| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Aug 2014 01:29:11 +0400 From: Solar Designer <solar@...nwall.com> To: discussions@...sword-hashing.net Subject: Re: [PHC] What Microsoft Would like from the PHC - Passwords14 presentation On Fri, Aug 15, 2014 at 06:17:27PM +0000, Marsh Ray wrote: > Passwords14 presentation: What Microsoft Would like from the PHC > > Slides attached. > > Video: https://www.youtube.com/watch?v=Kr6ruthF_4k Very nice presentation, thank you! Here's a biased opinion: On slide 14, "Use Case 1 - Online Services", you state "Multiple authentication servers, each handles 100s of requests/second". This means fairly low memory, possibly below 16 MB RAM per hash computed. (Depends on how many 100s of requests/second per server you need to support. Perhaps several times more than the peak seen so far; this is how we arrived at 1000s per second for yescrypt.) Then on slide 35, "Comparison", you list many PHC candidates as supporting all of your use cases. To me, some of them are unsuitable for "low memory" usage - they will work, but they are unlikely to provide GPU attack resistance comparable to bcrypt's at same defensive request rate capacity. Is being at least on par with bcrypt at your use cases not a requirement? Here's what I think is an error: Is Pufferfish v0 really side-channel resistant? I think it's similar to bcrypt in this respect, and we don't consider bcrypt to be cache-timing attack resistant, or do we? (I don't imply that all other PHC candidates with a "Yes" in that column are necessarily side-channel resistant. I merely noticed this one apparent error. There might be more.) Thanks again, Alexander
Powered by blists - more mailing lists