lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 12 Apr 2014 12:15:14 +0400
From: Solar Designer <>
Subject: Re: [PHC] Geeks like us can't write...

On Sat, Apr 12, 2014 at 12:28:33AM -0400, Bill Cox wrote:
> My favorite author in this competition is Solar Designer.  I just love
> his code.  It's that simple.  I'm also a big fan of  Samuel Neves
> code, but he didn't submit an entry, though many of us are using his
> Blake2 implementation.  I read all the authors' papers.  The best
> paper, IMO, may be Catena.
> Here's the sad part.  In the PHC, to varying degrees, good code is
> anti-correlated with good writing.  I may not be able to write a good
> paper, but I can tell when I'm reading one.  I can also tell when I'm
> reading inspired code.

While I have no problem accepting the "can't write" criticism, I think
in case of yescrypt the poor quality of the paper is largely caused by
me allocating a disproportionate amount of time to design and code, and
very little to writing the paper.  I could do it the other way around,
but I felt it'd be worse to need to make invasive changes to design and
code after making the initial submission than merely to want to describe
the existing design better.  I've been meaning to take care of the
latter after having met the formal requirements for the submission -
thus, in revisions to be made after the submission deadline - but
various work has distracted me from that so far.  (Of course, ideally I
should have allocated time way before the deadline.)

> My wife is a writer.  She married me anyway :-)  I hear her complain
> all the time that her interns or other writers "buried the lead",
> which is when we don't put the most interesting stuff at the top to
> help those of us who are too lazy to read papers carefully.
> Solar Designer, as well as several of the more amazing coders, buried
> the lead.  I want to fill in the "Strengths" section of the wiki for
> Yescrypt, and I thought just taking a quick peek at his paper would
> help me with the bullet points.  Nope!  The Catena paper made whole
> chapter headings out of bullet-point strengths, but Yescrypt buries
> the goodness in the details.

Yeah.  Basically, I focused on meeting the formal requirements for the
submission, which primarily required the specification (in the case of
yescrypt, it's how it differs from scrypt).  What I think I should do,
if/when I do find time, is re-arrange the text such that I start with a
list of bullet points, then proceed with specification, and then proceed
with analysis.  Right now, I have specification intermixed with bits of
analysis, and as you noted there are no bullet points.  (I also need to
add specification of pwxform.)

> Anyway, without a list of bullet points for Yescrypt to copy (like I
> did for Catena) I'm having to do what I suck at: write them myself!

Sorry about that!

> So, what are the most impressive strengths of Yescript, since Solar
> Designer didn't list them at the top of his paper?  I'm thinking:
> - Most full featured and flexible entry in the PHC

Yes, although some other entries have their unique/exotic features that
are not in yescrypt.  I am thinking of Makwa and PolyPassHash.

BTW, I couldn't have included a bullet point like that before seeing a
full set of other entries.

> - Script upwards compatible

"Scrypt".  Yes.

> - Highly tuned, and very fast

Maybe "Highly tunable, and very efficient"?

> - Suitable for a variety of applications and platforms

This overlaps with "full featured and flexible".

I also like to call yescrypt "scalable", in the sense that it provides
adequate security over a wider range of memory cost settings than many
other password hashing schemes do.  In particular, it's stronger than
scrypt at low memory cost settings, and it allows for higher memory cost
settings than bcrypt does.  Similar comparisons may be made against many
PHC entries as well.

> Broad array of tunable defenses (needs it's own list):
> - High external RAM usage, high DRAM bandwidth, high cache bandwidth,
> any one of which can limit an attacker
> - Tested and proven Bcrypt-like GPU defense, even while busting out of
> cache into main memory
> - Compute time hardened with serial multiplication chains
> - Optimised a wide range of CPUs from older AMD to the latest Intel Haswell
> - ROM optimized for improved authentication server performance and defense


Regarding the "wide range of CPUs", I have to note that (un)fortunately
the current compile-time defaults for pwxform are tuned for fairly
recent CPUs, which means Bulldozer or better, and Sandy Bridge or better.
On e.g. a Pentium 3, these same defaults result in yescrypt losing to
bcrypt in terms of GPU defense.  But the code is scalable down, with the
bcrypt-like anti-GPU defense intact, even for a Pentium 3 - with
different compile-time settings, which I need to make runtime tunable
via the flags.  (Pentium 3 itself might not be relevant these days, but
unfortunately SIMD-less builds are.  This is where bcrypt may win.)

> So, I'm afraid my effort at listing "Strengths" bullets is going to
> fall short.  Several outstanding coders in this competition have a
> similar problem.

I fully agree that it's better when the authors themselves write good

I appreciate your help with this!


Powered by blists - more mailing lists