lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAOLP8p4-MLDj5UCostH+MutUhzz1iXhku69nTYTR7_gpURtAXg@mail.gmail.com>
Date: Fri, 7 Mar 2014 20:56:31 -0500
From: Bill Cox <waywardgeek@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] TigerKDF paper and code ready for review

On Fri, Mar 7, 2014 at 7:13 PM, Solar Designer <solar@...nwall.com> wrote:
>> At least with AVX2 on Haswell, I would be surprised if Bcrypt's inner
>> loop were faster, so for hashing out of just L1 cache, I'm probably
>> good on that platform vs current GPUs.
>
> Are you trying to say that on Haswell you read 64 byte blocks as rapidly
> as bcrypt reads 4 byte blocks (also on Haswell)?  I think this is false.

I need to verify this, but I think the math last time showed that a
loop with 3 AVX2 instructions reading 2 32 byte values at a time,
hashing them slightly, and writing them back ran at the clock speed.
I should have said 32-bytes, not 64.  However, it's Friday night, and
I've had two glasses of wine, so I'm hanging it up for tonight!

> So you lose to bcrypt in terms of attacks with GPU implementations that
> choose to use global memory, and they will choose to do so if this is the
> faster attack.
>
>> As you say, it's the older CPUs that are problematic for GPU defense.
>
> Not exactly.  I say that older CPUs are more problematic for defending
> against GPU attacks when the same code+settings is attempted to be used
> for both older and newer CPUs.
>
> This does not mean that defending against GPUs is trivial on newer CPUs
> (at sub-megabyte memory per hash), unless you're willing to give up on
> certain other desirable properties.  This is not trivial.
>
> I'll try to find time to comment on the rest of your message later.
>
> Alexander

Sounds good, and thanks again for the comments so far.

Bill

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ