lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Jul 2015 01:38:53 +0200
From: Dmitry Khovratovich <>
To: "" <>
Subject: Re: [PHC] Bandwidth hardened algorithms?

I see your point. But don't you overestimate the ASIC cost? As there is little logic beyond the memory itself, the parallel chip can be as cheap as the 32 GB unit, i.e. 180$


> On 17 Jul 2015, at 00:16, Bill Cox <> wrote:
>> On Thu, Jul 16, 2015 at 2:40 PM, Bill Cox <> wrote:
>>> On Thu, Jul 16, 2015 at 11:59 AM, Dmitry Khovratovich <> wrote:
>> IAt the same time, a single CPU with 32 GiB of vanilla DRAM should do 2^22 hahes per second.
> I wish I could do arithmetic.  I should have said the CPU box could do 2.6 million hashes per second, roughly 13X slower than 8192 parallel ASICs.  Further, the ASIC system may be worth 13 times more than the CPU system (especially if power can be kept in check).  If the ASIC system costs around $3/ASIC, it would be around $24,000, compared to a comparable system made with 13 $400-ish bare CPU based miners, which might cost around $5,200.
> This seems like about a 3X-ish safety margin against a basic parallel attack.  I think this is good enough for now, because ASIC miner investors will want to see a at least a 3X advantage their way before they invest.  However, this margin can be traded-off with other parameters if needed.  For example, a 32 MiB Yescrypt hash for each ROM block would slow down and/or make the ASIC more expensive, with no significant impact on the CPU miners.  This would also slow down cell-phone verification by 4X.  Maybe that's OK, but I would prefer to keep the 4 MiB Yescrypt ROM blocks as my current guess for good parameters.
> I think the stronger ASIC attack is the one where each ASIC has it's own 32 GiB of memory.  If the CPU dominates the cost, a custom ASIC might make this a viable option.  It seems to depend on the relative cost of memory vs the CPU.  Right now, 32 GiB on NewEGG is $189 for desktop 1600MHz DDR3.  Pairing this with an Intel i5 3470 CPU at $205 seems like a reasonable fit.  Put it on an $80 motherboard, with a $30 power supply and it's around $500 in quantity 1.  If this is a reasonable CPU miner, then I don't see enough advantage in building custom ASICs.  It would only cost-reduce this system to at most 3/5-ths of the CPU miners.  Maybe the power savings would be enough to justify it, though.  The ASIC threat is still real.
> However, unless we start taking advantage of all the silicon on our CPUs, not just the memory cache and a  few arithmetic units, we wont be able to get near real parity with a high-volume advanced ASIC attack.  We can always throw out the unused parts of an Intel CPU and come up with a cheaper ASIC, in theory...
> Bill

Content of type "text/html" skipped

Powered by blists - more mailing lists