| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <540B47B3.2070206@ciphershed.org> Date: Sat, 06 Sep 2014 13:43:15 -0400 From: Bill Cox <waywardgeek@...hershed.org> To: discussions@...sword-hashing.net Subject: Re: [PHC] A review per day - Lyra2 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 To finish some benchmarks, here's Lyra2 hashing 1GiB with one wandering pass (t_cost == 1): PHC> time ./phs-lyra 1 174762 Allocated 1073737728 bytes 4b ac 00 17 af 96 a3 66 f2 1a 6a 03 92 6a 9a 23 54 11 10 f0 1a bd c6 56 ea 09 e3 29 c0 00 b7 cb 32 (octets) real 0m0.701s user 0m0.629s sys 0m0.072s And here's 4MiB: PHC> time ./phs-lyra 1 682 Allocated 4190208 bytes 2e fe 7c d3 08 9b 48 f0 fc 2a ae 8b f4 d7 16 2a f1 80 f7 6a 98 22 78 fe 0e 24 6e aa d6 3a 93 d9 32 (octets) real 0m0.004s user 0m0.003s sys 0m0.001s For comparison, I just measured hashing 1GiB on one thread with TwoCats: time ./phs-twocats 0 20 95 70 17 bc 36 38 29 9b 31 ef 6c 22 33 63 c5 b1 ad d1 15 c8 e9 a0 fa 8c 49 11 f8 84 84 5f 05 40 32 (octets) real 0m0.240s user 0m0.179s sys 0m0.061s This difference is speed is mostly due to Lyra2 doing more reads and writes than TwoCats, and somewhat due to latency in the Blake2b hash function. Lyra2 has the 3rd best single-threaded performance I've measured after TwoCats and Yescrypt. It's not actually this runtime that makes the most difference, since we have extra cores that could help out and lower these numbers. It is the extra reads and writes to the same memory location significantly lowers Lyra2's memory*time defense. For an ASIC attack that allocates all the memory up-front, TwoCats would have what looks like a 3X-ish memory*time advantage. That means my ASIC attack will probably need only 1/3 the memory of a TwoCats or Yescrypt attack. And... Lyra2 passes the Dieharder tests :-P Don't everyone be shocked at once! I ran the internal memory at the end of hashing and only one wondering pass. Final thoughts... Lyra2 is solid. I do not like the extra reading and writing that Lyra2 does to win in the TMTO category. I think it loses too much in the time*memory defense category as a result. This is the primary reason I put Lyra2 3rd on my list of Scrypt replacement contenders. However, if the judges feel TwoCats and Yescrypt are too complex, Lyra2 is still a solid entry. I would not feel upset about Lyra2 being chosen over TwoCats and Yescrypt. Bill -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJUC0evAAoJEAcQZQdOpZUZRJsP/jcpEUGdsH1wyBdY5t1vnUjY xQ1e9RRJsYOHkEfn8eA4j890TohUJS8SRu5pdw86/unvuGM1Lv/r8xkUr06qhX59 kXR3GFwPr6Qy+m/Id3fQGsjrb4ysSZlW4b/d+GtpfTuPxvLKk5UGpwEviikiijic 399pt/x0YqHi2Vz0sDRtvWZV3AUTcTEOEyFfBJbvPuzaSyIQFtUHFLLEImuZ4vu2 i/tV0GEIX7N/ZiJSq6DB3ak6fbcr4aDsB8Ul3fJQCAEnM2OzCwOYHlAvj/E0Ypwz 58SjeQJXWMtDPlZbNW5mnAWCdmYCqryBoveaJmmWRq8RVadBFdsOzeQTulPyKBTC 4sWbuMaqbJm03IbM8JGmZeLnQ8lS5YXKyto7DKrCN336TdeH633D3chSYhsFX6vD V6mE2ofY5ro3mZHakWNABeB2/KzcnrLigpDFbA8Qbd0dF7kmElLSyNtuV5a/YLzE 2kXEv93ud8aEVd5h4qi1R7X5VnxW1uWY+8VicrZu8cXdMOxlB3Vc+5rd7RyUiBPU K5M7yLaYGcZkCcVRrbG4HGbWIJgNLgQpS/7JIN+nSFxA7189mreyWnKgvKdjr1zB f7HJUanOBFWGG5kTW6dhoy77Wgszkv4x22fZGQ2tgE2WJyIHxGJCJ5uHjNiRwlWb WBu6rTGakTxAJ+IgdttV =r6WR -----END PGP SIGNATURE-----
Powered by blists - more mailing lists