Message-ID: <53FE69A7.3040605@ciphershed.org>
Date: Wed, 27 Aug 2014 19:28:39 -0400
From: Bill Cox <waywardgeek@...hershed.org>
To: discussions@...sword-hashing.net
Subject: A review per day - Yescript

Actually, I just realized that Yescrypt should have been first, not Yarn. Anyway, I have not bothered to review Yescrypt much, mostly because I already know about it from discussions on this list. Alexander has not had the benefit of the opportunity to defend Yescrypt against my complaints :-)

Now, I have complaints against them all. The perfect hashing scheme simply is not possible. I'll try to point out what bothers me about TwoCats when I get there, but I hope you guys will chime in and properly thrash it!

The positives for Yescrypt are a long list, as it is the most feature-rich entry, and every feature was thought out with intense care by Solar Designer.

Possibly the thing I like most is how the Yescrypt code is up there with Samuel Neves' in terms of SIMD efficiency. Blake2b is clearly the most popular hash function among PHC entries, and being derived from Daniel J. Bernstein's work is a big part of that, but I actually credit Samuel Neves for the amazing SIMD efficiency that launched Blake2b to its dominant popularity here. Solar Designer is the only author here capable of holding his own with Samuel, IMO, when it comes to SIMD efficiency. Yescrypt's "parallel wide transform" is not something I could have designed. Probably Samuel could do it, but I see no evidence that anyone else in this competition could beat the "PWX" function Alexander designed.

Most of us decided to try and "win" on some parameter in the competition. That enables us to more likely push the state of the art, at least in one way. Lyra2 wins in the Scrypt inspired category in TMTO defense. It pushed the state of the art.
TwoCats wins in the Scrypt inspired category for raw hashing speed per CPU (though I have to define the Scrypt inspired category carefully to exclude EARWORM :-) I could go on for a while about how most entries tried to "win" on some particular thing.

Yescrypt is the only entry with the audacity to try and either win or place in them all. Pretty much all of us can pick on Yescrypt for how it's not the best at X, Y, or Z. It's slower per CPU at hashing than TwoCats, and not as TMTO resistant as Lyra2. However, instead of optimizing *one* aspect of defense over everything else, Yescrypt actually aims to optimize *defense*. If we measure the entries for their ability to defend passwords, IMO, Yescrypt wins. He has simultaneously optimized at least 20 different dimensions of defense.

All that said, here's the positive list. I dump on Yescrypt after that, so keep reading... I am stealing from the wiki here, but I did help write this :-)

- High flexibility and large arsenal of defenses
- Scalable to arbitrary SIMD vector width and instruction-level parallelism
- Optional TMTO resistance
- Optional bcrypt-like GPU unfriendliness (especially important at low memory usage settings)
- Optional multiplication latency hardening (efficient at least on common x86 and ARM CPUs)
- Running time optimally tunable separately from memory usage and parallelism
- Capable of maxing out CPU, SIMD units, cache bandwidth, external memory bandwidth, all simultaneously...

I have to go for now, so I'll put off the dumping on Yescrypt until tomorrow, but you guys feel free to chime in!
Bill