lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 24 Aug 2014 08:09:14 -0400
From: Bill Cox <waywardgeek@...hershed.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Tradeoff cryptanalysis of password hashing schemes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/24/2014 04:25 AM, Dmitry Khovratovich wrote:
> Also, given our limited insight into the hardware and
> cryptanalysis development over the next years, having no security
> margin does not make sense to me at all.

Two things:

First, Solar Designer is right.  Picking optimal hashing parameters
involves no "safety margin".  If you hash less memory because you are
overly concerned about TMTO attacks, then your algorithm does a worse
job than it should at protecting passwords.  If you hash more memory
because you are not concerned enough about TMTO attacks, again you do
a worse job protecting passwords.  Our job is to make such trade-offs
to help any given password to be as secure as possible.

Second, I think you need to develop better insight into hardware that
attackers can build today before worrying too much about the future.
For an ASIC attack, your proposed read/write times are way to fast,
and the die size for your proposed multi GiB on-chip cache would be
several square inches.  We simply can't build such chips.  Your theory
that SRAM will save you power is wrong.  No one-transistor DRAM cell
is going to leak more power than a six-transistor SRAM cell.  The
reason we use SRAM instead of DRAM on our ASICs is that ASIC processes
optimized for logic speed rather than gate leakage, and because SRAM
cells are far faster to read than DRAM cells.  Even so, DRAM has been
making inroads into ASICs, partly because it reduces power.  Your
estimate that static power loss dominates heavily over dynamic power
in the RAM when constantly accessed at maximum speed is simply wrong.
 You need to find an ASIC designer to help you with these estimates.

Bill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJT+dXnAAoJEAcQZQdOpZUZcSEP/iVhEfAAn7FJSNEB+sinZ9Gq
0kJtoPSvuqlzYCjsOdU+erXjqN9VekK8SDldjAnyyU6dK61nb3ISBJLWMwss3naV
kmt9mOvAaPoE6qfdp4XOlpYrawpUX2pn9+SuBGBEOtloVXzGo65WLJCiRg7FolVK
+uEQf/K5AkwVXVZsSJh9YaNLZpggKC1Rxipe2Z5xm5orPUa370V+sYq0w4nm7xhO
uAqFs83diJ3zLYiRBTmFxSXsZ3NVT0OUuiZVHnMBcr360TuP11dR02RWHq9Ujxgv
wTw99RWV3i7JkSQ9qhroAUUiE7bHuUeNx4bohwYHDZC8NVwN1W5vfI18JW8JqQ8q
D1n32H9P2cQQCaKLzdn/SMPKDg/iqSxfbHg5+Gl/dKL1iAcFC7duA0yQqL76Yx2P
CnL0EoRFGvtmEda/9vpOzSQKYBh21wVGONb9qVIujWZ235AamPEWVmpTTuke7cFC
sODsJM9Ym/6TgZEA/3vu4PoEUt+ODaEtlVCbJhFWPlSfTWKEPWTpuZuU72wAtAO6
sYx9DElSVPsk2vKiDv3UiqPH7bgiVbWlPQefiHisNH7VwQe0oDsi+imrXVUl5WNp
urXWpsi3WZMiiMDlvF8uyMriXUDgn1PPLEeOH5dELPMvXz9benrXZZhhM4RCMCAK
MuUzQgENMOtoGnquJ8xa
=eZ3g
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists