| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAS2fgRdYX0D4ysX1u+HFZxC19TFVqQX4Y9ajdykXuDZOB0xdg@mail.gmail.com> Date: Fri, 24 Jul 2015 22:37:13 +0000 From: Gregory Maxwell <gmaxwell@...il.com> To: discussions@...sword-hashing.net Cc: Dmitry Khovratovich <khovratovich@...il.com>, Alex Biryukov - UNI <alex.biryukov@....lu> Subject: Re: [PHC] Argon2 improvement thread On Fri, Jul 24, 2015 at 2:00 PM, Dmitry Khovratovich <khovratovich@...il.com> wrote: > The motivations behind this new transformation are to reduce the parallelism > and that certain number of sequential S-box lookups slows down the > brute-force on GPU on some settings. An additional positive motivation would be making use of a greater portion of the defenders available resources (multiply units and L1 bandwidth); which is a direct increase in cost for an attacker with specalized equipment (or, as noted, equipment with sufficiently different architectures). Obviously this must be verified and weighed against the other considerations, though if the prior performance claims (with reduced round costs) hold it sounds like it would be a fairly sizable increase in total work performed for the complexity penality. I'm more skepcial about arguments about performance on particular architectures... future GPUs may continue to look more CPU like... but the argument about using more of the available resources is generic and increases attacker costs regardless of what future architectures do.
Powered by blists - more mailing lists