Open Source and information security mailing list archives
Date: Sat, 4 Jul 2015 08:32:14 -0700
From: Bill Cox <>
To: "" <>
Subject: Re: Memory-hard proof of work with fast verification (CPU Hash)

On Sat, Jul 4, 2015 at 3:56 AM, Bill Cox <> wrote:

> The code is coming along, though the idea is only a few hours old.
> Maybe I'm too sleepy to think straight, but it seems to me that this is a
> nice upgrade to the various crypto-coin PoW that are trying to make use of
> memory-hard password hashing algorithms.  I'm too sleepy to see the flaws
> at the moment.  Do you guys see any in this outline?

I figured out one flaw: Yescrypt can already do this.  Fortunately for CPU
Hash, it seems like Yescrypt is unlikely to be selected as a winner :-/

Yescrypt can operate in this very-low RAM + very-high ROM mode already.
Not only that, but running on an authentication server, it would be wicked
fast.  As I've said before, password hashing alone is not enough.  No 1ms
algorithm can protect the median strength passwords we see out there.  Some
other secret key material is required.  A secret 1 TiB ROM in RAM on a
password authentication server sounds good to me.  Without Yescrypt as a
winner, I think we need a lot of other algorithms to cover its use cases:

- A CPU-Hash-like algorithm for proof of work
- A PufferFish-like algorithm for low memory GPU-resistant server hashing
- A (fixed) EARWORM-like algorithm for ultra-fast and secure-ish password
authentication servers

