| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 Apr 2015 22:41:47 +0300 From: Solar Designer <solar@...nwall.com> To: discussions@...sword-hashing.net Subject: Re: [PHC] yescrypt throughput vs. PWXrounds On Fri, Apr 03, 2015 at 09:05:59PM +0300, Solar Designer wrote: > rounds 2 MB 128 MB 2 MB + 2 GB ROM > 6 2772 / 511 30 / 7 2592 / 486 > 4 3653 / 691 32 / 9 3269 / 647 > 2 5340 / 1077 33 / 13 4288 / 974 > 1 6454 / 1451 33 / 15 4760 / 1255 [...] > When much of the RAM portion fits in a cache, there's significant > speedup from lower PWXrounds, even when running 8 threads. However, the > speedup is not enough to keep the compute hardening per time the same. > For example, 2772*6 / (3653*4) = 1.14, but 6/4 = 1.5, and > 2772*6 / (5340*2) = 1.56, but 6/2 = 3. So going for PWXrounds = 2 would > halve the compute hardening per time. For a moment, I forgot what I was calculating here, and used the wrong figures to arrive at "would halve the compute hardening per time". Actually, 2772*6 / (5340*2) = 1.56 is the reduction in compute hardening (and in frequency of S-box lookups), and it's not exactly that bad. For going from 6 to 4 rounds, the reduction in compute hardening is only 2772*6 / (3653*4) = 1.14. It would actually be worse for the larger memory usage and many threads case, with e.g. 30*6 / (33*2) = 2.73 times reduction in compute hardening when going from 6 rounds to 2, yet achieving only 10% defensive speedup. Alexander
Powered by blists - more mailing lists