lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 6 Jul 2015 10:46:06 -0700
From: Bill Cox <>
To: "" <>
Subject: Re: [PHC] Memory-hard proof of work with fast verification (CPU Hash)

On Sat, Jul 4, 2015 at 1:00 PM, Bill Cox <> wrote:

> On Sat, Jul 4, 2015 at 11:45 AM, Solar Designer <>
> wrote:
>> > With Yescrypt's further GPU defense, I think it would be fine.
>> Sure, but this makes your 512 MB ROM sort of irrelevant for GPU attacks.
>> They can have that 512 MB in their GPU card's RAM, and will run almost as
>> fast (for a trivial enhancement of scrypt) or just as slow (for yescrypt
>> with pwxform).
>> Alexander
> I guess I am more concerned about ASICs.  People still enjoyed LiteCoin
> mining with GPUs, but ASICs ruined the BitCoin party for a lot of people.
> I _think_ the ROM defends well against an ASIC attack.  So would
> mutiplication chains and the random small memory I/O operations.  However,
> an ASIC attack will probably run at it's I/O bandwidth to memory.

I suspect Alexander already knows how to build hardware to defeat the
memory-hardness of my proposed ROM defense:

Build a distributed ROM, where each of p ROM nodes has n/p ROM entries of
an n-entry ROM.  Build any sort of routing network you like from these p
ROM nodes to p hashing nodes.  The ROM data may have high latency through
that network, but you get on something around p/2 ROM reads per network
latency.  With high enough p, you defeat the memory-hardness property of
the defense.

So, I think we can't count on ROM to provide memory-hard defense.  As
Alexander said, it's shared, and that's the problem.

Worse, while I did not go into detail about it, I think neither Momentu nor
Cuckoo are memory-hard.  I'll post that to the meltzdown crypto-list.


Content of type "text/html" skipped

Powered by blists - more mailing lists