>>>>> "Christoph" == Christoph Anton Mitterer <[email protected]> writes:
Christoph> Wouldn't it then be a better choice to wait for the
Christoph> availability of argon2?
Christoph> Not that'd I'd have any insight on whether yescrypt is
Christoph> much worse, but Argon2 is simply the winner and will
Christoph> probably receive the most scrutiny over the years. So it
Christoph> would seem like the wisest long term choice - just like
Christoph> most people use Rijndael/AES and not so much the other
Christoph> AES finalists.
No, what we had was not so good, and Yescrypt is reduced to a compelling
security proof.
I think the amount of analysis that various things are getting is a
factor we can consider.
I don't have any objection to moving to Argon2 once it's available, I
just don't know today that it will be critical to do so.
Amusingly enough, Debian openssh does not actually use AES for
encryption these days.
For a while AES really did have close to 100% of the responsible cipher
market despite its side channel issues.
These days, you'll still see Ipsec using AES, but the ssh community is
more likely to prefer something non-NIST-based probably still as fallout
from DRB plus a desire to have a wider crypto ecosystem.