lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 15 Apr 2015 02:19:00 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] yescrypt throughput vs. PWXrounds

On Fri, Apr 03, 2015 at 11:11:18PM +0300, Solar Designer wrote:
> On Fri, Apr 03, 2015 at 09:05:59PM +0300, Solar Designer wrote:
> > rounds  2 MB            128 MB          2 MB + 2 GB ROM
> > 6       2772 / 511      30 / 7          2592 / 486
> > 4       3653 / 691      32 / 9          3269 / 647
> > 2       5340 / 1077     33 / 13         4288 / 974
> > 1       6454 / 1451     33 / 15         4760 / 1255
> [...]
> > [...] claim that yescrypt achieves bcrypt-like frequency(*) of its
> > S-box lookups and thus is at least as GPU-unfriendly as bcrypt even at
> > the lowest m_cost settings.  Would being no more than 2x worse than
> > bcrypt still be OK?  I'm not sure.  I would be uncomfortable about that,
> > even though bcrypt isn't one of the PHC finalists. ;-)
> > 
> > (*) Also considered are parallelism of the S-box lookups and total size
> > of the S-boxes.
> 
> One way to compensate for the reduced number of rounds in terms of
> bcrypt-like anti-GPU is to double the size of the S-boxes.  With the
> S-boxes doubled from 8 KB to 16 KB, and PWXrounds = 2, I get 4212
> hashes/second instead of the 5340 hashes/second in the table above.
> This gives 2772*6 / (4212*2) = 1.97 reduction in compute hardening, but
> 2772*6 / (4212*2*2) = 0.99 almost no change in bcrypt-like anti-GPU,
> both compared to the current defaults of 8 KB and 6 rounds.

This is as it relates to local memory attacks.  For global memory
attacks (where 16 KB is just as negligible), there is a reduction in
anti-GPU in the 16 KB test above.

> So it is possible to retain bcrypt-like anti-GPU at lower PWXrounds, but
> I am not happy about the almost 2x reduction in compute hardening.  And
> the speedup achieved with the reduced PWXrounds is less, because some of
> it is lost to L1 cache misses on the S-box lookups.  16 KB is a bit too
> large since we have other data as well (current block being processed).
> IIRC, the impact on Intel CPUs is less, though.
> 
> At 128 MB, PWXrounds = 2 with 16 KB S-boxes gives 31 / 11, as compared
> to 33 / 13 in the table above (for 8 KB S-boxes).

Alexander

Powered by blists - more mailing lists