lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 10 Jan 2014 14:30:50 +0400
From: Solar Designer <>
Cc: Anthony Ferrara <>
Subject: Re: [PHC] scripting memory (not so) high

On Fri, Jan 10, 2014 at 09:35:10AM +0000, Peter Maxwell wrote:
> There's also going to be an absolute limit to how much memory can be used.
>  In many of my own setups the php memory limit is sitting somewhere between
> 64Mb and 128Mb, although sometimes a fair bit higher, e.g. I think Magento
> tends to need nearer 512Mb irrc.
> However, and this is the caveat, there's going to be a significant
> proportion of that already used.  So for a portable implementation of a
> memory-hard KDF we may be talking ~15Mb that can actually be used.

Yes.  I wish we could get anywhere close to numbers like that in PHP,
while retaining reasonable running time.

> In terms of performance, PHP will be not too bad

It is not too bad in terms of performance for SHA-512, but it is in
terms of limiting us to this primitive.  Specifically, bcrypt-like small
random accesses to a smaller portion fitting in L1 cache are way too
slow to do in PHP, yet would be needed for GPU resistance at small
memory sizes like 1 MB or less.

> but there is always the
> option of coding the scheme as an extension, i.e. in C.

If we stay with pure SHA-512 for the only required primitive, in order
to be scripting language friendly, then such a native extension would
provide only a ~2x to 3x speedup currently (with 3x only possible if we
were careful to include sufficient parallelism, having considered the
tradeoff that this involves).  Yet this may be done.

> I'm not sure what
> the score is going to be with other scripting languages or if people are
> intending on having things run on mobile devices.

I think scripting language friendliness is primarily for servers and for

In JavaScript, there's probably no advantage to using SHA-512 vs. the
smaller random accesses I mentioned above, though.

Anyhow, I am not happy with my current results from the smhkdf
experiment, yet I don't think we'll have anything substantially better
soon.  Currently, 1 MB with scrypt and thus almost certainly also with
smhkdf is weaker than bcrypt's 4 KB as it relates to CPU-defense vs.
GPU-attack performance.  For scrypt, these are on par somewhere at above
4 MB (yes, it needs to get 3 orders of magnitude higher than bcrypt's),
as known from YAC mining speeds.

Thus, if native code bcrypt is an option (such as via PHP's
CRYPT_BLOWFISH), I think it should remain preferable for a while longer.

Something along the lines of smhkdf at <= 1 MB may then be a fallback to
be used on PHP 5.1.2 to 5.3.6, as well as when the use of these hashes
is forced for portability to other scripting languages or/and to older
PHP, or for compliance (SHA-512 being NIST-approved, unlike the Blowfish
hack).  I guess e.g. Drupal might prefer having just the SHA-512 based
algorithm for these reasons, even if it's a few times faster to crack
than bcrypt with current GPUs at currently realistic settings.

It is a better fallback than phpass' and Drupal's current iterated
hashing that is not sequential memory-hard at all, but I'm afraid it's
not yet suitable for becoming the new default for all (with bcrypt still
being better as it relates to GPU attacks, which are still more likely
than attacks with ASICs, FPGAs, or many-core CPUs).


Powered by blists - more mailing lists