| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Mar 2015 18:41:24 +0300 From: Solar Designer <solar@...nwall.com> To: discussions@...sword-hashing.net Subject: Re: [PHC] Comparing speed of entries On Mon, Mar 02, 2015 at 06:10:25AM -0800, Bill Cox wrote: > Please excuse and correct mistakes below. [...] > Yescrypt wit t_cost == 1 (my preferred setting), Why not 0? > initializes memory like Scrypt doing 1 write and 1 block hash. With YESCRYPT_RW there are both reads and writes during the initialization phase as well. So 2 I/O's per block. > In the second loop, he hashes > 2/3rds of memory with two reads and one write. No, with one read and one write. And that's 2/3 with t = 1, but by default I recommend t = 0, in which case it's just 1/3. This is not "2/3rds of memory", etc., though - but how many block numbers are generated (some will be duplicate). For YESCRYPT_RW, t = 0, p = 1 it's 8/3*N I/O's total. So e.g. for 1 GB peak memory size, 2.67 GB of I/O would occur. For TwoCats, I think it was 2*N I/O's, so 2 GB of I/O for 1 GB peak. > This is a total of 5/3rds hashes per memory block, For t = 1, yes. > lower than any other remaining entry. My old TwoCats did 1 :-) Yes, but I think it makes more sense to count I/O's per memory block. The "hashes" may be easily scaled one way or the other by adjusting the round count of the primitive - well, except that we don't want to go below 1 round. > While Lyra2 has stronger TMTO defense it will be slower as a result, > lowering memory*time defense. It is not a clear-cut issue. With t_cost == > 1, I can do a 1/2 memory attack against Yescrypt with no change to > memory*time cost, which may help some attackers. I guess you mean with t = 0, and I guess you're referring to the area cost being just 2/3*N at 4/3*N time. Yes, that's by design, and with a different design it could at best be 5/6*N, which isn't that much higher, by the same time point. (In scrypt, it would have been 1/3*N at 4/3*N, except that scrypt can't be made to stop this early. In yescrypt, this becomes the new optimal stop point.) > However, especially when > running in external DRAM and 2 or more threads (how it _should_ be run for > disk encryption key derivation), memory bandwidth is the limiting factor. > In this case, Yescrypt's lead becomes significant, with an average of 3 I/O > operations per memory location, Why 3 I/O's per memory location? For p = 1, t = 0, it's 8/3, which is below 3. For p = 1, t = 1, it's 10/3, which is above 3. For p > 1 the number of I/O's reduces, as the final multi-threaded accesses to the shared arena are read-only. For t = 0 and high p, it's asymptotically 7/3. Anyway, these are close to 3. > compared to Lyra2's 6 This should lead to > a 2X advantage in Yescrypt's peak memory*time cost. My old entry had 2 > read/write operations per memory block :-) However, in Scrypt compatible > mode, Yescrypt does only 2 read/write operations per block, and is > equivalent in speed to my old algorithm, though mine had better TMTO > resistance in this mode. As you're aware, scrypt deliberately has no TMTO resistance, and I intentionally preserved this property in YESCRYPT_WORM mode. Alexander
Powered by blists - more mailing lists