lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 28 Feb 2014 12:29:03 -0500
From: Bill Cox <>
Subject: Re: [PHC] Future CPUs and GPUs?

On Fri, Feb 28, 2014 at 12:06 PM,  <> wrote:
> "Don't sell the skin till you have caught the bear." Right now, nobody
> knows what candidates will be submitted. The discussions occurring in this
> mailing-list cannot claim exhaustivity (e.g. I did not discuss my own
> submission). I think a prior message to this list claimed that there
> should be about 10 or 12 candidates, but that's just an estimate and there
> could be dozens of submissions from people who never actively participated
> to this list.
>         --Thomas Pornin

Good point.  This also means you still have time to take Solar
Designer's excellent research into why Bcrypt is so difficult for GPUs
:-)  Thus, you could be one of those "influenced" entries.

Basically, if you have a loop where password dependent addressing is
done, just try to do small data reads in it.  Bcrypt does it from the
start, doing 16 byte reads if I am not mistaken.  I'm only doing it in
the second loop, since the first loop in TigerKDF is predictable for
cache-timing-attack resistance, but in the second loop I do 64-byte
reads by default.  I figure that likely makes it around 8X larger
memory for CPU/GPU parity, or around 32KiB vs Bcrypt at 4KiB.


Powered by blists - more mailing lists