Date: Wed, 27 Aug 2014 19:28:39 -0400
From: Bill Cox <>
Subject: A review per day - Yescript

Actually, I just realized that Yescrypt should have been first, not
Yarn.  Anyway, I have not bothered to review Yescrypt much, mostly
because I already know about it from discussions on this list.
Alexander has not had the benefit of the opportunity to defend
Yescrypt against my complaints :-)

Now, I have complaints against them all.  The perfect hashing scheme
simply is not possible.  I'll try to point out what bothers me about
TwoCats when I get there, but I hope you guys will chime in and
properly thrash it!

The positives for Yescrypt are a long list, as it is the most
feature-rich entry, and every feature was thought out with intense
care by Solar Designer.

Possibly the thing I like most is how the Yescrypt code is up there
with Samuel Neves' in terms of SIMD efficiency.  Blake2b is clearly
the most popular hash function among PHC entries, and being derived
from Daniel J. Bernstein's work is a big part of that, but I actually
credit Samuel Neves for the amazing SIMD efficiency that launched
Blake2b to its dominant popularity here.  Solar Designer is the only
author here capable of holding his own with Samuel, IMO, when it comes
to SIMD efficiency.  Yescrypt's "parallel wide transform" is not
something I could have designed.  Probably Samuel could do it, but I
see no evidence that anyone else in this competition could beat the
"PWX" function Alexander designed.

Most of us decided to try and "win" on some parameter in the
competition.  That enables us to more likely push the state of the
art, at least in one way.  Lyra2 wins in the Scrypt inspired category
in TMTO defense.  It pushed the state of the art.  TwoCats wins in the
Scrypt inspired category for raw hashing speed per CPU (though I have
to define the Scrypt inspired category carefully to exclude EARWORM :-)

I could go on for a while about how most entries tried to "win" on
some particular thing.  Yescrypt is the only entry with the audacity
to try and either win or place in them all.

Pretty much all of us can pick on Yescrypt for how it's not the best
at X, Y, or Z.  It's slower per CPU at hashing than TwoCats, and not
as TMTO resistant as Lyra2.  However, instead of optimizing *one*
aspect of defense over everything else, Yescrypt actually aims to
optimize *defense*.  If we measure the entries for their ability to
defend passwords, IMO, Yescrypt wins.  He has simultaneously optimized
at least 20 different dimensions of defense.

All that said, here's the positive list.  I dump on Yescrypt after
that, so keep reading...

I am stealing from the wiki here, but I did help write this :-)

- High flexibility and large arsenal of defenses
- Scalable to arbitrary SIMD vector width and instruction-level
- Optional TMTO resistance
- Optional bcrypt-like GPU unfriendliness (especially important at low
  memory usage settings)
- Optional multiplication latency hardening (efficient at least on
  common x86 and ARM CPUs)
- Running time optimally tunable separately from memory usage and
- Capable of maxing out CPU, SIMD units, cache bandwidth, external
  memory bandwidth, all simultaneously...

I have to go for now, so I'll put off the dumping on Yescrypt until
tomorrow, but you guys feel free to chime in!
