Mailing List Archive

Balloon hashing (was: Argon2)
Hello,

Last October, I wrote about possible addition of Argon2 to libgcrypt.

Today, I am considering adding Balloon instead (or as well as Argon2).

Background: These days, we try to prepare FIPS mode for coming libgcrypt
1.10. In this context of FIPS compliant things, I'm afraid Argon2 won't
be approved algo by FIPS (in future).

This week, I read this document of NIST:

https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

and it addresses Balloon [0] as one of examples. And I found that
Balloon is more FIPS friendly, as it can use FIPS approved hash
function.

Just like Argon2, it has three parameters (parallelism, space cost, and
time cost). Thus, it has same problem with the gcry_kdf_derive API
(which only has "iterations").

For parallelism, Balloon approach is straight forward: tweaking salt for
each worker thread, parallel computation by threads, and merging results
by XOR. (It's a bit simpler than Argon2 where its H0 includes
parallelism parameter.)

So, I think that we could only offer single-thread version of Balloon by
libgcrypt and assume use of parallelism by an application. This way, we
may avoid introducing thread dependency in libgcrypt.

[0] https://crypto.stanford.edu/balloon/
--

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel