| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <53FF6F44.9030403@larc.usp.br>
Date: Thu, 28 Aug 2014 15:04:52 -0300
From: Marcos Simplicio <mjunior@...c.usp.br>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Memory performance and ASIC attacks
On 28-Aug-14 14:23, Solar Designer wrote:
> On Thu, Aug 28, 2014 at 12:07:24PM -0400, Bill Cox wrote:
>> TwoCats and Yescrypt are the most ASIC attack resistant algorithms in
>> the competition for hash sizes of 32MiB and up.
>
> If so, why not for lower sizes as well? Do you mention this as the
> lower boundary just in case, since Pufferfish (and bcrypt, but it's not
> in PHC) might win at some really low sizes (perhaps way below 1 MiB)?
>
>> Lyra2 is a close
>> second, off by about 2X in my tests, only because Lyra2 does not have
>> a multi-threading option.
>
> Only 2x worse while completely lacking computation latency hardening?
> Are you sure it's safe to rely solely on memory latency and bandwidth?
> Previously, you were not so sure.
>
Well, there is no "multiplication hardening" or anything of the sort if
we assume that the underlying sponge is Blake2, but that is not strictly
the case: Lyra2 does not impose any restriction on what is the
underlying hash, as it was designed as a sponge-based wrapper around a
hash function. We did use Blake2 in our implementation, but any
iterative hash function would do the trick.
Notice that this characteristic can be considered good ("it is
flexible") or bad ("it transfers the burden of the choice to the user"),
depending on how you see it, so I cannot say that this is any kind of
advantage of Lyra2 over any other candidate.
BR,
Marcos.
Powered by blists - more mailing lists