[cryptography] Current state of brute-forcing random keys?

Solar Designer solar at openwall.com
Thu Jun 9 15:35:21 EDT 2011

On Thu, Jun 09, 2011 at 08:11:00PM +0100, Paul Crowley wrote:
> We know *lots* about how fast SHA-256 can be run because of its use in 
> BitCoin:
> https://en.bitcoin.it/wiki/Mining_hardware_comparison

Right.  We also know that it is very GPU-friendly, so if we expect
attackers with GPUs but maybe not with custom hardware (FPGA, ASIC), we
could want to stay away from SHA-2 family functions and use something
like Blowfish (Eksblowfish, bcrypt) in the KDF instead.  Or use scrypt,
which is GPU-unfriendly because of its memory size and bandwidth needs.

On Blowfish being GPU-unfriendly:


On the other hand, if the application itself can have access to a GPU,
but not to FPGA/ASIC, do use SHA-256 (or similar) and include lots of
parallelism in your custom KDF (to fully use the GPU and thus not let
the attacker benefit from having more parallelism, which they do have).


P.S. We actually have a related project going on right now, focusing on
password hashing on FPGA boards in authentication servers (for use by
companies with large user:passwordhash databases).  I might post about
this one separately.
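As an added illustration (my own example, not code from this post or any Openwall project) of the second point above, the "many parallel lanes over SHA-256" idea: the construction below is hypothetical, with the lane count, round count, per-lane block size and final HMAC fold chosen by me, not specified anywhere in the thread. It runs the lanes on a thread pool so a defender with many cores already uses the parallelism an attacker would otherwise get for free, and it folds every lane into the key so no candidate password can be rejected before all lanes finish. For contrast it also calls the standard library's scrypt, the memory-hard option mentioned in the first paragraph. The password and salt are constructed sample values.

```python
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor

# Working block per lane. Keeping it above 2047 bytes matters in CPython:
# hashlib releases the GIL only for inputs larger than that, so the lanes
# below really run concurrently on a multi-core host instead of serially.
BLOCK = 4096


def _lane(password: bytes, salt: bytes, lane: int, rounds: int) -> bytes:
    """One independent SHA-256 chain; lanes differ only in their seed."""
    expand = BLOCK // 32
    buf = hashlib.sha256(salt + lane.to_bytes(4, "big") + password).digest() * expand
    for _ in range(rounds):
        buf = hashlib.sha256(buf + password).digest() * expand
    return buf[:32]


def lane_kdf(password: bytes, salt: bytes, lanes: int = 8, rounds: int = 1000,
             dklen: int = 32, parallel: bool = True) -> bytes:
    """Hypothetical KDF: `lanes` independent SHA-256 chains, all folded into the key.

    `parallel=False` computes the same value serially; the result must not
    depend on scheduling, which the __main__ block and tests check.
    """
    if parallel:
        with ThreadPoolExecutor(max_workers=lanes) as pool:
            outputs = list(pool.map(lambda i: _lane(password, salt, i, rounds),
                                    range(lanes)))
    else:
        outputs = [_lane(password, salt, i, rounds) for i in range(lanes)]
    # Every lane feeds the final HMAC, so a guess cannot be rejected early:
    # an attacker has to finish all `lanes` chains for every candidate.
    return hmac.new(salt, b"".join(outputs), hashlib.sha256).digest()[:dklen]


def scrypt_kdf(password: bytes, salt: bytes, n: int = 2 ** 14, r: int = 8,
               p: int = 1, dklen: int = 32) -> bytes:
    """Memory-hard alternative from the standard library: needs about 128*n*r bytes
    (16 MiB with the defaults here), which is what makes it GPU-unfriendly."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=dklen)


if __name__ == "__main__":
    # Constructed sample inputs, not from the thread. A fixed all-zero salt is
    # used only so the output is reproducible; real salts must be random.
    pw, salt = b"correct horse battery staple", b"\x00" * 16
    assert lane_kdf(pw, salt) == lane_kdf(pw, salt, parallel=False)
    print("lane_kdf  :", lane_kdf(pw, salt).hex())
    print("scrypt_kdf:", scrypt_kdf(pw, salt).hex())
```

With the defaults each call hashes 8 lanes x 1000 rounds x 4 KiB, about 32 MiB of SHA-256 work, spread over up to 8 threads; raise `rounds` until the call takes as long as the application can tolerate. The caveat the post itself makes still applies: this only helps against an attacker limited to GPUs, since an FPGA or ASIC farm has far more parallelism than any authentication server.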
