| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAOLP8p4EGKu+jCKOTxQkT5qRVZv5QSSxdPSxaJ5Czpr9eTXq2w@mail.gmail.com> Date: Fri, 28 Feb 2014 12:29:03 -0500 From: Bill Cox <waywardgeek@...il.com> To: discussions@...sword-hashing.net Subject: Re: [PHC] Future CPUs and GPUs? On Fri, Feb 28, 2014 at 12:06 PM, <pornin@...et.org> wrote: > "Don't sell the skin till you have caught the bear." Right now, nobody > knows what candidates will be submitted. The discussions occurring in this > mailing-list cannot claim exhaustivity (e.g. I did not discuss my own > submission). I think a prior message to this list claimed that there > should be about 10 or 12 candidates, but that's just an estimate and there > could be dozens of submissions from people who never actively participated > to this list. > > > --Thomas Pornin Good point. This also means you still have time to take Solar Designer's excellent research into why Bcrypt is so difficult for GPUs :-) Thus, you could be one of those "influenced" entries. Basically, if you have a loop where password dependent addressing is done, just try to do small data reads in it. Bcrypt does it from the start, doing 16 byte reads if I am not mistaken. I'm only doing it in the second loop, since the first loop in TigerKDF is predictable for cache-timing-attack resistance, but in the second loop I do 64-byte reads by default. I figure that likely makes it around 8X larger memory for CPU/GPU parity, or around 32KiB vs Bcrypt at 4KiB. Bill
Powered by blists - more mailing lists