| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 6 Apr 2015 16:50:17 +0000 From: Gregory Maxwell <gmaxwell@...il.com> To: discussions@...sword-hashing.net Subject: Re: [PHC] Compute time hardness (pwxform,blake,blamka) On Mon, Apr 6, 2015 at 4:09 PM, Marcos Simplicio <mjunior@...c.usp.br> wrote: > - Look-up tables (LUTs) are GPU-unfriendly operations, at least in > theory, but are in principle very fast in hardware. Sufficiently large LUTs are a kind of memory hardness, if accessed in a way that requires a lot of bandwidth and limited latency they can be a fair bit costly in hardware. Really what an approach that uses a LUT is doing is making more use of the total available hardware. Current CPUs have super fast caches and enough muxing width to get relatively cheap fully random access to them, and pipelines that can hide the latency of using them. You can make some LUT lookups without basically slowing down anything else. In doing so you use more of the hardware that the defender already has, and force the attacker to spend more on including it. So as a general principle, If a defender has a resource that you can use, you should use it to whatever extent you can without losing access to their other resources. Doing so tends to maximizes the costs for attackers. I'm not sure if anyone has any concrete estimates what huge s-box costs in hardware look like. They're straight forward at least, but they do soak up some area, esp if you need very high bandwidth access to them.
Powered by blists - more mailing lists