[Cfrg] Argon2 v.1.3

Dmitry Khovratovich <khovratovich@gmail.com> Thu, 03 March 2016 10:07 UTC

Return-Path: <khovratovich@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 404611B4067 for <cfrg@ietfa.amsl.com>; Thu, 3 Mar 2016 02:07:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eZ6TVWys4H_i for <cfrg@ietfa.amsl.com>; Thu, 3 Mar 2016 02:07:50 -0800 (PST)
Received: from mail-ig0-x235.google.com (mail-ig0-x235.google.com [IPv6:2607:f8b0:4001:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5F881B4066 for <cfrg@irtf.org>; Thu, 3 Mar 2016 02:07:49 -0800 (PST)
Received: by mail-ig0-x235.google.com with SMTP id g6so15819196igt.1 for <cfrg@irtf.org>; Thu, 03 Mar 2016 02:07:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=ATq+PGYaxNq7CAY48s9Cd6wKg3Vpc7FsTm15EKpWJTk=; b=pmV8DEln1lFAQhXKBxmQKQZRx5mILqp1MuvG6VUUVAQGsQSlrw5n5/+zBTAPbPAV3p ynnWot/pcY473AsDTHfF6mFZjxX3IAlf74DCKZWeBJKWVnjfx06d6muK1Vc3ORFZSp7n RMz7bxL8ty1klz0gNUe1t8gn7QVn+ynHyjQ2Iy21JEh9/91ZmFRYeS0zzi6ji0wCP5GF 4hV8jxRa/YBBAo6q/rL0Y4TvjzYr1Ho5azI8Z0uauWvDmSDt5Hf0lBl50IFFXwUYdZ99 b9E4LTCiijU/U0JRhhD9Hsib+oRHJfc41iuYHY4y9+svX5czPHXdkXuAASJULOTxuBTB xI3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=ATq+PGYaxNq7CAY48s9Cd6wKg3Vpc7FsTm15EKpWJTk=; b=Na2BNJuJ3wOEG5Q38NfdmD6w2/4xtQHovhl4DIJlRHHswM/ilMJtQp1M3HL5VqJOrY yDAVXshprJGgu8e9ug9VqGdIC1hvmg8aVhR97BNuZMinChFsWAZ7R44PFeiLMgqwSrSy bLVNjMZFkHfKIyyMLnYTKyIxQ9lm5fQrC3I+pexNQvuaXtehI1ck/yW5OOd976EX5gNl PHUUBJYH4okN7a9m9P3IHxG0nTcHC7hCMoJvUibahOyvXOw1vui8UwgQFVEYJ0pnrYk9 DoiSXcQ8k5kgSDJeqWEC9ITLLTm+gtJ7mzsl5ZpJajdKuIbFoRlUdj3A/PAX7ykKT7qz LYWQ==
X-Gm-Message-State: AD7BkJJX+rH7nbW9i9ytFxcweqPGYrVXEoDR1hQ0yWdnjYhs369xsH8XFdHGFMz6Zv7hLrZL+Dl2mv1BVqbbsA==
X-Received: by 10.50.124.41 with SMTP id mf9mr4883677igb.53.1456999669284; Thu, 03 Mar 2016 02:07:49 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.223.16 with HTTP; Thu, 3 Mar 2016 02:07:34 -0800 (PST)
From: Dmitry Khovratovich <khovratovich@gmail.com>
Date: Thu, 3 Mar 2016 11:07:34 +0100
Message-ID: <CALW8-7KkAD_-MNvPUOEzxoTVO98Bug6M85K4qRAYZDX4CrEpOQ@mail.gmail.com>
To: "discussions@password-hashing.net" <discussions@password-hashing.net>, cfrg@irtf.org
Content-Type: multipart/alternative; boundary=089e010d9618b9db45052d222bb7
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/beOzPh41Hz3cjl5QD7MSRNTi3lA>
Subject: [Cfrg] Argon2 v.1.3
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2016 10:07:52 -0000

Dear all,

We have prepared the new version 1.3 of Argon2 [2], which addresses the
memory optimization strategy by Corrigan-Gibbs et al. [1]. The method in
[1] allows running Argon2i with 1/3 of required memory for any number of
passes without computational penalty.

The main tweak of version 1.3 is the XOR of a new block into the memory
instead of plain overwrite. This tweak not only eliminates the problem with
multi-pass Argon2i, but also increases the memory bandwidth thus making it
more ASIC-resistant. The tweak applies to both Argon2d and Argon2i.

The specification [2] contains the analysis of the attack and its status in
the new version (Section 5.2). It also discusses the recent attack on
Argon2i by Alwen and Blocki [3], showing that for (3 and more)-pass Argon2i
it is not efficient (Section 5.6).

The code update (to be merged soon with the primary codebase) contains new
test vectors and the optimized implementation. The new version is 5-10%
slower depending on the platform.


We plan to prepare the new RFC draft ASAP.


[1] http://eprint.iacr.org/2016/027.pdf
[2] https://www.cryptolux.org/images/0/0d/Argon2.pdf
[3] http://eprint.iacr.org/2016/115.pdf

-- 
Best regards,
the Argon2 team