lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 12 Feb 2014 00:10:55 +0000
From: Peter Maxwell <>
To: "" <>
Subject: Re: [PHC] Is bandwidth all that counts?

On 11 February 2014 22:47, Bill Cox <> wrote:

> Having submitted my NoelKDF with it's multiplication compute-time
> hardening, I am now wondering if the compute time we force an attacker
> to spend matters at all.  An attacker will simply add password hashing
> cores, which are close to free, to his FPGA or ASIC, until his memory
> bandwidth is full.  If I force him to spend a full second to write and
> then read 4GiB once (which I do), he'll just run 5 of my hashing cores
> in parallel on an FPGA and fill it's 40GiB/sec memory bandwidth, doing
> 5 guesses per second, so who cares that I forced him to spend as long
> as me computing the hash?
> Now the reverse is not true - if we spend time on a complex hash
> function instead of filling memory rapidly, an attacker will be more
> efficient, maxing out his memory bandwidth while we don't, and that
> ration is pure win for the attacker.

Could you possibly run through that argument again, I think I'm missing
something (it's probably obvious but I can't see it at the moment).

​My problem is understanding why memory bandwidth is the critical factor -
is memory bandwidth inherently more expensive than the actual DRAM?

Content of type "text/html" skipped

Powered by blists - more mailing lists