Date: Mon, 12 Aug 2013 21:40:07 -0400
From: Daniel Franke <>
Subject: Re: [PHC] The EARWORM password hash

CodesInChaos <> writes:

> With memory hard schemes like scrypt it's easy to put a lower bound on
> the cost specialized hardware incurs per password guess.
> With bandwidth based schemes this isn't so obvious. Are there any
> papers analyzing this cost?

To the best of my knowledge, this is a completely open problem, and one
which is ripe for research and debate during the coming two years.

The initial security analysis that I plan to include with my submission
will be based upon a model in which the adversary gets zero-latency AES
circuits for free, but pays market price for commercially-available
memory technology.  The optimal choice of memory technology for the
attacker is the one which can provide the lowest cost-per-unit-bandwidth
for (16 * CHUNK_AREA * 2**m_cost) bytes of storage.  One obvious
refinement to this model is also to take the costs of electricity and
cooling into consideration.

I do not plan, at least before January, to attempt to model what might
be achieved through custom memory design. I feel reasonably comfortable
making this omission, on the basis that any solution to the problem of
providing cheap high-bandwidth read access to large volumes of storage,
without resorting to creating duplicate copies of the storage, obviously
has broad-ranging applications to endeavours that are a lot more
lucrative than password-cracking. If it were easy, somebody probably
would have done it already. Nonetheless, over the course of the
competition, I certainly hope to foster some discussion about the
possible impact of future advances in storage technology (cheap 3D
ASICs?) on the security of EARWORM and similar schemes.
