Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 01 Jun 2015 13:37:14 +0200
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Interleaving of intrinsics

On 2015-05-31 11:19, magnum wrote:
> On 2015-05-30 04:55, Solar Designer wrote:
>> These are reasonable results for pbkdf2-hmac-sha512, but there's
>> something "wrong" for pbkdf2-hmac-sha256.  It is suspicious whenever
>> there's a performance regression for going from x1 to x2 interleaving,
>> but then a performance improvement at higher interleaving factors.  This
>> suggest there's some overhead incurred with interleaving, and it is
>> probably avoidable.
>
> Perhaps the para loops doesn't always unroll in sha256 and we end up
> with actual loops, as discussed below? The overhead would be less
> significant for higher paras.

Or perhaps as soon as we use interleaving, things like tmp[SIMD_PARA] 
end up being stack arrays? That should hurt a lot.

Actually, here's a bug we have: Using the wide loops as in SHA2, we 
don't need to use "tmp[i]" at all - we do fine with just "tmp". I tried 
this but there was very little difference (but to the better).

I tried changing MD4/5 and SHA1 to use fewer, wider loops similar to 
SHA2 and consequently use single temps instead of arrays. There was 
about 4% boost for MD4/MD5 but SHA1 got slightly worse. Why?

Nothing of this was very conclusive. I'm not sure what to make of it, 
but I'm committing it to a topic branch "intrinsics-loops" for now.


Here's a somewhat unrelated note: While MD4/5 just use the w[16] pad, 
SHA1 and SHA2 use w[80] internally. We handle this differently in all 
three: SHA1 keeps a sliding window of tmpR[16] and some EXPAND macros 
(Jim did this, for a 10% boost of Simon's original code that had w[80]). 
SHA256 seems to manage with just tmp1 and the R() macro. And SHA512 
actually use an expensive w[80]. This should be looked into. I'll have a 
peak at Alain's code again. Maybe SHA1 and SHA512 could do it more like 
SHA256 does it?

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.