Open Source and information security mailing list archives
Date: Mon, 6 Apr 2015 16:50:17 +0000
From: Gregory Maxwell <>
Subject: Re: [PHC] Compute time hardness (pwxform,blake,blamka)

On Mon, Apr 6, 2015 at 4:09 PM, Marcos Simplicio <> wrote:
> - Look-up tables (LUTs) are GPU-unfriendly operations, at least in
> theory, but are in principle very fast in hardware.

Sufficiently large LUTs are a kind of memory hardness; if accessed in
a way that requires a lot of bandwidth and limited latency, they can be
a fair bit costly in hardware.

Really what an approach that uses a LUT is doing is making more use of
the total available hardware.

Current CPUs have super fast caches and enough muxing width to get
relatively cheap fully random access to them,
and pipelines that can hide the latency of using them.

You can make some LUT lookups without basically slowing down anything
else. In doing so you use more of the hardware that the defender
already has, and force the attacker to spend more on including it.

So as a general principle, if a defender has a resource that you can
use, you should use it to whatever extent you can without losing
access to their other resources. Doing so tends to maximize the costs
for attackers.

I'm not sure if anyone has any concrete estimates what huge s-box
costs in hardware look like. They're straightforward at least, but
they do soak up some area, esp. if you need very high bandwidth access
to them.
