Date: Fri, 22 Aug 2014 23:37:43 +0400
From: Dmitry Khovratovich <khovratovich@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Tradeoff cryptanalysis of password hashing schemes

Hi Bill,

>" They assumed that the power per password guess burned in memory is
proportional to the total amount of memory used, rather than the number of
memory reads and writes. "

The Luxembourg team did not assume that. We have summed the energy needed
to sustain the memory state with the energy needed to read and write and the
energy needed to compute AES/Blake2b. For static RAM this makes a huge
difference indeed. However, the dynamic RAM leaks much more energy in the
idle state, which makes the read-write energy term less dominant.

Dmitry


On Fri, Aug 22, 2014 at 8:21 PM, Bill Cox <waywardgeek@...il.com> wrote:

> On Fri, Aug 22, 2014 at 11:35 AM, Solar Designer <solar@...nwall.com>
> wrote:
>
>> On Fri, Aug 22, 2014 at 06:31:24PM +0400, Solar Designer wrote:
>> > Suppose you'd optimally attack Catena-3 at 1/32 memory, and Lyra2 and
>> > Argon at full memory.  However, if Catena-3 at same defensive memory
>> > cost setting is e.g. twice faster than Lyra2 and Argon (an arbitrary
>> > number for the sake of illustrating my point), then this may enable a
>> > defender to use roughly twice more memory with Catena-3 to achieve the
>> > same (maximum affordable) time cost per hash computed.  Once Catena-3 is
>> > tuned like that, its non-tradeoff area-time cost probably grows by a
>> > factor of 4, meaning that it loses to Lyra2 and Argon only by a factor
>> > of 8, not 32 as this could have originally appeared.
>>
>> I was wrong in "only by a factor of 8, not 32".  For a moment I confused
>> 1/32 being the optimal tradeoff point as the attack being 32 times
>> cheaper, but it's not as bad as that.
>>
>> Alexander
>>
>
> The paper made several good points, but I have trouble with this part of
> their analysis.  They assumed that the power per password guess burned in
> memory is proportional to the total amount of memory used, rather than the
> number of memory reads and writes.  This is simply not the case.  With the
> computation penalty increasing memory accesses, I suspect memory power
> would go up, not down, in any TMTO attack against Catena.
>
> I do not believe Catena-3 has a TMTO problem against ASIC attacks.
> However, with an ASIC computing 100 Blake2 hashes in parallel pipes at
> 3GHz, not in any way limited by memory latency when reading from 24MiB of
> cache... there is a problem.  The Microsoft presenter stated that 3 orders
> of magnitude difference in speed for one password guess between a CPU and
> an ASIC would be unrealistic.  He was simply wrong.
>
> Bill
>



-- 
Best regards,
Dmitry Khovratovich
