lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 4 Sep 2014 13:21:35 +0200
From: Thomas Pornin <pornin@...et.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] A review per day - skipping Makwa

On Thu, Sep 04, 2014 at 06:51:11AM -0400, Bill Cox wrote:
> However, Makwa does not replace either bcrypt or Scrypt.

Actually I'd love to see some ASIC comparisons between bcrypt and Makwa.
Bcrypt needs a 4 kB array, which means (roughly) 200000 transistors
(with SRAM). I am not sure how fast could a Makwa ASIC go, if it has
200000 transistors to work with (mostly to store some fast-multiplier
circuits); in other words, while I am quite convinced that an
ASIC-wielding attacker will get more Makwa per second for a given budget
than a CPU-based attacker, I am not sure that the boost will be greater
than what the same attacker could do against bcrypt.

In that sense, it is possible that Makwa actually fares no worse than
bcrypt against ASIC-powered attackers. This requires some investigations
(by people who grasp the particulars of ASIC design better than me).


Similarly, while I initially assumed that a GPU should also be quite
good at doing the kind of computations that Makwa relies on, benchmarks
I found (about RSA) seem to indicate that the picture is not that clear:
GPU being on par with CPU, but not substantially better.

The point of Makwa is to support delegation, but it is not inconceivable
that even without delegation, it still stands its ground decently,
sufficiently to be envisioned as a replacement for bcrypt even on
stand-alone systems. That's why I would really like to see people trying
to benchmark it under these terms as well.(*)


	--Thomas Pornin

(*) I expect Makwa to perform poorly on pure 32-bit systems, because
that's what you get with RSA. Big-integer multiplications really love
64x64->128 bits multiplications.

Powered by blists - more mailing lists