Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 04 Sep 2015 12:37:22 +0200
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: SHA-1 H()

On 2015-09-02 17:20, Solar Designer wrote:
> In simd-intrinsics.c we have:
>
> #if __XOP__
> #define SHA1_H(x,y,z)                               \
>      tmp[i] = vcmov((x[i]),(y[i]),(z[i]));           \
>      tmp[i] = vxor((tmp[i]),vandnot((x[i]),(y[i])));
> #else
> #define SHA1_H(x,y,z)                                       \
>      tmp[i] = vand((x[i]),(y[i]));                           \
>      tmp[i] = vor((tmp[i]),vand(vor((x[i]),(y[i])),(z[i])));
> #endif
>
> This is suboptimal in two ways:

TL;DR: The changes were good but made no big deal.

Pre and post 5916a57, here's Bull, OMP, complete list (of SHA formats 
that can run OMP):

$ ../run/relbench -v o2 n2 | grep Ratio | sort
Ratio:	0.95438 real, 0.95335 virtual	xsha, Mac OS X 10.4 - 10.6:Only one 
salt
Ratio:	0.96187 real, 0.96203 virtual	Raw-SHA512:Raw
Ratio:	0.98151 real, 0.98330 virtual	SSHA512, LDAP:Only one salt
Ratio:	0.98306 real, 0.99574 virtual	HMAC-SHA224:Many salts
Ratio:	0.98649 real, 0.98802 virtual	sapg, SAP CODVN F/G (PASSCODE):Many 
salts
Ratio:	0.98959 real, 0.99234 virtual	xsha512, Mac OS X 10.7:Only one salt
Ratio:	0.98996 real, 1.00000 virtual	Drupal7, $S$ (x16385):Raw

Manually re-testing Drupal7 (SHA-512) a couple of times shows it 
probably neither got a boost not a regression (or perhaps a very very 
slight boost: Same real speed, virtual boosted one (1) c/s - pretty much 
consistently).

Ratio:	0.99001 real, 0.99875 virtual	SybaseASE, Sybase ASE:Only one salt
Ratio:	0.99010 real, 0.99754 virtual	Blackberry-ES10 (101x):Raw
Ratio:	0.99010 real, 1.00000 virtual	Fortigate, FortiOS:Many salts
Ratio:	0.99050 real, 0.99650 virtual	LastPass, sniffed sessions:Only one 
salt
Ratio:	0.99055 real, 0.99534 virtual	LastPass, sniffed sessions:Many salts
Ratio:	0.99085 real, 1.00077 virtual	aix-ssha512, AIX LPA {ssha512}:Raw
Ratio:	0.99294 real, 0.99320 virtual	HMAC-SHA256:Many salts
Ratio:	0.99383 real, 0.99884 virtual	PBKDF2-HMAC-SHA256:Raw

Manually re-testing PBKDF2-HMAC-SHA256 a couple of times show neither 
boost nor regression.

Ratio:	0.99415 real, 0.99611 virtual	Blockchain, My Wallet (x10):Raw
Ratio:	0.99504 real, 0.99646 virtual	HMAC-SHA512:Only one salt
Ratio:	0.99594 real, 1.00429 virtual	Fortigate, FortiOS:Only one salt
Ratio:	0.99615 real, 0.99667 virtual	Raw-SHA512-ng:Raw
Ratio:	0.99617 real, 1.00486 virtual	Salted-SHA1:Only one salt
Ratio:	0.99625 real, 0.99634 virtual	xsha512, Mac OS X 10.7:Many salts
Ratio:	0.99913 real, 0.99918 virtual	SSHA512, LDAP:Many salts
Ratio:	1.00000 real, 0.97838 virtual	HMAC-SHA224:Only one salt
Ratio:	1.00000 real, 0.99748 virtual	RAR5:Raw
Ratio:	1.00000 real, 1.00000 virtual	aix-ssha256, AIX LPA {ssha256}:Raw
Ratio:	1.00000 real, 1.00000 virtual	HMAC-SHA512:Many salts
Ratio:	1.00000 real, 1.00000 virtual	keyring, GNOME Keyring:Raw
Ratio:	1.00000 real, 1.00000 virtual	mssql12, MS SQL 2012/2014:Many salts
Ratio:	1.00000 real, 1.00000 virtual	sha512crypt, crypt(3) $6$ 
(rounds=5000):Raw
Ratio:	1.00000 real, 1.00118 virtual	pwsafe, Password Safe:Raw
Ratio:	1.00000 real, 1.00142 virtual	PBKDF2-HMAC-SHA512, GRUB2 / OS X 
10.8+:Raw
Ratio:	1.00000 real, 1.00154 virtual	sha256crypt, crypt(3) $5$ 
(rounds=5000):Raw
Ratio:	1.00000 real, 1.00230 virtual	eCryptfs (65536x):Raw
Ratio:	1.00000 real, 1.00233 virtual	lp, LastPass offline:Raw
Ratio:	1.00000 real, 1.00233 virtual	rar, RAR3 (4 characters):Raw
Ratio:	1.00000 real, 1.00250 virtual	SybaseASE, Sybase ASE:Many salts
Ratio:	1.00143 real, 1.00143 virtual	tc_aes_xts, TrueCrypt AES256_XTS:Raw
Ratio:	1.00153 real, 1.00000 virtual	HMAC-SHA384:Many salts
Ratio:	1.00238 real, 1.00115 virtual	Raw-SHA256:Raw
Ratio:	1.00285 real, 0.99916 virtual	HMAC-SHA1:Only one salt
Ratio:	1.00286 real, 1.00286 virtual	tc_sha512, TrueCrypt AES256_XTS:Raw
Ratio:	1.00536 real, 1.01673 virtual	saph, SAP CODVN H (PWDSALTEDHASH) 
(SHA1x1024):Many salts
Ratio:	1.00539 real, 1.00566 virtual	Raw-SHA224:Raw
Ratio:	1.00587 real, 1.00583 virtual	Oracle12C:Raw
Ratio:	1.00897 real, 1.01051 virtual	RAKP, IPMI 2.0 RAKP (RMCP+):Only 
one salt
Ratio:	1.00931 real, 0.99772 virtual	7z, 7-Zip (512K iterations):Many salts
Ratio:	1.00965 real, 1.00000 virtual	Django (x10000):Raw
Ratio:	1.00981 real, 1.02342 virtual	keychain, Mac OS X Keychain:Raw
Ratio:	1.00996 real, 1.02035 virtual	mscash2, MS Cache Hash 2 (DCC2):Raw
Ratio:	1.00997 real, 0.99876 virtual	HMAC-SHA384:Only one salt
Ratio:	1.01000 real, 1.00000 virtual	Bitcoin:Raw
Ratio:	1.01001 real, 1.00000 virtual	Raw-SHA384:Raw
Ratio:	1.01005 real, 1.00457 virtual	HMAC-SHA256:Only one salt
Ratio:	1.01193 real, 1.01197 virtual	Salted-SHA1:Many salts
Ratio:	1.01314 real, 1.01314 virtual	Citrix_NS10, Netscaler 10:Many salts
Ratio:	1.01546 real, 1.01677 virtual	saph, SAP CODVN H (PWDSALTEDHASH) 
(SHA1x1024):Only one salt
Ratio:	1.01617 real, 1.01439 virtual	sha1crypt, NetBSD's sha1crypt:Raw
Ratio:	1.01626 real, 1.00000 virtual	cloudkeychain, 1Password Cloud 
Keychain:Raw
Ratio:	1.01628 real, 1.01764 virtual	xsha, Mac OS X 10.4 - 10.6:Many salts
Ratio:	1.01634 real, 1.01507 virtual	aix-ssha1, AIX LPA {ssha1}:Raw
Ratio:	1.01648 real, 1.01506 virtual	sxc, StarOffice .sxc:Raw
Ratio:	1.01661 real, 1.01036 virtual	sapg, SAP CODVN F/G (PASSCODE):Only 
one salt
Ratio:	1.01695 real, 1.02453 virtual	krb5-18, Kerberos 5 db etype 18:Raw
Ratio:	1.01699 real, 1.01871 virtual	krb5pa-sha1, Kerberos 5 AS-REQ 
Pre-Auth etype 17/18:Raw
Ratio:	1.01699 real, 1.02115 virtual	EFS:Raw
Ratio:	1.01818 real, 1.01938 virtual	STRIP, Password Manager:Raw
Ratio:	1.01858 real, 0.99275 virtual	7z, 7-Zip (512K iterations):Only 
one salt
Ratio:	1.01898 real, 1.02020 virtual	RAKP, IPMI 2.0 RAKP (RMCP+):Many salts
Ratio:	1.01924 real, 1.01681 virtual	dmg, Apple DMG:Raw
Ratio:	1.01924 real, 1.02404 virtual	OpenBSD-SoftRAID (8192 iterations):Raw
Ratio:	1.01935 real, 1.02062 virtual	EncFS:Raw
Ratio:	1.02013 real, 1.01613 virtual	LUKS:Raw
Ratio:	1.02058 real, 1.02058 virtual	ZIP, WinZip:Raw
Ratio:	1.02315 real, 1.02172 virtual	HMAC-SHA1:Many salts
Ratio:	1.02499 real, 1.02473 virtual	Office, 2007/2010/2013:Raw
Ratio:	1.02616 real, 1.02497 virtual	agilekeychain, 1Password Agile 
Keychain:Raw
Ratio:	1.02778 real, 1.02604 virtual	fde, Android FDE:Raw
Ratio:	1.03001 real, 1.01997 virtual	PBKDF2-HMAC-SHA1:Raw
Ratio:	1.03393 real, 1.03394 virtual	mssql12, MS SQL 2012/2014:Only one salt
Ratio:	1.03590 real, 1.03066 virtual	ODF:Raw
Ratio:	1.03826 real, 1.02821 virtual	Citrix_NS10, Netscaler 10:Only one salt
Ratio:	1.04312 real, 1.03429 virtual	wpapsk, WPA/WPA2 PSK:Raw

I think the summary makes very good sense in this case since only 
relevant formats were included:

Number of benchmarks:		82
Minimum:			0.95438 real, 0.95335 virtual
Maximum:			1.04312 real, 1.03429 virtual
Median:				1.00411 real, 1.00192 virtual
Median absolute deviation:	0.01072 real, 0.00599 virtual
Geometric mean:			1.00588 real, 1.00577 virtual
Geometric standard deviation:	1.01514 real, 1.01412 virtual

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.