lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 1 Apr 2015 21:57:11 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Compute time hardness

On Wed, Apr 01, 2015 at 07:12:24PM +0100, Samuel Neves wrote:
> You can certainly do the n^2 ANDs and add things up, but that seems like a waste of gates. What is the cost metric being
> considered here? Time (circuit depth)? Area? Time * Area?

Time (circuit depth).  We're using MULs for latency hardening, so our
worst case attacker would optimize for lower latency.

> As a theoretical curiosity, Brent and Kung [1] came up with an optimal area-time n-bit multiplier of depth O(n^(1/2) log
> n) and area O(n log n). Melhorn-Preparata's [2] circuit would be O(log n), O(n^2 / log n).

Thanks.

> The above would be (asymptotically) depth O(log n) and area O(n^2).

Right.

> [1] http://maths-people.anu.edu.au/~brent/pub/pub055.html
> [2] http://www.sciencedirect.com/science/article/pii/S0019995883800618

Alexander

Powered by blists - more mailing lists