Message-ID: <CAOLP8p7qZ8A=hKz-zy2zobtaYxCG1WLt6x5kT_2oSuPtwsVfCg@mail.gmail.com>
Date: Sat, 5 Apr 2014 13:24:33 -0400
From: Bill Cox <waywardgeek@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Re: EARWORM review

On Fri, Apr 4, 2014 at 10:06 PM, Daniel Franke <dfoxfranke@...il.com> wrote:
> Bill Cox <waywardgeek@...il.com> writes:
> Even if the change doesn't significantly mitigate any known attack, on
> further reflection I think EARWORM is currently breaking a cardinal rule
> of cryptographic design: unnecessary structure is bad! I guess I can
> postpone my decision on EARWORM until the next round, but the
> GPU-friendly variant I'm developing (it's going to be called GLOWWORM)
> is definitely going to have a flat arena.

For GLOWWORM then, I recommend a parameter for setting the state
size. If for some reason a 512 bit state is not doing the job, a 1MiB
state should!

If you're doing 12GiB hashing per core on a server, that's a bit more
than 12,000 workunits/second. That leaves me most of a millisecond to
take whatever 512 bit results were computed from a workunit, and route
them to another computing node, without data in transit dominating
over data in computation. I think that's a pretty sensitive ratio.

If I had to route 1MiB of data to another node to have it hashed with
1MiB of data, the whole concept would be pointless.

Another possibility is reducing the workunit size. If a workunit were
4096 bytes, and the state were also 4069 bytes, this also defeats my
scheme.

Bill