lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 16 Jul 2015 15:16:53 -0700
From: Bill Cox <>
To: "" <>
Subject: Re: [PHC] Bandwidth hardened algorithms?

On Thu, Jul 16, 2015 at 2:40 PM, Bill Cox <> wrote:

> On Thu, Jul 16, 2015 at 11:59 AM, Dmitry Khovratovich <
>> wrote:
>> IAt the same time, a single CPU with 32 GiB of vanilla DRAM should do
> 2^22 hahes per second.

I wish I could do arithmetic.  I should have said the CPU box could do 2.6
million hashes per second, roughly 13X slower than 8192 parallel ASICs.
Further, the ASIC system may be worth 13 times more than the CPU system
(especially if power can be kept in check).  If the ASIC system costs
around $3/ASIC, it would be around $24,000, compared to a comparable system
made with 13 $400-ish bare CPU based miners, which might cost around $5,200.

This seems like about a 3X-ish safety margin against a basic parallel
attack.  I think this is good enough for now, because ASIC miner investors
will want to see a at least a 3X advantage their way before they invest.
However, this margin can be traded-off with other parameters if needed.
For example, a 32 MiB Yescrypt hash for each ROM block would slow down
and/or make the ASIC more expensive, with no significant impact on the CPU
miners.  This would also slow down cell-phone verification by 4X.  Maybe
that's OK, but I would prefer to keep the 4 MiB Yescrypt ROM blocks as my
current guess for good parameters.

I think the stronger ASIC attack is the one where each ASIC has it's own 32
GiB of memory.  If the CPU dominates the cost, a custom ASIC might make
this a viable option.  It seems to depend on the relative cost of memory vs
the CPU.  Right now, 32 GiB on NewEGG is $189 for desktop 1600MHz DDR3.
Pairing this with an Intel i5 3470 CPU at $205 seems like a reasonable
fit.  Put it on an $80 motherboard, with a $30 power supply and it's around
$500 in quantity 1.  If this is a reasonable CPU miner, then I don't see
enough advantage in building custom ASICs.  It would only cost-reduce this
system to at most 3/5-ths of the CPU miners.  Maybe the power savings would
be enough to justify it, though.  The ASIC threat is still real.

However, unless we start taking advantage of all the silicon on our CPUs,
not just the memory cache and a  few arithmetic units, we wont be able to
get near real parity with a high-volume advanced ASIC attack.  We can
always throw out the unused parts of an Intel CPU and come up with a
cheaper ASIC, in theory...


Content of type "text/html" skipped

Powered by blists - more mailing lists