lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAOLP8p7Jz+ZtgPQHTxYq2KbM_FNMpKFbQZrCq+Q_P+GNJmROQw@mail.gmail.com>
Date: Fri, 28 Aug 2015 16:41:19 -0700
From: Bill Cox <waywardgeek@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Flaw in Argon2 TMTO ASIC analysis

On Fri, Aug 28, 2015 at 11:29 AM, Marsh Ray <maray@...rosoft.com> wrote:

> Perhaps we should keep an eye on the 3D chip stacking technology. It’s
> been discussed for many years, but is just recently starting to come
> online. https://www.bing.com/search?q=3d%20chip%20stack
>
>
>
> E.g. “the CMOSAIC project considers a 3D stack-architecture of multiple
> cores with a interconnect density from 100 to 10,000 connections per
> millimeter square” http://www.zurich.ibm.com/news/10/moore.html
>
>
>
> Seems like that could represent a pretty big jump in memory bandwidth.
>

This is just like the case above when the ASIC attacker has far more
available bandwidth than he can make use of.  It is also similar to the low
memory hashing case where it all fits on-chip.  The same defense applies:
compute time hardening with multiplication chains, and the ASIC attacker
will use the same techniques to get around it: a 2X TMTO, maybe interleave
multiple guesses if he has enough RAM, and optimized is ASIC size to find
the cost per guess sweet-spot.

It's nice to know there's now more than just bandwidth limiting an ASIC
attack against Argon2 :)  However, in the case of Argon2 with no
multiplication chains and a bandwidth limit of even 400GiB/s, the ASIC will
be heavily memory bandwidth limited.  Just using multiplication chains in
the Blake2 rounds doesn't help much, because of the 8-way parallelism in
the compression function.  The only serial multiplication chain is in the
Sbox code.

I read the compression and Sbox code carefully.  Very nice work, IMO.

Bill

Content of type "text/html" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ