Open Source and information security mailing list archives
Message-ID: <CAOLP8p48FLzmdLZwiheKhOgsVn7MUTXeM0EE=+o98DQ9qAqpvQ@mail.gmail.com>
Date: Sun, 6 Sep 2015 07:52:50 -0700
From: Bill Cox <waywardgeek@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Defending passwords using the Radeon R9 Fury X

I wish I had time to explore more along the path Steve Thomas started to
explore with Parallel.  Yescrypt is already somewhat optimized for this use
case, but I would want to modify it to be as GPU friendly as possible,
which is not the case right now:

- Generate a 4 GiB file of random data, and download it to the card.
- Hash each password with 1ms of ROM data on the card.  At 511 GB/s, the
card can do maybe 500-ish MiB in 1ms.  This is almost 100X faster than any
CPU-based single-thread algorithm.  The on-chip state has to be as large as
the block-size.  This was the only mistake I saw in EARWORM.

Any ASIC attack, as far as I can see, would have to keep the ROM data
external to the ASIC.  What ATI did with this stacked die is insanely
expensive.  Any ASIC that does not do this will be at a significant
disadvantage in terms of memory bandwidth.  Even if they did develop a
stacked-die ASIC, it probably would only reduce power, not increase speed.
I do not see how a _realistic_ ASIC attack could significantly reduce the
cost per guess.

Ideally the ROM data is random and secret.

Bill
