger defenses in several important ways, but people really just want to
use the winner. It is a far easier sell.
Can we add back Argon2id?
Thanks,
Bill
Content of type "text/html" skipped
Powered by blists - more mailing lists