Message-ID: <20150414123210.GA5330@bolet.org>
Date: Tue, 14 Apr 2015 14:32:10 +0200
From: Thomas Pornin <pornin@...et.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] winner selection

On Mon, Apr 13, 2015 at 09:13:48PM +0000, Marsh Ray wrote:
> I don't mind if we endorse other functions for special cases, as long
> as we are abundantly clear that they are endorsed only when used for
> their special semantics and are not to be considered alternative
> recommendations for the general case.

If we are talking about Makwa here, then I would like to make the
(possibly bold) claim that Makwa, without considering delegation, is an
acceptable replacement of bcrypt. More precisely, it has been reported
that using a GPU is not worth it when trying to brute-force a bcrypt
hash; general-purpose CPUs with a few kilobytes of RAM are a better
bargain for that job. My claim is that the same holds for Makwa.

I would really like to see this claim either confirmed or disproved by
people with expertise on GPU programming and access to recent GPUs.


If the claim is confirmed, then Makwa is not completely a "special-case
function"; being a possible drop-in replacement for bcrypt (and, of
course, PBKDF2) qualifies as "general case" for me.


(I may even argue that a memory-hard function that gobbles up a gigabyte
of RAM does NOT qualify as a drop-in replacement for bcrypt, because
it cannot be assumed that a given application that uses bcrypt will have
a spare gigabyte of RAM. In a similar way, bcrypt or PBKDF2 are not
drop-in replacements for a single MD5 since they -- by design -- use a
lot more CPU. This point really means that the notion of "general case"
is a matter of subtlety.)


	--Thomas Pornin
