lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAOLP8p4KOkasgoBJnz9+UDwVGaGD2vE+dj=hK+SjVrWPE16q7Q@mail.gmail.com>
Date: Fri, 28 Aug 2015 09:52:45 -0700
From: Bill Cox <waywardgeek@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Flaw in Argon2 TMTO ASIC analysis

On Fri, Aug 28, 2015 at 6:48 AM, Dmitry Khovratovich <khovratovich@...il.com
> wrote:

> If the ASIC running time is about the same as for CPU (which is reasonable
> to expect), then the bandwidth would be about 20-50 GB/sec, so it can grow
> by the factor 4-8 without affecting running time.
>
> This is the main reason I want to use the new MAXFORM feature in Argon2.
Without MAXFORM, I estimate an attacker can make use of 320 GiB/s of
bandwidth without being computation speed limited.  With MAXFORM, I
estimate he can make use of only 40 GiB/s before hitting the computation
speed wall.

That 8x free parallelism in Argon2's compression function is my least
favorite thing about Argon2.  MAXFORM fixes it, while providing GPU
resistance and more.

Bill

Content of type "text/html" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ