lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 27 Aug 2014 19:28:39 -0400
From: Bill Cox <waywardgeek@...hershed.org>
To: discussions@...sword-hashing.net
Subject: A review per day - Yescript

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Actually, I just realized that Yescript should have been first, not
Yarn.  Anyway, I have not bothered to review Yescrypt much, mostly
because I already know about it from discussions on this list.
Alexander has not had the benefit of the opportunity to defend
Yescript against my complaints :-)

Now, I have complaints against them all.  The perfect hashing scheme
simply is not possible.  I'll try to point out what bothers me about
TwoCats when I get there, but I hope you guys will chime in and
properly thrash it!

The positives for Yescript is a long list, as it is the most
feature-rich entry, and every feature was thought out with intense
care by Solar Designer.

Possibly the thing I like most is how the Yescrypt code is up there
with Samuel Neves' in terms of SIMD efficiency.  Blake2b is clearly
the most popular hash function among PHC entries, and being derived
from Daniel J. Bernstein's work is a big part of that, but I actually
credit Samuel Neves for the amazing SIMD efficiency that launched
Blake2b to it's dominant popularity here.  Solar Designer is the only
author here capable of holding his own with Samuel, IMO, when it comes
to SIMD efficiency.  Yescript's "parallel wide transform" is not
something I could have designed.  Probably Samuel could do it, but I
see no evidence that anyone else in this competition could beat the
the "PWX" function Alexander designed.

Most of us decided to try and "win" on some parameter in the
competition.  That enables us to more likely push the state of the
art, at least in one way.  Lyra2 wins in the Scrypt inspired category
in TMTO defense.  It pushed the state of the art.  TwoCats wins in the
Script inspired category for raw hashing speed per CPU (though I have
to define the Script inspired category carefully to exclude EARWORM :-)

I could go on for a while about how most entries tried to "win" on
some particular thing.  Yescrypt is the only entry with the audacity
to try and either win or place in them all.

Pretty much all of us can pick on Yescrypt for how it's not the best
at X, Y, or Z.  It's slower per CPU at hashing than TwoCats, and not
as TMTO resistant as Lyra2.  However, instead of optimizing *one*
aspect of defense over everything else, Yescrypt actually aims to
optimize *defense*.  If we measure the entries for their ability to
defend passwords, IMO, Yescrypt wins.  He has simultaneously optimized
at least 20 different dimensions of defense.

All that said, here's the positive list.  I dump on Yescrypt after
that, so keep reading...

I am stealing from the wiki here, but I did help write this :-)

- - High flexibility and large arsenal of defenses
- - Scalable to arbitrary SIMD vector width and instruction-level
parallelism
- - Optional TMTO resistance
- - Optional bcrypt-like GPU unfriendliness (especially important at low
memory usage settings)
- - Optional multiplication latency hardening (efficient at least on
common x86 and ARM CPUs)
- - Running time optimally tunable separately from memory usage and
parallelism
- - Capable of maxing out CPU, SIMD units, cache bandwidth, external
memory bandwidth, all simultaneously...

I have to go for now, so I'll put off the dumping on Yescrypt until
tomorrow, but you guys feel free to chime in!

Bill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJT/mmjAAoJEAcQZQdOpZUZxRkP/RXt7wDAtwl6zA8SYn46JxqN
yCTMNqlgBelvAiai4OLL8aTravmKl8pL458Og33pd4khebWaJ8qcg0FcVMHW0fbA
FiwRdRn4vxhEAaMhl4+x1bT1X0MmUVWPxAQmsAWt0oKW8RNmRCdIoGtLY8FiphcP
J0aDbhLM/okJK4a2998hF1tIQ5MPdjiQpBXV99Z8XXj6IbLww97riBt1KtivGOdu
G7htl+5HW4+b9CqX0J/R91C5J5BXlKtcHouhasGmFO844GN0Z0ydNw3CsoFSx9Jh
MfaEFoW89S3dX6GnwuiJaCi/RnSNT01sP2tD2oVtdimewmkUF4Mo7URAT1NKExbi
VgExJMl7KRwfflqzQnr8uqc4/lI4+64Xwl+v8ta6bImmxVJEpsLlsHOXxHynXRed
J9/XShhVFcEzGoZqO4aIg0m+x9+06T1HW0IIsMPKFm/1ugM8uDksnB7z52d0rFPB
OwLV9CSlD0LleTgkz9AQRg4AU+ZjVbEKv+d7M6T+R7fLOblZllPjZTmXfP2dA9++
Ki2pguUy/kinwu47d6KjPcfRL5SSggcWETrrlS9iwU358fCSDwdNMKICrrXq5riJ
HVWk7LEDyZlo7PV4B4YvfkjLLaCPFtIf57eM2+tnYoq5kWmI2oPsimhB8WdwHsIu
1LvUJ87ao2ER2BuOzzsS
=LYU6
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists