Open Source and information security mailing list archives
Date: Sat, 5 Apr 2014 13:24:33 -0400
From: Bill Cox <>
Subject: Re: [PHC] Re: EARWORM review

On Fri, Apr 4, 2014 at 10:06 PM, Daniel Franke <> wrote:
> Bill Cox <> writes:
> Even if the change doesn't significantly mitigate any known attack, on
> further reflection I think EARWORM is currently breaking a cardinal rule
> of cryptographic design: unnecessary structure is bad! I guess I can
> postpone my decision on EARWORM until the next round, but the
> GPU-friendly variant I'm developing (it's going to be called GLOWWORM)
> is definitely going to have a flat arena.

For GLOWWORM then, I recommend a parameter for setting the state
size.  If for some reason a 512 bit state is not doing the job, a 1MiB
state should!

If you're doing 12GiB hashing per core on a server, that's a bit more
than 12,000 workunits/second.  That leaves me most of a millisecond to
take whatever 512 bit results were computed from a workunit, and route
them to another computing node, without data in transit dominating
over data in computation.  I think that's a pretty sensitive ratio.
If I had to route 1MiB of data to another node to have it hashed with
1MiB of data, the whole concept would be pointless.

Another possibility is reducing the workunit size.  If a workunit were
4096 bytes, and the state were also 4069 bytes, this also defeats my