Date: Wed, 23 Mar 2011 14:38:26 +0300
From: Solar Designer <>
Subject: Re: GSOC - GPU for hashes

Hi Thomas,

I'm sorry for the delay in responding to you specifically.  I assume
that you've read other messages in the thread, which might address some
of your would-be questions.

On Sun, Mar 20, 2011 at 07:14:18PM +0100, Thomas Bertani wrote:
> In the past I have used CUDA as a way to speed up the dtw algorithm
> computation and now I'm really interested in the following tasks:
> - GPU for slow hashes
> - GPU for fast hashes
> Actually CUDA is still the best way to do gpgpu as openCL is a much younger
> project so CUDA is more mature. However also using openCL could be a choice
> to consider.

Sounds fine.  Another thing to consider is that, quoting Marc Bevand,
current "AMD GPUs are roughly 2x-3x faster than Nvidia GPUs on ALU-bound

Low-level stuff, which we'll need for bitslice DES too (the BFI_INT
instruction will be important for implementing DES S-boxes):

Comparison of different GPUs:

Yet I am fine with us starting with CUDA.  It may very well be the easy
first step that we need to take.

> Is there any further step I can do to go deep into the gpgpu related tasks?

I suggest that you try to implement one of the slow hashes and have JtR
use it.  This can be any one of the Unix crypt(3) flavors, MSCash2
(perhaps just the PBKDF2 portion of it, leaving the rest for CPU), or
phpass "portable" hashes.

MD5-based crypt(3) and phpass "portable" hashes are easy targets.

DES-based crypt(3) is harder to implement efficiently, although we'll
need to do it (bitslice, of course).

PBKDF2 should be easy and efficient, whereas Blowfish is apparently
hard/unreasonable to implement on GPUs at this time:

This means that if you want an easy first target, MSCash2 is a better
choice than Blowfish-based crypt(3).  And we'll have other uses for
PBKDF2 (also WPA, FileVault, keychain to name some popular requests).

For info on MSCash2, see:
and a newer revision of the code in 1.7.6-jumbo-12.

SHA-crypt should be easy for the SHA-256 based flavor of it, but harder
for the SHA-512 based one (64-bit operations, which I guess you will
need to split into pairs of 32-bit ones, with carry? or do bitslice).
The SHA-512 based flavor is far more common (and thus more important for
us to support well).

Please let me know if you decide to approach some of this and if you
have any further questions/comments.
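
The SHA-512 remark above (64-bit operations split into pairs of 32-bit ones, with carry) can be illustrated as follows. This is an added example, not part of the original message and not code from John the Ripper; the type and function names are hypothetical, and plain C stands in for a GPU kernel language.

```c
#include <stdint.h>

/* Hypothetical type: one 64-bit word kept as two 32-bit halves. */
typedef struct { uint32_t hi, lo; } u64pair;

static u64pair from_u64(uint64_t x) { u64pair r = { (uint32_t)(x >> 32), (uint32_t)x }; return r; }
static uint64_t to_u64(u64pair a) { return ((uint64_t)a.hi << 32) | a.lo; }

/* Addition: a low-half sum that wrapped modulo 2^32 is smaller than a.lo; that is the carry. */
static u64pair add64(u64pair a, u64pair b) {
    u64pair r;
    r.lo = a.lo + b.lo;
    r.hi = a.hi + b.hi + (r.lo < a.lo);
    return r;
}

/* Rotate right by n (0 < n < 64): for n >= 32, swap the halves, then rotate by n - 32. */
static u64pair rotr64(u64pair a, unsigned n) {
    u64pair r;
    if (n >= 32) { uint32_t t = a.hi; a.hi = a.lo; a.lo = t; n -= 32; }
    if (n == 0) return a;            /* avoid an undefined 32-bit shift by 32 */
    r.lo = (a.lo >> n) | (a.hi << (32 - n));
    r.hi = (a.hi >> n) | (a.lo << (32 - n));
    return r;
}

/* SHA-512 Sigma1(x) = ROTR14(x) ^ ROTR18(x) ^ ROTR41(x), using 32-bit operations only. */
static u64pair big_sigma1(u64pair x) {
    u64pair a = rotr64(x, 14), b = rotr64(x, 18), c = rotr64(x, 41);
    u64pair r = { a.hi ^ b.hi ^ c.hi, a.lo ^ b.lo ^ c.lo };
    return r;
}

/* Native 64-bit reference, used only to check the split versions. */
static uint64_t rotr_ref(uint64_t x, unsigned n) { return (x >> n) | (x << (64 - n)); }

/* Returns the number of mismatches against native arithmetic over constructed sample words. */
static int count_mismatches(void) {
    static const uint64_t w[] = { 0, 1, 0xFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL,
                                  0x0123456789ABCDEFULL, 0x8000000080000000ULL };
    int bad = 0;
    for (unsigned i = 0; i < 6; i++) {
        for (unsigned n = 1; n < 64; n++)
            bad += to_u64(rotr64(from_u64(w[i]), n)) != rotr_ref(w[i], n);
        for (unsigned j = 0; j < 6; j++)
            bad += to_u64(add64(from_u64(w[i]), from_u64(w[j]))) != (uint64_t)(w[i] + w[j]);
        bad += to_u64(big_sigma1(from_u64(w[i])))
               != (rotr_ref(w[i], 14) ^ rotr_ref(w[i], 18) ^ rotr_ref(w[i], 41));
    }
    return bad;
}
int main(void) { return count_mismatches(); }
```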


