lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 26 Jun 2014 06:53:12 +0400
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Re: TwoCats multiplication chain

On Tue, Jun 24, 2014 at 11:03:48PM -0700, Alex Elsayed wrote:
> Solar Designer wrote:
> 
> > So while it could be a good idea in terms of bits mixing, I think it is
> > not good enough to implement with individual instructions (until a CPU
> > gets a single instruction like this, with same latency as MUL alone).
> 
> I wonder if it'd be feasible to piggyback on the push for GCM and use CLMUL 
> and its (prospective?) siblings on other architectures.

I thought of that, but for a different purpose: to buy some unfriendliness
to CPU/GPU architectures that don't yet have CLMUL (especially GPUs).
I think AES-NI and PSHUFB/VPPERM might be better for that purpose,
although we could add CLMUL to the mix too. %-)

As to ASICs, I agree with Thomas about CLMUL.

For yescrypt, I felt that it's preferable to be friendly to those CPUs
that don't have CLMUL yet, and to have greater ASIC resistance.  Hence
no CLMUL there.

Alexander

Powered by blists - more mailing lists