Is the availability of these miners a reason to favor bcrypt (or something else)
Question
Is the availability of these miners a reason to favor bcrypt (or something else) over scrypt?
I mean, the goal of a password hash function is to maximize the work needed for an attacker to break a hash through brute force, dictionary or whatever, while minimizing the work needed for legitimate use. If the attacker can calculate hashes at many times the speed of the server, there is a weakness.
ASIC miners for scrypt-based cryptocurrencies are very efficient at calculating scrypt hashes, and most servers don't use cryptocurrency mining hardware to speed up password hashing.
Is it a problem that the attacker has access to good mining hardware?
Explanation / Answer
The theory of password hashing is that the whole problem is an arms race between attacker and defender. The password hashing function (bcrypt, scrypt...) is made deliberately slow, as much as the defender can tolerate on his hardware. We assume that the attacker can buy the same kind of hardware as the defender, so he can always be at least as efficient as the defender. The hope of the attacker is that he can buy or build specialized hardware that will be able to compute more hashes for the same budget.
Machines specialized for mining coins based on scrypt are inherently good news for the attacker, because such machines make sense only if they do more scrypts per second than a basic PC of the same price. However, this does not necessarily translate to an actual attack model, notably because scrypt is a highly configurable function (both RAM usage and CPU cost can be set) and the combinations for which the miners are optimized do not necessarily match what was used to hash passwords on a given server. The crucial property is how much the mining hardware can be re-purposed for other scrypt parameters.
Another important point is that bcrypt is known to be "more easily broken" with FPGA-based hardware (newer FPGAs contain embedded RAM blocks that are very interesting for implementing bcrypt; each bcrypt instance only needs 4 kB of RAM). Thus, even assuming that the mining ASIC can speed up the attacker, it is unclear whether it will speed him up more than what he can get with FPGA against bcrypt.
You have to remember that password hashing is a problem that spans cryptography, engineering and economics. You must take all these aspects into account if you want to reach a decision.
(Also, scrypt was designed and optimized for a rather specific case, namely password-based encryption of hard disks. This is a usage scenario that is quite different from a Web server authenticating users; when hashing the master password for your laptop hard disk, the system can take a few seconds worth of CPU, and may use gigabytes of RAM. Using scrypt on an authentication server implies moving the parameters out of this zone.)
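To put numbers on the parameter-mismatch point made in the answer above, here is an added example (not part of the original post) that compares the per-hash memory footprint of the scrypt parameters Litecoin-style mining ASICs target (N=1024, r=1, p=1) with an illustrative server-side password-hashing choice (N=2^14, r=8, p=1; this server set is an assumption for the demonstration), and then hashes and verifies a password with the server parameters using Python's standard `hashlib.scrypt`.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def scrypt_memory_bytes(n: int, r: int) -> int:
    """RAM one scrypt evaluation needs for its scratch array: 128 * r * N bytes.

    This is the quantity a fixed-function miner has to provision in silicon,
    so hardware built for one (N, r) pair is not a drop-in attack on another.
    """
    return 128 * r * n


# Constructed parameter sets. The miner set is what Litecoin-style scrypt ASICs
# are built for; the server set is an assumed, illustrative password-hashing choice.
MINER_PARAMS = {"n": 1024, "r": 1, "p": 1}
SERVER_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def memory_ratio(server=SERVER_PARAMS, miner=MINER_PARAMS) -> int:
    """How many times more scratch RAM the server parameters need per hash."""
    return scrypt_memory_bytes(server["n"], server["r"]) // scrypt_memory_bytes(miner["n"], miner["r"])


def hash_password(password: bytes, params=SERVER_PARAMS,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) for a password under the given scrypt parameters."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    # maxmem is raised above OpenSSL's default so the 16 MiB server setting is allowed.
    dk = hashlib.scrypt(password, salt=salt, n=params["n"], r=params["r"],
                        p=params["p"], maxmem=128 * 1024 * 1024, dklen=32)
    return salt, dk


def verify_password(password: bytes, salt: bytes, expected: bytes,
                    params=SERVER_PARAMS) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, dk = hash_password(password, params, salt)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    for name, p in (("miner", MINER_PARAMS), ("server", SERVER_PARAMS)):
        print(f"{name:6s} N={p['n']:6d} r={p['r']} -> {scrypt_memory_bytes(p['n'], p['r']) // 1024} KiB per hash")
    print(f"server parameters need {memory_ratio()}x the RAM of the miner parameters")
    salt, dk = hash_password(b"correct horse battery staple")
    print("verify ok:", verify_password(b"correct horse battery staple", salt, dk))
```

The 128 KiB-per-hash miner setting versus the 16 MiB server setting is what the answer means by the ASIC's parameter combination not matching the server's; whether a given miner can be re-targeted to the larger N and r is the property that decides how much uplift the attacker actually gets.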