lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 06 Sep 2014 13:43:15 -0400
From: Bill Cox <>
Subject: Re: [PHC] A review per day - Lyra2

Hash: SHA1

To finish some benchmarks, here's Lyra2 hashing 1GiB with one
wandering pass (t_cost == 1):

PHC> time ./phs-lyra 1 174762
Allocated 1073737728 bytes

4b ac 00 17 af 96 a3 66
f2 1a 6a 03 92 6a 9a 23
54 11 10 f0 1a bd c6 56
ea 09 e3 29 c0 00 b7 cb      32 (octets)

real	0m0.701s
user	0m0.629s
sys	0m0.072s

And here's 4MiB:

PHC> time ./phs-lyra 1 682
Allocated 4190208 bytes

2e fe 7c d3 08 9b 48 f0
fc 2a ae 8b f4 d7 16 2a
f1 80 f7 6a 98 22 78 fe
0e 24 6e aa d6 3a 93 d9      32 (octets)

real	0m0.004s
user	0m0.003s
sys	0m0.001s

For comparison, I just measured hashing 1GiB on one thread with TwoCats:

time ./phs-twocats 0 20

95 70 17 bc 36 38 29 9b
31 ef 6c 22 33 63 c5 b1
ad d1 15 c8 e9 a0 fa 8c
49 11 f8 84 84 5f 05 40      32 (octets)

real	0m0.240s
user	0m0.179s
sys	0m0.061s

This difference is speed is mostly due to Lyra2 doing more reads and
writes than TwoCats, and somewhat due to latency in the Blake2b hash
function.  Lyra2 has the 3rd best single-threaded performance I've
measured after TwoCats and Yescrypt.

It's not actually this runtime that makes the most difference, since
we have extra cores that could help out and lower these numbers.  It
is the extra reads and writes to the same memory location
significantly lowers Lyra2's memory*time defense.  For an ASIC attack
that allocates all the memory up-front, TwoCats would have what looks
like a 3X-ish memory*time advantage.  That means my ASIC attack will
probably need only 1/3 the memory of a TwoCats or Yescrypt attack.

And... Lyra2 passes the Dieharder tests :-P  Don't everyone be shocked
at once!  I ran the internal memory at the end of hashing and only one
wondering pass.

Final thoughts... Lyra2 is solid.  I do not like the extra reading and
writing that Lyra2 does to win in the TMTO category.  I think it loses
too much in the time*memory defense category as a result.  This is the
primary reason I put Lyra2 3rd on my list of Scrypt replacement
contenders.  However, if the judges feel TwoCats and Yescrypt are too
complex, Lyra2 is still a solid entry.  I would not feel upset about
Lyra2 being chosen over TwoCats and Yescrypt.

Version: GnuPG v1


Powered by blists - more mailing lists