| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 6 Sep 2015 07:52:50 -0700
From: Bill Cox <waywardgeek@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Defending passwords using the Radeon R9 Fury X
I wish had time to explore more along the path Steve Thomas started to
explore with Parallel. Yescrypt is already somewhat optimized for this use
case, but I would want to modify it to be as GPU friendly as possible,
which is not the case right now:
- Generate a 4 GiB file of random data, and download it to the card.
- Hash each password with 1ms of ROM data on the card. At 511 GB/s, the
card can do maybe 500-ish MiB in 1ms. This is almost 100X faster than any
CPU based single-thread algorithm. The on-chip state has to be as large as
the block-size. This was the only mistake I saw in EARWORM.
Any ASIC attack, as far as I can see, would have to keep the ROM data
external to the ASIC. What ATI did with this stacked die is insanely
expensive. Any ASIC that does not do this will be at a significant
disadvantage in terms of memory bandwidth. Even if they did develop a
stacked-die ASIC, it probably would only reduce power, not increase speed.
I do not see how a _realistic_ ASIC attack could significantly reduce the
cost per guess.
Ideally the ROM data is random and secret.
Bill
Content of type "text/html" skipped
Powered by blists - more mailing lists