Date: Fri, 24 Jul 2015 22:37:13 +0000
From: Gregory Maxwell <gmaxwell@...il.com>
To: discussions@...sword-hashing.net
Cc: Dmitry Khovratovich <khovratovich@...il.com>, Alex Biryukov - UNI <alex.biryukov@....lu>
Subject: Re: [PHC] Argon2 improvement thread

On Fri, Jul 24, 2015 at 2:00 PM, Dmitry Khovratovich
<khovratovich@...il.com> wrote:
> The motivations behind this new transformation are to reduce the parallelism
> and that a certain number of sequential S-box lookups slows down the
> brute-force on GPU on some settings.

An additional positive motivation would be making use of a greater
portion of the defender's available resources (multiply units and L1
bandwidth); which is a direct increase in cost for an attacker with
specialized equipment (or, as noted, equipment with sufficiently
different architectures).  Obviously this must be verified and weighed
against the other considerations, though if the prior performance
claims (with reduced round costs) hold it sounds like it would be a
fairly sizable increase in total work performed for the complexity
penalty.

I'm more skeptical about arguments about performance on particular
architectures... future GPUs may continue to look more CPU like... but
the argument about using more of the available resources is generic
and increases attacker costs regardless of what future architectures
do.
