lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Aug 2014 15:04:52 -0300
From: Marcos Simplicio <>
Subject: Re: [PHC] Memory performance and ASIC attacks

On 28-Aug-14 14:23, Solar Designer wrote:
> On Thu, Aug 28, 2014 at 12:07:24PM -0400, Bill Cox wrote:
>> TwoCats and Yescrypt are the most ASIC attack resistant algorithms in
>> the competition for hash sizes of 32MiB and up.
> If so, why not for lower sizes as well?  Do you mention this as the
> lower boundary just in case, since Pufferfish (and bcrypt, but it's not
> in PHC) might win at some really low sizes (perhaps way below 1 MiB)?
>> Lyra2 is a close
>> second, off by about 2X in my tests, only because Lyra2 does not have
>> a multi-threading option.
> Only 2x worse while completely lacking computation latency hardening?
> Are you sure it's safe to rely solely on memory latency and bandwidth?
> Previously, you were not so sure.

Well, there is no "multiplication hardening" or anything of the sort if
we assume that the underlying sponge is Blake2, but that is not strictly
the case: Lyra2 does not impose any restriction on what is the
underlying hash, as it was designed as a sponge-based wrapper around a
hash function. We did use Blake2 in our implementation, but any
iterative hash function would do the trick.

Notice that this characteristic can be considered good ("it is
flexible") or bad ("it transfers the burden of the choice to the user"),
depending on how you see it, so I cannot say that this is any kind of
advantage of Lyra2 over any other candidate.



Powered by blists - more mailing lists