jeffrey at goldmark.org
Fri Mar 13 14:29:58 EDT 2015
On Mar 13, 2015, at 8:43 AM, Solar Designer <solar at openwall.com> wrote:
> On Thu, Mar 12, 2015 at 10:57:47AM -0600, Jeffrey Goldberg wrote:
>> 2. Use SHA-512 in PBKDF2
>> This will make PBKDF2 resistant to GPU based cracking efforts.
>> Note that this is resistance to attacks using current, off-the-shelf,
>> hardware. It is only a short term solution.
> I think this wording is too strong. While I did and I continue to
> advocate SHA-512 over SHA-256 for this reason (when someone insists on
> PBKDF2 or the like anyway), the gap with recent attack implementations
> is narrower than it used to be.
Ah, so the term of this “short term solution” is already expiring.
> For sha512crypt vs. sha256crypt, it's
> down to ~2x:
Interesting. Thank you for that, Solar.
> And scrypt even at fairly low settings is likely somewhat stronger (or
> rather not-as-weak) against GPU attacks than PBKDF2-HMAC-SHA-512 at
> comparable low running time. Not at settings as low as Litecoin's 128 KB
> with r=1, but at settings like 2 MB with r=8, which is affordable in
OK. So I guess we return to the original question, does anyone know of
> BTW, given the wide availability of scrypt altcoin ASICs, some of which
> can handle higher N (this is known) but likely not higher r (this is a
> plausible guess, given the incentive model for those ASICs), and given
> the effect r has on scrypt speeds on GPU, I recommend that scrypt
> paper's recommended r=8 (rather than altcoins' typical r=1) be used.
> That's even when the original reason for using r=8 (reducing the
> frequency and thus performance impact of TLB misses, and allowing for
> some prefetching) does not apply, like it mostly does not with
> (Of course, someone may produce more capable scrypt ASICs.)
Indeed. As I said, in this race the attacker has more to gain from Moore’s
Law than the defender.
More information about the cryptography