lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 07 Apr 2014 09:39:20 -0400
From: Daniel Franke <dfoxfranke@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] EARWORM (ROM hard is not enough)

Steve Thomas <steve@...tu.com> writes:

> The problem I have with EARWORM is that it's only good if the ROM is too
> big to fit in GPU memory. Currently we have high-end GPUs starting at 4 GiB
> with 12 GiB being the max (right?). You only need one copy of the ROM in
> GPU memory and since the state per each password guess is small (64 bytes)
> you can have several passwords being checked at the same time.

Yes, but only up the limit of available memory bandwidth, which on CPUs
you hit very quickly because EARWORM's inner loop is so fast. Defenders
can compute multiple workunits in parallel if one thread isn't enough to
saturate their memory bandwidth.

GPUs typically have more memory bandwidth available, but they're pretty
bad at AES because the table lookups are slow. If you want to cause
EARWORM some grief, figure out how to make a bitsliced implementation
of it that's able to saturate GPU memory bandwidth.

Powered by blists - more mailing lists