lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 3 Apr 2014 19:05:58 +0200
From: Krisztián Pintér <pinterkr@...il.com>
To: discussions@...sword-hashing.net
Subject: babbling about trends


for some time we have a lot of talk around here about like GPU, cache
lines, etc. this got me thinking. maybe we focus too much on today, as
opposed to tomorrow?

so here are some thoughts, not facts, i came up with.

1. aim of strengthening

we want to use what we have for free, so the attacker has to pay for
what we have paid for. what we have, identified by Colin Percival (at
least he advertised it), is mostly RAM. but we have other things as
well, like complex circuits for multiplication/division, AES, sine. we
also have in-chip storage (in the realm of 2000+ bits on high end
CPUs), cache, multiple cores and pipelines, etc, which some designs
attempt to exploit. all of these characteristics tend to be less
common than RAM, though some of them are quite common.

2. okay but what about tomorrow?

if we aim to develop standards for 10+ years, we need to plan for the
unpredictable future.

2a. memory

memory will no doubt be cheaper and cheaper. the question is whether
we will use more RAM or will it level out at 16G or 64G or something.
more precisely, what will be the price of RAM in a typical computer 10
years from now? because if it drops significantly, we lose edge. if a
computer of 2025 will have 64G RAM, but it will cost 1/100th of
today's price of 8G, attackers' cost drop significantly.

2b. architectures

this is really a mystery. my prediction is: single core performance
will not increase that much, but parallelism will explode. i also
envision the merger of CPU and GPU, and larger control over the low
level parallelism (GPU-like approach wins). as well as increase in
register space. at this point, regular crypto will be done entirely
within the CPU, using no RAM at all. long term keys will be kept in
registers, etc. i also forecast disappearing significance of cache, as
regular memory access times will catch up.

2c. technology switch

sooner or later we will switch to optical CPUs. i don't know a single
thing about what can we expect from them. how will they look like. and
we can only hope that quantum processing does not carpet bomb our
cryptography into ashes.

2d. cloud computing

as of now, only big fish can buy hardware in quantities to even hope
to break something with brute force. but how things are change if i
can just borrow the computational power for any time? granted, the
cost is still there. but only the cost of the actual computation, not
the manufacturing, shipping, assembling, setting up, just to be left
with tons of metal once the "project" is done. it will no doubt
increase the number of "players" in the game.

conclusion

i think we need to consider such long-term arguments when judging
proposals. we need to understand that "exhausting L2 cache this that"
kind of arguments does not hold up very well in a potential future
with no such thing as an L2 cache. they also does not hold up very
well in existing systems with no L2 cache. i'm not saying these
arguments are pointless, but their scope is limited, and this
limitedness is to be considered.

Powered by blists - more mailing lists