Open Source and information security mailing list archives
Date: Wed, 03 Sep 2014 14:32:31 -0400
From: Bill Cox <>
Subject: Re: [PHC] Re: Tradeoff cryptanalysis of password hashing schemes

On 09/03/2014 11:52 AM, Marcos Simplicio wrote:
> Just to be precise: in Lyra2 the blocks are just as huge or small
> as you want them to be, since C (the number of columns per row) is
> a user-defined parameter... In other words, it can be made as 
> cache-bounded as the user wants (be it a bad or a good thing)

Which is awesome.  This is also true in Yescrypt and TwoCats.  I
forget if there are others that have a cache-delay mitigation, but I
consider it critical for any potential Scrypt replacement.

>> Once Lyra2 is multi-threaded, it should easily max out the
>> external memory bandwidth.  My high-end ASIC attack would not
>> benefit from a 1/2 TMTO against a multi-threaded Lyra2, because
>> it will be memory bandwidth limited against Lyra2, doing about
>> 32X faster than my Ivy Bridge PC (12GiB/s bandwidth for my PC vs
>> 16X24GiB/s for my ASIC).
>> I would prefer some better compute-time hardening in Lyra2
>> though, for protection of very small memory hashes that do fit on
>> an ASIC.
> Since the latest discussions on the matter, I have been thinking
> more seriously about testing a "multiplication hardened"
> underlying permutation in Lyra2's sponge. There are some
> cryptographic schemes that do use multiplications in their designs,
> so we will probably start there...

Please feel free to add multiplication chains.  I would feel better
about cache bound hashing ASIC hardness if they were there.  However,
with the speeds Lyra2 and Yescrypt run the SIMD units, you already
have decent ASIC compute time hardness based on cache bandwidth and
latency.  I would be very surprised to get a 10X speedup.  All three
of my favorite Scrypt-like algorithms hammer the cache interfaces
pretty hard.  PufferFish does, too.

On the other hand, some of the Catena-like entries can be sped up over
1000X in an ASIC attack.  Any attempt at ASIC hardening would be very
nice there, multiplication chain or otherwise.  However, I'd recommend
a Lyra2-like reduced Blake2b hash first.  I have to credit the RIG
guys for getting that part right.  That alone should put them
performance-wise at the head of the Catena-like pack.

When I get to Lyra2, I'll describe what I think an ASIC attack might
look like for both cache-bound and large memory hashes.  It will be
interesting to see if you need multiplication chains, given the SIMD
optimized hashing you already have.
