4

Is the availability of these miners a reason to favor bcrypt (or something else) over scrypt?

I mean, the goal of a password hash function is to maximize the work needed for an attacker to break a hash through brute force, dictionary or whatever, while minimizing the work needed for legitimite use. If the attacker can calculate hashes at many times the speed of the server, there is a weakness.

ASIC miners for scrypt-based cryptocurrencies are very efficient at calculating scrypt hashes, and most servers don't use cryptocurrency mining hardware to speed up password hashing.

Is it a problem that the attacker has access to good mining hardware?

Filip Haglund
  • 1,593
  • 1
  • 11
  • 20
  • 1
    What is it you are asking? I can't figuree out your question. It may be that it is more on topic at either our bitcoin or crypto sites. – Rory Alsop Oct 17 '14 at 11:50

3 Answers3

8

The theory of password hashing is that the whole problem is an arms race between attacker and defender. The password hashing function (bcrypt, scrypt...) is made deliberately slow, as much as the defender can tolerate on his hardware. We assume that the attacker can buy the same kind of hardware as the defender, so he can always be at least as efficient as the defender. The hope of the attacker is that he can buy or build specialized hardware that will be able to compute more hashes for the same budget.

Machines specialized for mining coins based on scrypt are inherently good news for the attacker, because such machines make sense only if they do more scrypts per second than a basic PC of the same price. However, this does not necessarily translate to an actual attack model, notably because scrypt is a highly configurable function (both RAM usage and CPU cost can be set) and the combinations for which the miners are optimized do not necessarily match what was used to hash passwords on a given server. The crucial property is how much the mining hardware can be re-purposed for other scrypt parameters.

Another important point is that bcrypt is known to be "more easily broken" with FPGA-based hardware (newer FPGA contain embedded RAM blocks that are very interesting for implementing bcrypt -- each bcrypt instance only needs 4 kB of RAM). Thus, even assuming that the mining ASIC can speed up the attacker, it is unclear whether it will speed him up more than what he can get with FPGA against bcrypt.

You have to remember that password hashing is a problem that spans cryptography, engineering and economics. You must take all these aspects into account if you want to reach a decision.

(Also, scrypt was designed and optimized for a rather specific case, namely password-based encryption of hard disks. This is a usage scenario that is quite different from a Web server authenticating users; when hashing the master password for your laptop hard disk, the system can take a few seconds worth of CPU, and may use gigabytes of RAM. Using scrypt on an authentication server implies moving the parameters out of this zone.)

Community
  • 1
Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
3

There's three different password hashing algorithms being discussed here:

| Algorithm | Cryptographic primitive | Crypto-currency that uses it| Miner speed   | 
|-----------|-------------------------|-----------------------------|---------------|
| PBKDF2    | SHA-256                 | Bitcoin uses SHA-256        | 7 Thash/sec   |
|           |                         |                             |               | 
| Bcrypt    | Whirlpool cipher        | (none)                      | n/a           |
|           | with 4kB key setup      |                             |               |
|           |                         |                             |               |
| Scrypt    | Salsa/20 BlockMix       | LiteCoin                    | 100 Mhash/sec |

The difficulty of hashing comes from how much memory has to be accessed.

  • SHA-256 is meant to be fast. It uses little memory
  • BCrypt's expensive key setup randomly uses 4KB of memory while it sets up the key
  • In litecoin, the scrypt paramters of N=1024, r=1, p=1 causes scrypt to require 128 * 1 * 1024 = 128 KB of memory

An important point is that these ASIC miners are dedicated to litecoin, and to those specific LitCoin scrypt parameters. That means that you, using the default scrypt parameters:

  • N=16,384, r=8, p=1

require:

  • 128 * 8 * 16384 = 16 MB

Using some rough math, based on experience with scrypt, with those real-world password parameters, one of those expensive boxes would be able to do:

6,100 hash/s = 0.006 Mhash/s

Five orders of magnitude slower; but still a concern. My lone Intel i5-2500 can do 5 hash/sec with those parameters. That custom hardware is over 1,000x faster.

Ideally your scrypt is tuned so that it takes about 500ms on your hardware. On my hardware that is accomplished with:

  • N=2^15 = 32768
  • r=9
  • p=1

For a memory footprint of 36 MB. For one of the miners, it would be able to do 1,205 hash/s - 200 times faster than my lone PC.

tl;dr: You do have to worry about miners. Fortunately correct horse battery staple keeps your passwords out of reach of everyone.

Ian Boyd
  • 2,125
  • 1
  • 21
  • 13
1

You question is strange. ASICs affecting security? No, they are not.

On the other hand, ASICs will create an enormous advantage for those using them. That's why CPU/GPU Bitcoin mining is unprofitable today, as the ASICs have way more performance and uses less power.

ASICs are relatively cheap, draws less power, are pretty fast, but they generally don't have lots of RAM. So some crypto currencies favored the use of other hashing schemes where a lot of RAM is needed, making very hard to an ASIC to gain such a huge advantage over ordinary computers.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142