| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <52D6A65A.6060600@dei.uc.pt> Date: Wed, 15 Jan 2014 15:16:42 +0000 From: Samuel Neves <sneves@....uc.pt> To: discussions@...sword-hashing.net Subject: Re: [PHC] A must read... On 15-01-2014 14:54, Solar Designer wrote: > Besides integer multiply, I was considering floating-point, along the > lines of DJB's hash127 - or even taking hash127 as the crypto primitive: > > http://cr.yp.to/hash127.html > http://cr.yp.to/antiforgery/hash127-20040918.pdf > > But it does feel somewhat risky, and the latency guarantee is probably > similar to that of the integer multiply (not the latency per se, but > how it compares between CPUs and attack-optimized ASICs). A possible > advantage of the hash127 approach would be in using more of the die > area, especially in defensive implementations on GPU and many-core archs > (those many FPUs combined consume non-negligible die area). While using floating-point by itself might be an actionable idea, I'd advise not to use hash127. hash127 was designed during a time where even 32-bit integer multiplication was slow; now we have very fast 64-bit integers multipliers, which make hash127 much faster to compute in integer units. Ideally whatever you compute using the floating-point unit should be something that is hard to replicate with integer hardware.
Powered by blists - more mailing lists