Open Source and information security mailing list archives
 
Date: Tue, 14 Jan 2014 22:01:24 +0000
From: Marsh Ray <maray@...rosoft.com>
To: Krisztián Pintér <pinterkr@...il.com>
CC: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: RE: [PHC] A must read...

From: Bill Cox [mailto:waywardgeek@...il.com] 
> Serial multiplications force the attacker to compute for a similar amount of time as me.

> A 32x32 -> 32 multiply takes 3 cycles, or almost 1ns on my development
> machine.  By having a single multiply operation in the inner loop that
> computes hash data along with one or two 1 cycle operations, we
> can have the multiply delay dominate the runtime.

The attacker may not care as much as the defender about the absolute latency to achieve a result, only the throughput. So he may be able to utilize deep pipelines better than the defender.

I only dabble in such things, but let's imagine we had a 40-stage multiplier which could produce a result every single clock at or near the maximum toggle rate for that chip process. How will the proposed designs prevent the attacker from keeping such a pipeline well fed?

> The high memory bandwidth caps his ability to integrate and lower costs.

Is it really the memory bandwidth? Or the random-access latency?

> The combination seems to maximize his cost*time.

The attacker is free to choose whatever hardware configuration he wants, including hardware identical to that of the defender. So we can't really impose costs on the attacker, we can only seek to minimize any advantage he might gain through the use of techniques not available to the defender.

I know it may sound like I'm being pedantic, but to me these are essential points!

From: Krisztián Pintér [mailto:pinterkr@...il.com] 
> please note that the proposed hypothetical machine consists of 2^32 units. if you want
> to add $4 memory to all of them, we are talking about 16bn dollars + a new power plant.

It's doubtful humans have ever even chosen 2^32 unique passwords. No data breach will reveal 2^32 passwords.

We know there are certainly attackers with ASIC capabilities and 9-figure budgets for cracking hardware and who do locate their data centers next to power plants.

We know there are botnets with 7-figure numbers of nodes who don't pay their own power bills.

So maybe the best model of the attacker is not in terms of a fixed number of computational units, but instead, things like energy costs, hardware budget, etc.

> granted, you work for MS, so you can imagine that :) but not many others can.

Oh believe me I asked for the keys to that car but my request is still pending approval :-)

- Marsh
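
The latency-versus-throughput question raised in this message, as an added example that is not part of the original e-mail: a cycle-level model of one pipelined multiplier shared by independent password candidates. The function names, the round-robin scheduling, the chain length of 100 and the assumption that the unit accepts one multiply per clock and returns it `depth` clocks later are all illustrative assumptions.

```python
def simulate(depth, chain_len, candidates):
    """Model one pipelined multiplier: it accepts one multiply per clock and
    returns the product `depth` clocks later. Each candidate password needs
    `chain_len` multiplies, each consuming that candidate's previous product.
    Returns (total_cycles, latency_of_candidate_0, busy_issue_slots)."""
    remaining = [chain_len] * candidates  # multiplies still to issue
    ready_at = [0] * candidates           # clock at which the next operand exists
    finish = [None] * candidates          # clock at which the final product exists
    cycle = issued = nxt = 0
    while None in finish:
        # Round-robin: issue at most one ready multiply in this clock.
        for i in range(candidates):
            c = (nxt + i) % candidates
            if remaining[c] and ready_at[c] <= cycle:
                remaining[c] -= 1
                ready_at[c] = cycle + depth
                issued += 1
                if remaining[c] == 0:
                    finish[c] = cycle + depth
                nxt = (c + 1) % candidates
                break
        cycle += 1
    return max(finish), finish[0], issued


def hashes_per_kilocycle(depth, chain_len, candidates):
    """Throughput of the single multiplier, in finished hashes per 1000 clocks."""
    total, _, _ = simulate(depth, chain_len, candidates)
    return 1000 * candidates / total


if __name__ == "__main__":
    DEPTH, CHAIN = 40, 100  # 40 stages as in the message; chain length is constructed
    for k in (1, 8, 40, 80):
        total, latency, issued = simulate(DEPTH, CHAIN, k)
        print(f"candidates={k:3d} latency={latency:5d} total={total:5d} "
              f"utilization={issued / total:.3f} "
              f"hashes/kcycle={hashes_per_kilocycle(DEPTH, CHAIN, k):.2f}")
```

In this model a single candidate keeps the multiplier busy one clock in 40, while 40 interleaved candidates each still take 4000 clocks but fill nearly every issue slot, so the serial chain bounds latency and not throughput per multiplier.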
