├── .travis.yml ├── LICENSE.txt ├── README.md ├── javascript ├── build-simd.sh ├── ecmascript_simd.js ├── sjcl.js ├── test.html ├── yescrypt-cli.js ├── yescrypt-simd.js ├── yescrypt-simd.m4 └── yescrypt.js ├── new-spec └── yescrypt.txt ├── php ├── scrypt │ ├── scrypt.php │ └── scrypt_test.php ├── yescrypt.php └── yescrypt_cli.php ├── python ├── yescrypt-cli.py └── yescrypt.py ├── reference ├── yescrypt-0.7.1 │ ├── info │ └── yescrypt │ │ ├── CHANGES │ │ ├── extra │ │ ├── README │ │ ├── analyze.c │ │ ├── sim-at-output.txt │ │ ├── sim-at.c │ │ ├── sim-bmpwx.c │ │ ├── sim-normat-output.txt │ │ ├── sim-normat.c │ │ ├── sim-tmto-output.txt │ │ ├── sim-tmto.c │ │ ├── sim-up-output.txt │ │ ├── sim-up.c │ │ └── style.latex │ │ ├── yescrypt-0.7.1-original │ │ ├── Makefile │ │ ├── PERFORMANCE-default │ │ ├── PERFORMANCE-scaling-down │ │ ├── PERFORMANCE-scaling-up │ │ ├── PHC-TEST-OK │ │ ├── README │ │ ├── TESTS-OK │ │ ├── initrom.c │ │ ├── phc.c │ │ ├── sha256.c │ │ ├── sha256.h │ │ ├── sysendian.h │ │ ├── tests.c │ │ ├── userom.c │ │ ├── yescrypt-best.c │ │ ├── yescrypt-common.c │ │ ├── yescrypt-opt.c │ │ ├── yescrypt-platform.c │ │ ├── yescrypt-ref.c │ │ ├── yescrypt-simd.c │ │ └── yescrypt.h │ │ ├── yescrypt-0.7.1 │ │ ├── Makefile │ │ ├── PERFORMANCE-default │ │ ├── PERFORMANCE-scaling-down │ │ ├── PERFORMANCE-scaling-up │ │ ├── PHC-TEST-OK │ │ ├── README │ │ ├── TESTS-OK │ │ ├── initrom.c │ │ ├── phc.c │ │ ├── sha256.c │ │ ├── sha256.h │ │ ├── sysendian.h │ │ ├── tester.c │ │ ├── tests.c │ │ ├── userom.c │ │ ├── yescrypt-best.c │ │ ├── yescrypt-common.c │ │ ├── yescrypt-opt.c │ │ ├── yescrypt-platform.c │ │ ├── yescrypt-ref.c │ │ ├── yescrypt-ref.h │ │ ├── yescrypt-simd.c │ │ └── yescrypt.h │ │ ├── yescrypt-phc.pdf │ │ └── yescrypt-phc.rst └── yescrypt-0.8.1 │ ├── CHANGES │ ├── extra │ ├── README │ ├── analyze.c │ ├── sim-at-output.txt │ ├── sim-at.c │ ├── sim-bmpwx.c │ ├── sim-normat-output.txt │ ├── sim-normat.c │ ├── sim-tmto-output.txt │ ├── sim-tmto.c │ ├── sim-up-output.txt │ ├── sim-up.c │ └── style.latex │ ├── yescrypt-0.8.1 │ ├── Makefile │ ├── PERFORMANCE-default │ ├── PERFORMANCE-scaling-down │ ├── PERFORMANCE-scaling-up │ ├── PHC-TEST-OK │ ├── README │ ├── TESTS-OK │ ├── initrom.c │ ├── phc.c │ ├── sha256.c │ ├── sha256.h │ ├── sysendian.h │ ├── tester.c │ ├── tests.c │ ├── userom.c │ ├── yescrypt-best.c │ ├── yescrypt-common.c │ ├── yescrypt-opt.c │ ├── yescrypt-platform.c │ ├── yescrypt-ref.c │ ├── yescrypt-simd.c │ └── yescrypt.h │ ├── yescrypt-phc.pdf │ └── yescrypt-phc.rst ├── ruby ├── Yescrypt.rb └── yescrypt_cli.rb ├── run-benchmarks.rb ├── test-javascript-simd.sh ├── test-javascript.sh ├── test-php.sh ├── test-python.sh ├── test-ruby.sh └── travis └── run.sh /.travis.yml: -------------------------------------------------------------------------------- 1 | # Ignore this line, look at the matrix: thing below. 2 | language: php 3 | 4 | php: 5 | - 5.5 6 | 7 | install: 8 | - npm install sjcl 9 | 10 | script: 11 | - ./test-php.sh 12 | - ./test-ruby.sh 13 | - ./test-javascript.sh 14 | 15 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | This license applies to all files in this repository authored by Taylor 2 | Hornby. 3 | 4 | Copyright 2016-2019 Taylor Hornby 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted. 9 | 10 | THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 11 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 12 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 13 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 14 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 15 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 16 | OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 17 | HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 18 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 19 | OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 20 | SUCH DAMAGE. 21 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | yescrypt 2 | ========== 3 | 4 | [![Build Status](https://travis-ci.org/defuse/yescrypt.svg?branch=master)](https://travis-ci.org/defuse/yescrypt) 5 | 6 | This repository holds my implementations of the yescrypt algorithm done for 7 | Google Summer of Code 2015. *WARNING:* This code has not yet been brought up to 8 | date with the latest version of yescrypt, yescrypt 1.0. This is being tracked in 9 | [GitHub Issue #32](https://github.com/defuse/yescrypt/issues/32). 10 | 11 | Documentation 12 | --------------- 13 | 14 | Here are some useful yescrypt and scrypt links: 15 | 16 | - [All Password Hashing Competition candidates](https://password-hashing.net/candidates.html) 17 | - [The yescrypt specification](https://password-hashing.net/submissions/specs/yescrypt-v1.pdf) 18 | - [The yescrypt C implementations](https://password-hashing.net/submissions/yescrypt-v1.tar.gz) 19 | - [Colin Percival's scrypt paper](https://www.tarsnap.com/scrypt/scrypt.pdf) 20 | - [The scrypt Internet-Draft](https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-02) 21 | 22 | Optimization 23 | --------------- 24 | 25 | Currently, none of the implementations are optimized. 26 | 27 | Using a non-optimized implementation in production is a security weakness. This 28 | is because you are forced to use weaker parameters than you could have with an 29 | optimized implementation, and therefore the attacker has more of an advantage. 30 | 31 | Use an optimized native implementation if possible. 32 | 33 | Audit Status 34 | --------------- 35 | 36 | None of the code in this repository has been professionally reviewed. The code 37 | here should be considered experimental and not used in production until this 38 | notice is removed. 39 | 40 | Reporting Security Bugs 41 | ------------------------- 42 | 43 | Please disclose bugs publicly by opening an issue on GitHub. If you need to 44 | disclose privately for some reason, or don't have a GitHub account, you can find 45 | my contact information [here](https://defuse.ca/contact.htm). 46 | 47 | The `ecmascript_simd` polyfill 48 | -------------------------------- 49 | 50 | The polyfill for SIMD operations, in `javascript/ecmascript_simd.js`, was taken 51 | from [tc38/ecmascript_simd](https://github.com/tc39/ecmascript_simd/) and 52 | modified to support `shiftRightLogicalByScalar` on `Int32x4`. 53 | 54 | Common API 55 | ---------- 56 | 57 | Each of the yescrypt implementations provides the following command-line API: 58 | 59 | ``` 60 | yescrypt-cli 61 | ``` 62 | 63 | Here, `` can be one of the following: 64 | 65 | - `yescrypt`: Compute the `yescrypt` function using arguments `password` (hex 66 | encoded), `salt` (hex encoded), `N`, `r`, `p`, `t`, `g`, `flags`, and `dkLen` 67 | in that order. 68 | 69 | - `pwxform`: Compute the `pwxform` function on the arguments `pwxblock` (hex 70 | encoded) and `sbox` (hex encoded) in that order. 71 | 72 | - `salsa20_8`: Compute the salsa20 function reduced to 8 rounds on the 73 | hex-encoded cell provided as the next argument. 74 | 75 | - `benchmark`: Run a performance benchmark (see below for arguments.). 76 | 77 | When `` is `benchmark`, the next argument is the iteration count, and 78 | then further arguments can be: 79 | 80 | - `yescrypt`: Benchmark the yescrypt function, with the following arguments 81 | being `N`, `r`, `p`, `t`, `g`, `flags`, and `dkLen` in that order, printing 82 | the performance of computing yescypt with those parameters on random 83 | passphrases and salts in c/s. 84 | 85 | - `pwxform`: Benchmark the `pwxform` function on a random block and sbox, 86 | printing the result in c/s. 87 | 88 | - `salsa20_8`: Benchmark the `salsa20_8` function on a random cell, printing the 89 | result in c/s. 90 | 91 | Each implementation is expected to report its average performance for that many 92 | iterations of the requested function. Implementations should strive to return as 93 | accurate results as possible. If no meaningful accuracy is possible given the 94 | provided iteration count, the benchmark command may fail with an error message. 95 | 96 | The rationale for making each implementation have their own timing code is that 97 | firstly, the overhead of process creation, etc. is not included in the running 98 | time, and secondly, that each language "knows best" how to benchmark itself. 99 | 100 | The rationale for not letting implementations decide the iteration count for 101 | themselves is that the benchmark user is the one who decides how long they want 102 | to run the benchmarks for and what kind of accuracy they expect. 103 | 104 | Funding 105 | ======= 106 | 107 | Taylor's work on this project was funded by [Google Summer of 108 | Code](https://developers.google.com/open-source/gsoc/) and by 20% "fun friday" 109 | time at [Zcash](https://z.cash). 110 | -------------------------------------------------------------------------------- /javascript/build-simd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | m4 yescrypt-simd.m4 > yescrypt-simd.js 3 | -------------------------------------------------------------------------------- /javascript/test.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Yescrypt Test Page 6 | 7 | 8 | 9 | 10 | 11 | 12 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /javascript/yescrypt-cli.js: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env node 2 | 3 | // npm install sjcl 4 | sjcl = require('sjcl'); 5 | 6 | // Include yescrypt.js without having to add node-js-stuff into that file. 7 | var fs = require('fs'); 8 | eval(fs.readFileSync(__dirname + '/yescrypt.js')+''); 9 | 10 | var argv; 11 | if (process.argv[2] === "SIMD") { 12 | argv = process.argv.slice(3); 13 | eval(fs.readFileSync(__dirname + '/ecmascript_simd.js')+''); 14 | eval(fs.readFileSync(__dirname + '/yescrypt-simd.js')+''); 15 | } else { 16 | argv = process.argv.slice(2); 17 | } 18 | 19 | if (argv.length < 1) { 20 | console.log('Not enough arguments.'); 21 | process.exit(1); 22 | } 23 | 24 | // TODO: add the other argument length checking 25 | 26 | switch (argv[0]) { 27 | case 'yescrypt': 28 | if (argv.length != 10) { 29 | console.log('Wrong number of arguments for yescrypt.'); 30 | process.exit(1); 31 | } 32 | 33 | result = yescrypt.calculate( 34 | hexToUint8Array(argv[1]), // password 35 | hexToUint8Array(argv[2]), // salt 36 | parseInt(argv[3]), // N 37 | parseInt(argv[4]), // r 38 | parseInt(argv[5]), // p 39 | parseInt(argv[6]), // t 40 | parseInt(argv[7]), // g 41 | parseInt(argv[8]), // flags 42 | parseInt(argv[9]) // dkLen 43 | ); 44 | 45 | process.stdout.write( 46 | toNodeBuffer(result) 47 | ); 48 | break; 49 | case 'pwxform': 50 | 51 | var pwxblock = hexToUint8Array(argv[1]); 52 | var pwxblock32 = new Uint32Array(pwxblock.buffer); 53 | 54 | var sbox = hexToUint8Array(argv[2]); 55 | // TODO: deduplicate this, so that we're testing the code yescrypt.js 56 | // actually uses to create the object. 57 | var sbox32 = new Uint32Array(sbox.buffer); 58 | sbox_obj = { 59 | S: sbox32, 60 | S2: 0, 61 | S1: sbox32.length / 3, 62 | S0: (sbox32.length / 3) * 2, 63 | w: 0 64 | } 65 | 66 | yescrypt.pwxform(pwxblock32, sbox_obj); 67 | 68 | process.stdout.write( 69 | toNodeBuffer(pwxblock) 70 | ); 71 | break; 72 | 73 | case 'salsa20_8': 74 | var cell = hexToUint8Array(argv[1]); 75 | var cell32 = new Uint32Array(cell.buffer); 76 | yescrypt.salsa20_8(cell32); 77 | process.stdout.write( 78 | toNodeBuffer(cell) 79 | ); 80 | break; 81 | case 'benchmark': 82 | if (argv.length < 3) { 83 | console.log('Bad arguments to benchmark.'); 84 | process.exit(1); 85 | } 86 | var iteration_count = parseInt(argv[1]); 87 | switch (argv[2]) { 88 | case 'yescrypt': 89 | benchmarkYescrypt( 90 | iteration_count, 91 | parseInt(argv[3]), // N 92 | parseInt(argv[4]), // r 93 | parseInt(argv[5]), // p 94 | parseInt(argv[6]), // t 95 | parseInt(argv[7]), // g 96 | parseInt(argv[8]), // flags 97 | parseInt(argv[9]) // dkLen 98 | ); 99 | break; 100 | 101 | case 'pwxform': 102 | benchmarkPwxform(iteration_count); 103 | break; 104 | 105 | case 'salsa20_8': 106 | benchmarkSalsa20_8(iteration_count); 107 | break; 108 | } 109 | break; 110 | default: 111 | console.log('Bad function.'); 112 | process.exit(1); 113 | } 114 | 115 | process.exit(0); 116 | 117 | function benchmarkYescrypt(iteration_count, N, r, p, t, g, flags, dkLen) { 118 | var start = new Date; 119 | for (var i = 0; i < iteration_count; i++) { 120 | // XXX: at least the password should change in each iteration 121 | yescrypt.calculate("password", "salt", N, r, p, t, g, flags, dkLen); 122 | } 123 | var totalTime = (new Date) - start; 124 | if (totalTime < 1000) { 125 | console.log("Iteration count is too small to be accurate."); 126 | } else { 127 | console.log((iteration_count/totalTime*1000) + " c/s"); 128 | } 129 | } 130 | 131 | function benchmarkPwxform(iteration_count) { 132 | var pwxblock = new Uint32Array(yescrypt.PWXWORDS); 133 | var sbox = new Uint32Array(yescrypt.SWORDS); 134 | 135 | // XXX: make these better 136 | for (var i = 0; i < yescrypt.PWXWORDS; i++) { 137 | pwxblock[i] = i; 138 | } 139 | for (var i = 0; i < yescrypt.SWORDS; i++) { 140 | sbox[i] = i; 141 | } 142 | 143 | sbox_obj = { 144 | S: sbox, 145 | S2: 0, 146 | S1: sbox.length / 3, 147 | S0: (sbox.length / 3) * 2, 148 | w: 0 149 | } 150 | 151 | var start = new Date; 152 | for (var i = 0; i < iteration_count; i++) { 153 | yescrypt.pwxform(pwxblock, sbox_obj); 154 | } 155 | var totalTime = (new Date) - start; 156 | if (totalTime < 1000) { 157 | console.log("Iteration count is too small to be accurate."); 158 | } else { 159 | console.log((iteration_count/totalTime*1000) + " c/s"); 160 | } 161 | } 162 | 163 | function benchmarkSalsa20_8(iteration_count) { 164 | var cell = new Uint32Array(16); 165 | // XXX: make this better 166 | for (var i = 0; i < 16; i++) { 167 | cell[i] = i; 168 | } 169 | 170 | var start = new Date; 171 | for (var i = 0; i < iteration_count; i++) { 172 | yescrypt.salsa20_8(cell); 173 | } 174 | 175 | var totalTime = (new Date) - start; 176 | if (totalTime < 1000) { 177 | console.log("Iteration count is too small to be accurate."); 178 | } else { 179 | console.log((iteration_count/totalTime*1000) + " c/s"); 180 | } 181 | } 182 | 183 | function hexToUint8Array(hex_string) { 184 | 185 | if (hex_string.length % 2 !== 0) { 186 | throw 'Bad hex string length.'; 187 | } 188 | 189 | var bytes = new Uint8Array(hex_string.length / 2); 190 | for (var i = 0; i < hex_string.length; i += 2) { 191 | bytes[i/2] = parseInt(hex_string.substr(i, 2), 16); 192 | } 193 | 194 | return bytes; 195 | } 196 | 197 | function toNodeBuffer(uint8Array) { 198 | var buffer = new Buffer(uint8Array.byteLength); 199 | for (var i = 0; i < uint8Array.length; i++) { 200 | buffer[i] = uint8Array[i]; 201 | } 202 | return buffer; 203 | } 204 | -------------------------------------------------------------------------------- /javascript/yescrypt-simd.m4: -------------------------------------------------------------------------------- 1 | /* 2 | * This file must be loaded *after* yescrypt.js. 3 | * It replaces the implementations salsa20_8 and pwxform with SIMD versions. 4 | */ 5 | 6 | define(`ARX', 7 | acc = SIMD.Int32x4.add($2, $3); 8 | acc = SIMD.Int32x4.xor( 9 | SIMD.Int32x4.shiftLeftByScalar(acc, $4), 10 | SIMD.Int32x4.shiftRightLogicalByScalar(acc, 32-$4) 11 | ); 12 | $1 = SIMD.Int32x4.xor($1, acc); 13 | ) 14 | 15 | define(`TWOROUNDS', 16 | ARX($2, $1, $4, 7) 17 | ARX($3, $2, $1, 9) 18 | ARX($4, $3, $2, 13) 19 | ARX($1, $4, $3, 18) 20 | 21 | $2 = SIMD.Int32x4.swizzle($2, 3, 0, 1, 2); 22 | $3 = SIMD.Int32x4.swizzle($3, 2, 3, 0, 1); 23 | $4 = SIMD.Int32x4.swizzle($4, 1, 2, 3, 0); 24 | 25 | ARX($4, $1, $2, 7) 26 | ARX($3, $4, $1, 9) 27 | ARX($2, $3, $4, 13) 28 | ARX($1, $2, $3, 18) 29 | 30 | $2 = SIMD.Int32x4.swizzle($2, 1, 2, 3, 0); 31 | $3 = SIMD.Int32x4.swizzle($3, 2, 3, 0, 1); 32 | $4 = SIMD.Int32x4.swizzle($4, 3, 0, 1, 2); 33 | ) 34 | 35 | yescrypt.salsa20_8_simd = function (cell) { 36 | var X0 = SIMD.Int32x4.load(cell, 0); 37 | var X1 = SIMD.Int32x4.load(cell, 4); 38 | var X2 = SIMD.Int32x4.load(cell, 8); 39 | var X3 = SIMD.Int32x4.load(cell, 12); 40 | 41 | var OrigX0 = SIMD.Int32x4.load(cell, 0); 42 | var OrigX1 = SIMD.Int32x4.load(cell, 4); 43 | var OrigX2 = SIMD.Int32x4.load(cell, 8); 44 | var OrigX3 = SIMD.Int32x4.load(cell, 12); 45 | 46 | // Assumed by the arx macro. XXX: can't type A R X or it will expand! 47 | var acc; 48 | 49 | TWOROUNDS(X0, X1, X2, X3) 50 | TWOROUNDS(X0, X1, X2, X3) 51 | TWOROUNDS(X0, X1, X2, X3) 52 | TWOROUNDS(X0, X1, X2, X3) 53 | 54 | OrigX0 = SIMD.Int32x4.add(OrigX0, X0); 55 | OrigX1 = SIMD.Int32x4.add(OrigX1, X1); 56 | OrigX2 = SIMD.Int32x4.add(OrigX2, X2); 57 | OrigX3 = SIMD.Int32x4.add(OrigX3, X3); 58 | 59 | SIMD.Int32x4.store(cell, 0, OrigX0); 60 | SIMD.Int32x4.store(cell, 4, OrigX1); 61 | SIMD.Int32x4.store(cell, 8, OrigX2); 62 | SIMD.Int32x4.store(cell, 12, OrigX3); 63 | } 64 | 65 | yescrypt.salsa20_2_simd = function (cell) { 66 | var X0 = SIMD.Int32x4.load(cell, 0); 67 | var X1 = SIMD.Int32x4.load(cell, 4); 68 | var X2 = SIMD.Int32x4.load(cell, 8); 69 | var X3 = SIMD.Int32x4.load(cell, 12); 70 | 71 | var OrigX0 = SIMD.Int32x4.load(cell, 0); 72 | var OrigX1 = SIMD.Int32x4.load(cell, 4); 73 | var OrigX2 = SIMD.Int32x4.load(cell, 8); 74 | var OrigX3 = SIMD.Int32x4.load(cell, 12); 75 | 76 | // Assumed by the arx macro. XXX: can't type A R X or it will expand! 77 | var acc; 78 | 79 | TWOROUNDS(X0, X1, X2, X3) 80 | 81 | OrigX0 = SIMD.Int32x4.add(OrigX0, X0); 82 | OrigX1 = SIMD.Int32x4.add(OrigX1, X1); 83 | OrigX2 = SIMD.Int32x4.add(OrigX2, X2); 84 | OrigX3 = SIMD.Int32x4.add(OrigX3, X3); 85 | 86 | SIMD.Int32x4.store(cell, 0, OrigX0); 87 | SIMD.Int32x4.store(cell, 4, OrigX1); 88 | SIMD.Int32x4.store(cell, 8, OrigX2); 89 | SIMD.Int32x4.store(cell, 12, OrigX3); 90 | } 91 | 92 | yescrypt.pwxform_simd = function (pwxblock, sbox) { 93 | var zero = SIMD.Int32x4(0, 0, 0, 0); 94 | var ones = SIMD.Int32x4(1, 1, 1, 1); 95 | var low_ones = SIMD.Int32x4(1, 0, 1, 0); 96 | // Assumed by The ADD---Int64x2 macro. XXX: figure out how to say the macro's name correctly. 97 | var acc; 98 | 99 | var S0 = sbox.S0; 100 | var S1 = sbox.S1; 101 | var S2 = sbox.S2; 102 | 103 | for (var i = 0; i < this.PWXROUNDS; i++) { 104 | for (var j = 0; j < this.PWXGATHER; j++) { 105 | var x_lo = pwxblock[2 * j * this.PWXSIMPLE]; 106 | var x_hi = pwxblock[2 * j * this.PWXSIMPLE + 1]; 107 | 108 | var p0 = (x_lo & this.SMASK) / (this.PWXSIMPLE * 8); 109 | var p1 = (x_hi & this.SMASK) / (this.PWXSIMPLE * 8); 110 | 111 | var Bj = SIMD.Int32x4.load(pwxblock, 2 * j * this.PWXSIMPLE); 112 | var S1p1 = SIMD.Int32x4.load(sbox.S, S1 + 2 * p1 * this.PWXSIMPLE); 113 | 114 | // MULTIPLY. 115 | var hBj = SIMD.Int32x4.shiftRightLogicalByScalar(Bj, 16); 116 | var lBj = SIMD.Int32x4.and(Bj, SIMD.Int32x4.splat(0xFFFF)); 117 | 118 | var AandB = SIMD.Int32x4.shuffle(lBj, hBj, 0, 4, 1, 5); 119 | var CandD = SIMD.Int32x4.shuffle(lBj, hBj, 2, 6, 3, 7); 120 | 121 | // Compute the products: AlBl, AhBh, BlAh, BhAl 122 | AandB = SIMD.Int32x4.mul( 123 | AandB, 124 | SIMD.Int32x4.swizzle(AandB, 2, 3, 1, 0) 125 | ); 126 | // Compute the products: ClDl, ChDh, ClDh, ChDl 127 | CandD = SIMD.Int32x4.mul( 128 | CandD, 129 | SIMD.Int32x4.swizzle(CandD, 2, 3, 1, 0) 130 | ); 131 | 132 | var AB_hi = (SIMD.Int32x4.extractLane(AandB, 1) >>> 0); 133 | acc = ( 134 | (SIMD.Int32x4.extractLane(AandB, 2) >>> 0) + (SIMD.Int32x4.extractLane(AandB, 3) >>> 0) 135 | ) * 65536 + 136 | (SIMD.Int32x4.extractLane(AandB, 0) >>> 0); 137 | var AB_lo = acc % 4294967296; 138 | AB_hi += Math.floor(acc / 4294967296); 139 | 140 | var CD_hi = (SIMD.Int32x4.extractLane(CandD, 1) >>> 0); 141 | acc = ( 142 | (SIMD.Int32x4.extractLane(CandD, 2) >>> 0) + (SIMD.Int32x4.extractLane(CandD, 3) >>> 0) 143 | ) * 65536 + 144 | (SIMD.Int32x4.extractLane(CandD, 0) >>> 0); 145 | var CD_lo = acc % 4294967296; 146 | CD_hi += Math.floor(acc / 4294967296); 147 | 148 | // ADD. 149 | AB_lo += sbox.S[S0 + 2 * (p0 * this.PWXSIMPLE + 0)]; 150 | var carry = Math.floor(AB_lo / 4294967296); 151 | AB_lo = AB_lo % 4294967296; 152 | AB_hi += sbox.S[S0 + 2 * (p0 * this.PWXSIMPLE + 0) + 1] + carry; 153 | 154 | CD_lo += sbox.S[S0 + 2 * (p0 * this.PWXSIMPLE + 1)]; 155 | var carry = Math.floor(CD_lo / 4294967296); 156 | CD_lo = CD_lo % 4294967296; 157 | CD_hi += sbox.S[S0 + 2 * (p0 * this.PWXSIMPLE + 1) + 1] + carry; 158 | 159 | Bj = SIMD.Int32x4(AB_lo, AB_hi, CD_lo, CD_hi); 160 | 161 | // XOR. 162 | Bj = SIMD.Int32x4.xor(Bj, S1p1); 163 | 164 | // Write back. 165 | SIMD.Int32x4.store(pwxblock, 2 * j * this.PWXSIMPLE, Bj); 166 | 167 | if (i != 0 && i != this.PWXROUNDS - 1) { 168 | // XXX: check this 169 | sbox.S[S2 + 2 * sbox.w] = SIMD.Int32x4.extractLane(Bj, 0); 170 | sbox.S[S2 + 2 * sbox.w + 1] = SIMD.Int32x4.extractLane(Bj, 1); 171 | sbox.w += 1; 172 | sbox.S[S2 + 2 * sbox.w] = SIMD.Int32x4.extractLane(Bj, 2); 173 | sbox.S[S2 + 2 * sbox.w + 1] = SIMD.Int32x4.extractLane(Bj, 3); 174 | sbox.w += 1; 175 | } 176 | } 177 | } 178 | 179 | sbox.S0 = S2; 180 | sbox.S1 = S0; 181 | sbox.S2 = S1; 182 | sbox.w = sbox.w & (this.SMASK / 8); 183 | } 184 | 185 | // XXX: Check if yescrypt.SWIDTH is tunable with our implementation? I think it is. 186 | if (typeof SIMD !== 'undefined' && yescrypt.PWXSIMPLE == 2 && yescrypt.PWXGATHER == 4 && yescrypt.SWIDTH == 8) { 187 | yescrypt.salsa20_8 = yescrypt.salsa20_8_simd; 188 | yescrypt.salsa20_2 = yescrypt.salsa20_2_simd; 189 | // Make sure there's an error if something uses the unoptimized one. 190 | yescrypt.salsa20 = null; 191 | yescrypt.pwxform = yescrypt.pwxform_simd; 192 | yescrypt.using_simd = true; 193 | } 194 | -------------------------------------------------------------------------------- /php/scrypt/scrypt_test.php: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include 5 | 6 | static void analyze(unsigned char *Vc, size_t n) 7 | { 8 | static uint64_t Vmap32[2][0x100000000 / 64]; 9 | static uint64_t Vmap16[4][2][0x10000 / 64]; 10 | static int called; 11 | uint32_t *Vi = (uint32_t *)Vc; 12 | size_t i; 13 | size_t counts[0x100], min, max, diff32[2], diff16[4][2], sum; 14 | 15 | fprintf(stderr, "n = %llu\n", (unsigned long long)n); 16 | 17 | memset(counts, 0, sizeof(counts)); 18 | for (i = 0; i < n; i++) 19 | counts[Vc[i]]++; 20 | min = ~0UL; max = 0; 21 | for (i = 0; i < 0x100; i++) { 22 | if (min > counts[i]) 23 | min = counts[i]; 24 | if (max < counts[i]) 25 | max = counts[i]; 26 | } 27 | fprintf(stderr, "min = %llu max = %llu" 28 | " (min+max)/2 = %.1f (expected %.1f)\n", 29 | (unsigned long long)min, (unsigned long long)max, 30 | (double)(min + max) / 2.0, (double)n / 0x100); 31 | 32 | n /= sizeof(uint32_t); 33 | /* Assume the statics are zero on first call */ 34 | if (called) { 35 | memset(Vmap32, 0, sizeof(Vmap32)); 36 | memset(Vmap16, 0, sizeof(Vmap16)); 37 | } 38 | called = 1; 39 | memset(diff32, 0, sizeof(diff32)); 40 | memset(diff16, 0, sizeof(diff16)); 41 | for (i = 0; i < n; i++) { 42 | uint32_t x = Vi[i]; 43 | uint32_t lo = x & 0xffff; 44 | uint32_t hi = x >> 16; 45 | uint64_t * v = &Vmap32[i & 1][x / 64]; 46 | if (!(*v & ((uint64_t)1 << (x % 64)))) 47 | diff32[i & 1]++; 48 | *v |= (uint64_t)1 << (x % 64); 49 | v = &Vmap16[i & 3][0][lo / 64]; 50 | if (!(*v & ((uint64_t)1 << (lo % 64)))) 51 | diff16[i & 3][0]++; 52 | *v |= (uint64_t)1 << (lo % 64); 53 | v = &Vmap16[i & 3][1][hi / 64]; 54 | if (!(*v & ((uint64_t)1 << (hi % 64)))) 55 | diff16[i & 3][1]++; 56 | *v |= (uint64_t)1 << (hi % 64); 57 | } 58 | sum = 0; 59 | for (i = 0; i < 4; i++) 60 | sum += diff16[i][0] + diff16[i][1]; 61 | fprintf(stderr, 62 | "diff32 = %llu %llu" 63 | " (expected %.1f)\n" 64 | "diff16 = %llu %llu %llu %llu %llu %llu %llu %llu avg = %.1f" 65 | " (expected %.1f)\n", 66 | (unsigned long long)diff32[0], (unsigned long long)diff32[1], 67 | (1ULL<<32) * (1.0 - pow(((1ULL<<32) - 1.0) / (1ULL<<32), n / 2.0)), 68 | (unsigned long long)diff16[0][0], (unsigned long long)diff16[0][1], 69 | (unsigned long long)diff16[1][0], (unsigned long long)diff16[1][1], 70 | (unsigned long long)diff16[2][0], (unsigned long long)diff16[2][1], 71 | (unsigned long long)diff16[3][0], (unsigned long long)diff16[3][1], 72 | sum / 8.0, 73 | 0x10000 * (1.0 - pow((0x10000 - 1.0) / 0x10000, n / 4.0))); 74 | } 75 | 76 | int main(void) 77 | { 78 | static unsigned char V[0x10000000]; 79 | size_t n; 80 | 81 | n = fread(V, 1, sizeof(V), stdin); 82 | if (ferror(stdin)) { 83 | perror("fread"); 84 | return 1; 85 | } 86 | 87 | analyze(V, n); 88 | 89 | return 0; 90 | } 91 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/extra/sim-at-output.txt: -------------------------------------------------------------------------------- 1 | classic 2 | B' = 292735ce775aaef5 3 | t_cost = 2097152 4 | at_cost1 = 1073741824 at_cost2 = 549755813888 at_cost = 550829555712 5 | at_cost1/t = 512 at_cost2/t = 262144 at_cost/t = 262656 6 | total: nhits=663284 (63.26%) mhits=9 7 | 8 | loop1_pow2(N2 = N/1) 9 | loop1: nhits=595349 (56.78%) mhits=10 10 | B' = d9247fb08f9e807c 11 | t_cost = 2097152 12 | at_cost1 = 183251937963 at_cost2 = 549755813888 at_cost = 733007751851 13 | at_cost1/t = 87381 at_cost2/t = 262144 at_cost/t = 349525 14 | total: nhits=882412 (84.15%) mhits=13 15 | 16 | loop1_pow2(N2 = N/3) 17 | loop1: nhits=595349 (56.78%) mhits=10 18 | B' = 89be57ce3a548730 19 | t_cost = 1398101 20 | at_cost1 = 183251937963 at_cost2 = 183251763200 at_cost = 366503701163 21 | at_cost1/t = 131072 at_cost2/t = 131072 at_cost/t = 262144 22 | total: nhits=724167 (69.06%) mhits=11 23 | 24 | loop1_wrap(N2 = N/1) 25 | loop1: nhits=456640 (43.55%) mhits=24 26 | B' = b7283d0ff61c6599 27 | t_cost = 2097152 28 | at_cost1 = 274877644800 at_cost2 = 549755813888 at_cost = 824633458688 29 | at_cost1/t = 131072 at_cost2/t = 262144 at_cost/t = 393216 30 | total: nhits=830413 (79.19%) mhits=24 31 | 32 | loop1_wrap(N2 = N/2) 33 | loop1: nhits=456640 (43.55%) mhits=24 34 | B' = d2070a62b8aaaadd 35 | t_cost = 1572864 36 | at_cost1 = 274877644800 at_cost2 = 274877906944 at_cost = 549755551744 37 | at_cost1/t = 174762 at_cost2/t = 174763 at_cost/t = 349525 38 | total: nhits=689410 (65.75%) mhits=24 39 | 40 | loop1_mod(N2 = N/1) 41 | loop1: nhits=524257 (50.00%) mhits=21 42 | B' = 2365d32db26bfc21 43 | t_cost = 2097152 44 | at_cost1 = 274877644800 at_cost2 = 549755813888 at_cost = 824633458688 45 | at_cost1/t = 131072 at_cost2/t = 262144 at_cost/t = 393216 46 | total: nhits=855632 (81.60%) mhits=22 47 | 48 | loop1_mod(N2 = N/2) 49 | loop1: nhits=524257 (50.00%) mhits=21 50 | B' = 53d65e2fe1ff8ddd 51 | t_cost = 1572864 52 | at_cost1 = 274877644800 at_cost2 = 274877906944 at_cost = 549755551744 53 | at_cost1/t = 174762 at_cost2/t = 174763 at_cost/t = 349525 54 | total: nhits=730298 (69.65%) mhits=22 55 | 56 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/extra/sim-at.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | enum { 7 | N = 0x100000, 8 | B = 0x0b0b0b0b 9 | }; 10 | 11 | static uint32_t t_cost; 12 | static double at_cost1, at_cost2; 13 | static uint32_t hits[N], nhits, mhits; 14 | 15 | static uint64_t V[N]; 16 | 17 | static uint64_t H(uint64_t x) 18 | { 19 | MD5_CTX ctx; 20 | union { 21 | uint64_t i; 22 | unsigned char c[MD5_DIGEST_LENGTH]; 23 | } y; 24 | 25 | t_cost++; 26 | 27 | MD5_Init(&ctx); 28 | MD5_Update(&ctx, &x, sizeof(x)); 29 | MD5_Final(y.c, &ctx); 30 | 31 | return y.i; 32 | } 33 | 34 | static void count_hits(void) 35 | { 36 | uint32_t i; 37 | 38 | nhits = mhits = 0; 39 | for (i = 0; i < N; i++) { 40 | if (hits[i]) 41 | nhits++; 42 | if (hits[i] > mhits) 43 | mhits = hits[i]; 44 | } 45 | } 46 | 47 | static void print_hits(const char *title) 48 | { 49 | printf("%s: nhits=%u (%.2f%%) mhits=%u\n", 50 | title, nhits, 100.0 * nhits / N, mhits); 51 | } 52 | 53 | static void print_costs(uint64_t Bout) 54 | { 55 | printf( 56 | "B' = %16llx\n" 57 | "t_cost = %u\n" 58 | "at_cost1 = %.0f " 59 | "at_cost2 = %.0f " 60 | "at_cost = %.0f\n" 61 | "at_cost1/t = %.0f " 62 | "at_cost2/t = %.0f " 63 | "at_cost/t = %.0f\n", 64 | Bout, 65 | t_cost, at_cost1, at_cost2, at_cost1 + at_cost2, 66 | at_cost1 / t_cost, at_cost2 / t_cost, (at_cost1 + at_cost2) / t_cost); 67 | } 68 | 69 | static void smix_classic(void) 70 | { 71 | uint64_t X = B; 72 | uint32_t i, j; 73 | 74 | puts("classic"); 75 | 76 | t_cost = 0; 77 | 78 | for (i = 0; i < N; i++) { 79 | hits[i] = 0; 80 | 81 | V[i] = X; 82 | X = H(X); 83 | } 84 | 85 | at_cost1 = N * sqrt(N); /* sqrt(N) parallel cores attack with extreme recursion */ 86 | at_cost2 = 0; 87 | 88 | for (i = 0; i < N; i++) { 89 | j = X % N; 90 | X = H(X ^ V[j]); 91 | 92 | hits[j]++; 93 | at_cost2 += N; /* 1 time * N area */ 94 | } 95 | 96 | count_hits(); 97 | 98 | at_cost2 /= 2; /* extreme TMTO */ 99 | 100 | print_costs(X); 101 | print_hits("total"); 102 | puts(""); 103 | } 104 | 105 | static void smix_loop1_pow2(uint32_t N2div) 106 | { 107 | uint64_t X = B; 108 | uint32_t i, j, n, N2; 109 | 110 | printf("loop1_pow2(N2 = N/%u)\n", N2div); 111 | 112 | t_cost = 0; 113 | at_cost1 = at_cost2 = 0; 114 | 115 | n = 1; 116 | for (i = 0; i < N; i++) { 117 | V[i] = X; 118 | 119 | hits[i] = 0; 120 | if (i > 1) { 121 | if ((i & (i - 1)) == 0) 122 | n <<= 1; 123 | j = (X & (n - 1)) + (i - n); 124 | if (j >= i) 125 | fprintf(stderr, "Bad j = %08x\n", j); 126 | hits[j]++; 127 | 128 | X ^= V[j]; 129 | } 130 | 131 | X = H(X); 132 | 133 | at_cost1 += n; /* 1 time * n area */ 134 | } 135 | 136 | count_hits(); 137 | print_hits("loop1"); 138 | 139 | N2 = N / N2div; 140 | for (i = 0; i < N2; i++) { 141 | j = X % N; 142 | X = H(X ^ V[j]); 143 | 144 | hits[j]++; 145 | at_cost2 += N; /* 1 time * N area */ 146 | } 147 | 148 | count_hits(); 149 | 150 | at_cost1 /= 2; /* extreme TMTO, probably impossible */ 151 | at_cost2 /= 2; /* extreme TMTO, probably impossible */ 152 | 153 | print_costs(X); 154 | print_hits("total"); 155 | puts(""); 156 | } 157 | 158 | static uint32_t 159 | wrap(uint64_t x, uint32_t n) 160 | { 161 | uint64_t a = (x + n) & (n - 1); 162 | uint64_t b = x & n; 163 | uint64_t c = (x << 1) & n; 164 | return ((a << 1) + b + c) >> 2; 165 | } 166 | 167 | static void smix_loop1_wrap(uint32_t N2div) 168 | { 169 | uint64_t X = B; 170 | uint32_t i, j, N2; 171 | 172 | printf("loop1_wrap(N2 = N/%u)\n", N2div); 173 | 174 | t_cost = 0; 175 | at_cost1 = at_cost2 = 0; 176 | 177 | for (i = 0; i < N; i++) { 178 | V[i] = X; 179 | 180 | hits[i] = 0; 181 | if (i > 1) { 182 | j = wrap(X, i); 183 | if (j >= i) 184 | fprintf(stderr, "Bad j = %08x\n", j); 185 | hits[j]++; 186 | 187 | X ^= V[j]; 188 | } 189 | 190 | X = H(X); 191 | 192 | at_cost1 += i; /* 1 time * i area (although not all j's in [0,i-1] are possible for a given i) */ 193 | } 194 | 195 | count_hits(); 196 | print_hits("loop1"); 197 | 198 | N2 = N / N2div; 199 | for (i = 0; i < N2; i++) { 200 | j = X % N; 201 | X = H(X ^ V[j]); 202 | 203 | hits[j]++; 204 | at_cost2 += N; /* 1 time * N area */ 205 | } 206 | 207 | count_hits(); 208 | 209 | at_cost1 /= 2; /* extreme TMTO, probably impossible */ 210 | at_cost2 /= 2; /* extreme TMTO, probably impossible */ 211 | 212 | print_costs(X); 213 | print_hits("total"); 214 | puts(""); 215 | } 216 | 217 | static void smix_loop1_mod(uint32_t N2div) 218 | { 219 | uint64_t X = B; 220 | uint32_t i, j, N2; 221 | 222 | printf("loop1_mod(N2 = N/%u)\n", N2div); 223 | 224 | t_cost = 0; 225 | at_cost1 = at_cost2 = 0; 226 | 227 | for (i = 0; i < N; i++) { 228 | V[i] = X; 229 | 230 | hits[i] = 0; 231 | if (i > 1) { 232 | j = X % i; /* drawbacks: depends on chosen size of X (beyond bits in N-1), somewhat slow, not constant time, slightly non-uniform when size of X is not a lot larger than log2(N) */ 233 | if (j >= i) 234 | fprintf(stderr, "Bad j = %08x\n", j); 235 | hits[j]++; 236 | 237 | X ^= V[j]; 238 | } 239 | 240 | X = H(X); 241 | 242 | at_cost1 += i; /* 1 time * i area */ 243 | } 244 | 245 | count_hits(); 246 | print_hits("loop1"); 247 | 248 | N2 = N / N2div; 249 | for (i = 0; i < N2; i++) { 250 | j = X % N; 251 | X = H(X ^ V[j]); 252 | 253 | hits[j]++; 254 | at_cost2 += N; /* 1 time * N area */ 255 | } 256 | 257 | count_hits(); 258 | 259 | at_cost1 /= 2; /* extreme TMTO, probably impossible */ 260 | at_cost2 /= 2; /* extreme TMTO, probably impossible */ 261 | 262 | print_costs(X); 263 | print_hits("total"); 264 | puts(""); 265 | } 266 | 267 | int main(void) 268 | { 269 | smix_classic(); 270 | smix_loop1_pow2(1); 271 | smix_loop1_pow2(3); 272 | smix_loop1_wrap(1); 273 | smix_loop1_wrap(2); 274 | smix_loop1_mod(1); 275 | smix_loop1_mod(2); 276 | return 0; 277 | } 278 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/extra/sim-bmpwx.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc, char **argv) 5 | { 6 | unsigned int r, g, s; 7 | unsigned int r1, i; 8 | 9 | if (argc < 4) { 10 | printf("Usage: %s r PWXgather PWXsimple\n", argv[0]); 11 | return 1; 12 | } 13 | 14 | r = atoi(argv[1]); 15 | g = atoi(argv[2]); 16 | s = atoi(argv[3]); 17 | 18 | printf("g * s * 8 = %u\n", g * s * 8); 19 | printf("rmin = %u\n", (g * s + 127) / 128); 20 | 21 | r1 = 128 * r / (g * s * 8); 22 | printf("r1 = %u\n", r1); 23 | 24 | if (r1 > 1) 25 | printf("X = B'_%u\n", r1 - 1); 26 | else 27 | printf("X = (0, ..., 0)\n"); 28 | 29 | for (i = 0; i < r1; i++) 30 | printf("B'_%u = X = pwxform(X ^ B'_%u)\n", i, i); 31 | 32 | i = (r1 - 1) * g * s / 8; 33 | printf("B_%u = H(B_%u)\n", i, i); 34 | 35 | for (i = i + 1; i < 2 * r; i++) 36 | printf("B_%u = H(B_%u ^ B_%u)\n", i, i, i - 1); 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/extra/sim-normat.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define N_test 1 4 | 5 | /* 6 | * Assume that only random accesses count towards AT, whereas the sequential 7 | * writes (and possible read-backs) have zero cost (e.g., through use of 8 | * external memory that is so cheap its cost is negligible compared to that of 9 | * our fast RAM, or in the case of TMTO-friendly classic scrypt through the 10 | * sqrt(N) cores attack). 11 | */ 12 | static double smix1_at(int mode, double N) 13 | { 14 | switch (mode) { 15 | case 1: 16 | return N * N / 3.0; 17 | case 2: 18 | return N * N / 2.0; 19 | } 20 | return 0; 21 | } 22 | 23 | static void print_table(int mode, int steps, double step) 24 | { 25 | int i; 26 | double N = N_test; 27 | double t_norm = 2 * N; /* normalize relative to classic scrypt */ 28 | double base_at = smix1_at(mode, N); 29 | char *mode_name = "scrypt assuming TMTO is not exploited in 2nd loop"; 30 | 31 | switch (mode) { 32 | case 1: 33 | mode_name = "pow2"; 34 | break; 35 | case 2: 36 | mode_name = "wrap or mod"; 37 | break; 38 | case 3: 39 | mode_name = "scrypt assuming TMTO is fully exploited"; 40 | } 41 | 42 | #if N_test > 1 43 | printf("%s\ntrel\tt\tAT\tAT/t\tATnorm\n", mode_name); 44 | #else 45 | printf("%s\nt\tAT\tAT/t\tATnorm\n", mode_name); 46 | #endif 47 | 48 | for (i = 0; i < steps; i++) { 49 | double t2rel = i * step; 50 | double t2 = t2rel * N; 51 | double t = N + t2; 52 | double at = base_at + t2 * N / (mode == 3 ? 2.0 : 1.0); 53 | double at_per_time = at / t; 54 | double N_norm = N * t_norm / t; 55 | double t2_norm = t2rel * N_norm; 56 | double base_at_norm = smix1_at(mode, N_norm); 57 | double at_norm = base_at_norm + t2_norm * N_norm; 58 | 59 | #if N_test > 1 60 | printf("%.2f\t%.2f\t%.3f\t%.3f\t%.3f\n", 61 | 1 + t2rel, t, at, at_per_time, at_norm); 62 | #else 63 | printf("%.2f\t%.2f\t%.3f\t%.3f\n", 64 | t, at, at_per_time, at_norm); 65 | #endif 66 | } 67 | } 68 | 69 | int main(void) 70 | { 71 | print_table(0, 111, 0.01); 72 | print_table(1, 111, 0.01); 73 | print_table(2, 111, 0.01); 74 | print_table(3, 111, 0.01); 75 | return 0; 76 | } 77 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/extra/sim-tmto-output.txt: -------------------------------------------------------------------------------- 1 | scrypt classic: 2 | B' = 8c126669 3 | t_cost = 512 4 | m_cost = 256 5 | scrypt TMTO = 5: 6 | B' = 8c126669 7 | t_cost = 1010 8 | m_cost = 52 9 | scrypt ircmaxell: 10 | B' = 24efce90 11 | t_cost = 512 12 | m_cost = 256 13 | scrypt ircmaxell TMTO1 = 5, TMTO2 = 2: 14 | B' = 24efce90 15 | t_cost = 978 16 | m_cost = 180 elements + 256 indices (363 alloc + 256 ptrs) + 512 counters 17 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/extra/sim-tmto.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | enum { 6 | N = 0x100, 7 | B = 0x0b0b0b0b, 8 | TMTO = 5 9 | }; 10 | 11 | static uint32_t t_cost; 12 | static uint32_t V[N]; 13 | 14 | static uint32_t H(uint32_t x) 15 | { 16 | MD5_CTX ctx; 17 | union { 18 | uint32_t i; 19 | unsigned char c[MD5_DIGEST_LENGTH]; 20 | } y; 21 | 22 | t_cost++; 23 | 24 | MD5_Init(&ctx); 25 | MD5_Update(&ctx, &x, sizeof(x)); 26 | MD5_Final(y.c, &ctx); 27 | 28 | return y.i; 29 | } 30 | 31 | static void smix_classic(void) 32 | { 33 | uint32_t X = B; 34 | uint32_t i, j; 35 | 36 | t_cost = 0; 37 | 38 | for (i = 0; i < N; i++) { 39 | V[i] = X; 40 | X = H(X); 41 | } 42 | 43 | for (i = 0; i < N; i++) { 44 | j = X % N; 45 | X = H(X ^ V[j]); 46 | } 47 | 48 | printf( 49 | "scrypt classic:\n" 50 | "B' = %08x\n" 51 | "t_cost = %u\n" 52 | "m_cost = %u\n", 53 | X, t_cost, N); 54 | } 55 | 56 | static void smix_classic_tmto(void) 57 | { 58 | uint32_t X = B; 59 | uint32_t i, j; 60 | 61 | t_cost = 0; 62 | 63 | for (i = 0; i < N; i++) { 64 | if ((i % TMTO) == 0) 65 | V[i / TMTO] = X; 66 | X = H(X); 67 | } 68 | 69 | for (i = 0; i < N; i++) { 70 | uint32_t Vj; 71 | j = X % N; 72 | Vj = V[j / TMTO]; 73 | j %= TMTO; 74 | while (j--) 75 | Vj = H(Vj); 76 | X = H(X ^ Vj); 77 | } 78 | 79 | printf( 80 | "scrypt TMTO = %u:\n" 81 | "B' = %08x\n" 82 | "t_cost = %u\n" 83 | "m_cost = %u\n", 84 | TMTO, X, t_cost, 1 + (N - 1) / TMTO); 85 | } 86 | 87 | static void smix_ircmaxell(void) 88 | { 89 | uint32_t X = B; 90 | uint32_t i, j; 91 | 92 | t_cost = 0; 93 | 94 | for (i = 0; i < N; i++) { 95 | V[i] = X; 96 | X = H(X); 97 | } 98 | 99 | for (i = 0; i < N; i++) { 100 | j = X % N; 101 | X = H(V[j] ^= X); 102 | } 103 | 104 | printf( 105 | "scrypt ircmaxell:\n" 106 | "B' = %08x\n" 107 | "t_cost = %u\n" 108 | "m_cost = %u\n", 109 | X, t_cost, N); 110 | } 111 | 112 | static void smix_ircmaxell_tmto(void) 113 | { 114 | uint32_t V2[(N - 1) / 2 + 1]; 115 | uint32_t patharea[N*N], *pathend; 116 | uint32_t *path[N], pathlen[N], pathleni[N]; 117 | 118 | uint32_t getVrec(uint32_t i, uint32_t j) 119 | { 120 | uint32_t xor = 0; 121 | 122 | while (1) { 123 | if (~i & 1) 124 | return xor ^ V2[i / 2]; 125 | 126 | uint32_t Y = H(V2[i / 2]); 127 | uint32_t jj = Y % N; 128 | uint32_t pl = pathleni[i]; 129 | if (pl == 0) { 130 | uint32_t X = V[j / TMTO]; 131 | j %= TMTO; 132 | while (j--) 133 | X = H(X); 134 | return xor ^ X ^ Y; 135 | } 136 | i = path[j][pl - 1]; 137 | j = jj; 138 | xor ^= Y; 139 | } 140 | } 141 | 142 | uint32_t getV(uint32_t i, uint32_t j) 143 | { 144 | if (pathlen[j] != 0) 145 | return getVrec(path[j][pathlen[j] - 1], j); 146 | 147 | uint32_t X; 148 | X = V[j / TMTO]; 149 | j %= TMTO; 150 | while (j--) 151 | X = H(X); 152 | return X; 153 | } 154 | 155 | uint32_t X = B; 156 | uint32_t i, j; 157 | 158 | t_cost = 0; 159 | 160 | for (i = 0; i < N; i++) { 161 | if ((i % TMTO) == 0) 162 | V[i / TMTO] = X; 163 | X = H(X); 164 | pathlen[i] = 0; /* obvious path, nothing to record yet */ 165 | } 166 | 167 | for (i = 0; i < N; i++) { 168 | path[i] = &patharea[i]; 169 | patharea[i] = 0xffffffff; 170 | } 171 | pathend = &patharea[i]; 172 | 173 | for (i = 0; i < N; i++) { 174 | j = X % N; 175 | X ^= getV(i, j); 176 | if (~i & 1) 177 | V2[i / 2] = X; 178 | pathleni[i] = pathlen[j]; 179 | if (path[j][pathlen[j]] != 0xffffffff) { 180 | uint32_t *p = path[j]; 181 | uint32_t *q = &path[j][pathlen[j]]; 182 | path[j] = pathend; 183 | while (p < q) { 184 | *pathend++ = *p; 185 | *p++ = 0xffffffff; 186 | } 187 | pathend++; 188 | } 189 | path[j][pathlen[j]++] = i; 190 | X = H(X); 191 | } 192 | 193 | printf( 194 | "scrypt ircmaxell TMTO1 = %u, TMTO2 = 2:\n" 195 | "B' = %08x\n" 196 | "t_cost = %u\n" 197 | "m_cost = %u elements + %u indices " 198 | "(%u alloc + %u ptrs) + %u counters\n", 199 | TMTO, X, t_cost, 200 | 1 + (N - 1) / TMTO + sizeof(V2) / sizeof(V2[0]), N, 201 | pathend - patharea, N, N * 2); 202 | } 203 | 204 | int main(void) 205 | { 206 | smix_classic(); 207 | smix_classic_tmto(); 208 | smix_ircmaxell(); 209 | smix_ircmaxell_tmto(); 210 | return 0; 211 | } 212 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/extra/sim-up-output.txt: -------------------------------------------------------------------------------- 1 | Granularity 1 2 | Up # t N AT AT % 3 | 0 1 1 1 100.00% 4 | 1 2 1 2 50.00% 5 | 2 4 2 6 37.50% 6 | 3 8 4 22 34.38% 7 | 4 16 8 86 33.59% 8 | 5 32 16 342 33.40% 9 | Granularity 2 10 | Up # t N AT AT % 11 | 0 1 1 1 100.00% 12 | 1 3 2 5 55.56% 13 | 2 7 4 21 42.86% 14 | 3 15 8 85 37.78% 15 | 4 31 16 341 35.48% 16 | 5 63 32 1365 34.39% 17 | Granularity 4 18 | Up # t N AT AT % 19 | 0 1 1 1 100.00% 20 | 1 5 4 17 68.00% 21 | 2 21 16 273 61.90% 22 | 3 85 64 4369 60.47% 23 | 4 341 256 69905 60.12% 24 | 5 1365 1024 1118481 60.03% 25 | Granularity 8 26 | Up # t N AT AT % 27 | 0 1 1 1 100.00% 28 | 1 9 8 65 80.25% 29 | 2 73 64 4161 78.08% 30 | 3 585 512 266305 77.82% 31 | 4 4681 4096 17043521 77.78% 32 | 5 37449 32768 1090785345 77.78% 33 | Granularity 16 34 | Up # t N AT AT % 35 | 0 1 1 1 100.00% 36 | 1 17 16 257 88.93% 37 | 2 273 256 65793 88.28% 38 | 3 4369 4096 16843009 88.24% 39 | 4 69905 65536 4311810305 88.24% 40 | 5 1118481 1048576 1103823438081 88.24% 41 | Granularity 32 42 | Up # t N AT AT % 43 | 0 1 1 1 100.00% 44 | 1 33 32 1025 94.12% 45 | 2 1057 1024 1049601 93.95% 46 | 3 33825 32768 1074791425 93.94% 47 | 4 1082401 1048576 1100586419201 93.94% 48 | 5 34636833 33554432 1127000493261825 93.94% 49 | Granularity 64 50 | Up # t N AT AT % 51 | 0 1 1 1 100.00% 52 | 1 65 64 4097 96.97% 53 | 2 4161 4096 16781313 96.92% 54 | 3 266305 262144 68736258049 96.92% 55 | 4 17043521 16777216 281543712968705 96.92% 56 | 5 1090785345 1073741824 1153203048319815681 96.92% 57 | Granularity 128 58 | Up # t N AT AT % 59 | 0 1 1 1 100.00% 60 | 1 129 128 16385 98.46% 61 | 2 16513 16384 268451841 98.45% 62 | 3 2113665 2097152 4398314962945 98.45% 63 | 4 270549121 268435456 72061992352890881 98.45% 64 | Granularity 256 65 | Up # t N AT AT % 66 | 0 1 1 1 100.00% 67 | 1 257 256 65537 99.22% 68 | 2 65793 65536 4295032833 99.22% 69 | 3 16843009 16777216 281479271743489 99.22% 70 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/extra/sim-up.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #define N0 1 5 | 6 | static void upgrades(unsigned int step) 7 | { 8 | uint32_t g; 9 | uint64_t N, t, at; 10 | 11 | printf("Granularity %u\nUp #\tt\tN\tAT\tAT %%\n", step); 12 | 13 | N = N0; 14 | t = at = 0; 15 | for (g = 0; g < 6; g++) { 16 | t += N; 17 | at += N * N; 18 | if (N * N / N != N || at < N * N) 19 | break; 20 | printf("%u\t%llu\t%llu\t%llu\t%.2f%%\n", 21 | g, (unsigned long long)t, (unsigned long long)N, 22 | (unsigned long long)at, at * 100.0 / ((double)t * t)); 23 | if (step > 1) 24 | N *= step; 25 | else 26 | N = t; 27 | } 28 | } 29 | 30 | int main(void) 31 | { 32 | unsigned int i; 33 | 34 | for (i = 1; i <= 0x100; i <<= 1) 35 | upgrades(i); 36 | 37 | return 0; 38 | } 39 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/extra/style.latex: -------------------------------------------------------------------------------- 1 | %\setlength{\parskip}{\baselineskip} 2 | \setlength{\parskip}{5pt} 3 | \setlength{\parindent}{0mm} 4 | \sloppy 5 | \usepackage[a4paper,inner=25mm,outer=25mm,top=35mm,bottom=35mm]{geometry} 6 | \usepackage{amsmath} 7 | \newcommand*\xor{\oplus} 8 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1-original/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2013,2014 Alexander Peslyak 2 | # All rights reserved. 3 | # 4 | # Redistribution and use in source and binary forms, with or without 5 | # modification, are permitted. 6 | # 7 | # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 8 | # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 10 | # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 11 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 12 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 13 | # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 14 | # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 15 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 16 | # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 17 | # SUCH DAMAGE. 18 | 19 | CC = gcc 20 | LD = $(CC) 21 | RM = rm -f 22 | OMPFLAGS = -fopenmp 23 | OMPFLAGS_MAYBE = $(OMPFLAGS) 24 | CFLAGS = -Wall -march=native -O2 -funroll-loops -fomit-frame-pointer $(OMPFLAGS_MAYBE) 25 | #CFLAGS = -Wall -march=native -O2 -fomit-frame-pointer $(OMPFLAGS_MAYBE) 26 | #CFLAGS = -Wall -O2 -fomit-frame-pointer $(OMPFLAGS_MAYBE) 27 | LDFLAGS = -s $(OMPFLAGS_MAYBE) 28 | 29 | PROJ = tests phc-test initrom userom 30 | OBJS_CORE = yescrypt-best.o 31 | OBJS_TESTS = $(OBJS_CORE) yescrypt-common.o sha256.o tests.o 32 | OBJS_PHC = $(OBJS_CORE) yescrypt-common.o sha256.o phc-test.o 33 | OBJS_INITROM = $(OBJS_CORE) yescrypt-common.o sha256.o initrom.o 34 | OBJS_USEROM = $(OBJS_CORE) yescrypt-common.o sha256.o userom.o 35 | OBJS_RM = yescrypt-*.o 36 | 37 | all: $(PROJ) 38 | 39 | check: tests phc-test 40 | @echo 'Running main tests' 41 | @time ./tests | tee TESTS-OUT 42 | @diff -U0 TESTS-OK TESTS-OUT && echo PASSED || echo FAILED 43 | @if [ -e PHC-TEST-OK ]; then \ 44 | echo 'Running PHC tests'; \ 45 | time ./phc-test > PHC-TEST-OUT; \ 46 | cmp PHC-TEST-OK PHC-TEST-OUT && echo PASSED || echo FAILED; \ 47 | fi 48 | 49 | ref: 50 | $(MAKE) $(PROJ) OBJS_CORE=yescrypt-ref.o 51 | 52 | check-ref: 53 | $(MAKE) check OBJS_CORE=yescrypt-ref.o 54 | 55 | opt: 56 | $(MAKE) $(PROJ) OBJS_CORE=yescrypt-opt.o 57 | 58 | check-opt: 59 | $(MAKE) check OBJS_CORE=yescrypt-opt.o 60 | 61 | tests: $(OBJS_TESTS) 62 | $(LD) $(LDFLAGS) $(OBJS_TESTS) -o $@ 63 | 64 | phc-test.o: phc.c 65 | $(CC) -c $(CFLAGS) -DTEST phc.c -o $@ 66 | 67 | phc-test: $(OBJS_PHC) 68 | $(LD) $(LDFLAGS) $(OBJS_PHC) -o $@ 69 | 70 | initrom: $(OBJS_INITROM) 71 | $(LD) $(LDFLAGS) $(OBJS_INITROM) -o $@ 72 | 73 | userom: $(OBJS_USEROM) 74 | $(LD) $(LDFLAGS) $(OMPFLAGS) $(OBJS_USEROM) -o $@ 75 | 76 | userom.o: userom.c 77 | $(CC) -c $(CFLAGS) $(OMPFLAGS) $*.c 78 | 79 | .c.o: 80 | $(CC) -c $(CFLAGS) $*.c 81 | 82 | yescrypt-best.o: yescrypt-platform.c yescrypt-simd.c yescrypt-opt.c 83 | yescrypt-simd.o: yescrypt-platform.c 84 | yescrypt-opt.o: yescrypt-platform.c 85 | 86 | clean: 87 | $(RM) $(PROJ) 88 | $(RM) $(OBJS_TESTS) $(OBJS_PHC) $(OBJS_INITROM) $(OBJS_USEROM) 89 | $(RM) $(OBJS_RM) 90 | $(RM) TESTS-OUT PHC-TEST-OUT 91 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1-original/PERFORMANCE-default: -------------------------------------------------------------------------------- 1 | The benchmarks below correspond to an older revision of yescrypt. They 2 | were not re-run for the most recent revision. However, similar results 3 | are expected for the current revision for t=2, and ~40% faster for t=0. 4 | 5 | Core i7-4770K 3.5 GHz + turbo (up to 3.7 GHz with all cores in use, 6 | 3.9 GHz with one core in use), HT is enabled (giving 8 logical CPUs), 7 | 32 GiB RAM (4x DDR3-1600, but the CPU has only 2 memory channels). 8 | The OS is Ubuntu 12.04.2. 9 | 10 | First, we need to configure the Linux system, as root. Grant our user 11 | account's group the privilege to access "huge pages" (2 MiB as opposed 12 | to x86's default 4 KiB pages): 13 | 14 | # sysctl -w vm.hugetlb_shm_group=1000 15 | 16 | (You may need to replace the "1000" with your user account's actual 17 | group id.) 18 | 19 | Let processes allocate up to 3 GiB in shared memory segments: 20 | 21 | # sysctl -w kernel.shmmax=3221225472 22 | 23 | Preallocate this much memory and 200 MiB more (to be potentially used 24 | for threads' "RAM" lookup tables) into 2 MiB pages (this will only work 25 | when there's a sufficiently large non-fragmented memory region, so is 26 | normally to be performed right upon system bootup): 27 | 28 | # sysctl -w vm.nr_hugepages=1636 29 | 30 | Now initialization of the ROM is possible: 31 | 32 | $ time ./initrom 33 | r=6 N=2^12 NROM=2^22 34 | Will use 3145728.00 KiB ROM 35 | 3072.00 KiB RAM 36 | Initializing ROM ... DONE (7b90baf9) 37 | '$7X3$A4..../....WZaPV7LSUEKMo34.$5s4cetx5p9HNpa4x3I10oHYf6tkoHgIiQJShvobQKB2' 38 | 39 | real 0m2.017s 40 | user 0m14.957s 41 | sys 0m1.000s 42 | 43 | This took 2 seconds, and now we're able to quickly hash passwords from 44 | another process (this may be the authentication service): 45 | 46 | $ ./userom 47 | r=6 N=2^12 NROM=2^22 48 | Will use 3145728.00 KiB ROM 49 | 3072.00 KiB RAM 50 | ROM access frequency mask: 0x1 51 | '$7X3$A4..../....WZaPV7LSUEKMo34.$5s4cetx5p9HNpa4x3I10oHYf6tkoHgIiQJShvobQKB2' 52 | Benchmarking 1 thread ... 53 | 354 c/s real, 357 c/s virtual (511 hashes in 1.44 seconds) 54 | Benchmarking 8 threads ... 55 | 1344 c/s real, 167 c/s virtual (1533 hashes in 1.14 seconds) 56 | 57 | Cleanup (remove the SysV shared memory segment holding the ROM and free 58 | up the preallocated 2 MiB pages): 59 | 60 | $ ipcrm -M 0x524f4d0a 61 | 62 | # sysctl -w vm.nr_hugepages=0 63 | 64 | Without explicit use of 2 MiB pages (that is, more likely with 4 KiB 65 | pages), the test programs above run fine as well, and actually this time 66 | they're almost as fast, although in some other cases we've observed much 67 | more of a difference (see PERFORMANCE-scaling-up). 68 | 69 | Here are the timings without explicit 2 MiB pages: 70 | 71 | $ time ./initrom 72 | r=6 N=2^12 NROM=2^22 73 | Will use 3145728.00 KiB ROM 74 | 3072.00 KiB RAM 75 | shmget: Cannot allocate memory 76 | Retrying without SHM_HUGETLB 77 | Initializing ROM ... DONE (7b90baf9) 78 | '$7X3$A4..../....WZaPV7LSUEKMo34.$5s4cetx5p9HNpa4x3I10oHYf6tkoHgIiQJShvobQKB2' 79 | 80 | real 0m2.048s 81 | user 0m14.629s 82 | sys 0m1.204s 83 | 84 | $ ./userom 85 | r=6 N=2^12 NROM=2^22 86 | Will use 3145728.00 KiB ROM 87 | 3072.00 KiB RAM 88 | ROM access frequency mask: 0x1 89 | '$7X3$A4..../....WZaPV7LSUEKMo34.$5s4cetx5p9HNpa4x3I10oHYf6tkoHgIiQJShvobQKB2' 90 | Benchmarking 1 thread ... 91 | 191 c/s real, 193 c/s virtual (255 hashes in 1.33 seconds) 92 | Benchmarking 8 threads ... 93 | 1332 c/s real, 167 c/s virtual (1785 hashes in 1.34 seconds) 94 | 95 | It might be possible to improve the single-thread speed seen here by 96 | including some warm-up in the program. Anyhow, the multi-threaded 97 | throughput is more relevant. 98 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1-original/PERFORMANCE-scaling-down: -------------------------------------------------------------------------------- 1 | The benchmarks below correspond to an older revision of yescrypt. They 2 | were not re-run for the most recent revision. However, similar results 3 | are expected for the current revision for t=2, and ~40% faster for t=0. 4 | 5 | Dual Pentium 3, 1 GHz (an IBM workstation circa year 2000), running 6 | current Openwall GNU/*/Linux. ROM size scaled down to 112 MiB: 7 | 8 | First, we need to configure the Linux system, as root. 9 | 10 | Let processes allocate up to 112 MiB in shared memory segments: 11 | 12 | # sysctl -w kernel.shmmax=117440512 13 | 14 | Now initialization of the ROM is possible: 15 | 16 | $ time ./initrom 17 | r=7 N=2^11 NROM=2^17 18 | Will use 114688.00 KiB ROM 19 | 1792.00 KiB RAM 20 | shmget: Function not implemented 21 | Retrying without SHM_HUGETLB 22 | Initializing ROM ... DONE (0592b260) 23 | '$7X3$95..../....WZaPV7LSUEKMo34.$tWYLFCyQajL/uPib1HOiYrvEgz8HKPApUoMj4S6J.69' 24 | 25 | real 0m4.485s 26 | user 0m7.968s 27 | sys 0m0.504s 28 | 29 | This took under 5 seconds, and now we're able to (relatively) quickly 30 | hash passwords from another process: 31 | 32 | $ ./userom 33 | r=7 N=2^11 NROM=2^17 34 | Will use 114688.00 KiB ROM 35 | 1792.00 KiB RAM 36 | ROM access frequency mask: 0x1 37 | '$7X3$95..../....WZaPV7LSUEKMo34.$tWYLFCyQajL/uPib1HOiYrvEgz8HKPApUoMj4S6J.69' 38 | Benchmarking 1 thread ... 39 | 9 c/s real, 9 c/s virtual (15 hashes in 1.53 seconds) 40 | Benchmarking 2 threads ... 41 | 19 c/s real, 10 c/s virtual (45 hashes in 2.29 seconds) 42 | 43 | Scaling down of the RAM portion to achieve higher c/s rates as if we were 44 | going to use this Pentium 3 machine for an auth server (not recommended): 45 | 46 | $ ./userom 47 | r=7 N=2^7 NROM=2^17 48 | Will use 114688.00 KiB ROM 49 | 112.00 KiB RAM 50 | ROM access frequency mask: 0x1 51 | '$7X3$55..../....WZaPV7LSUEKMo34.$tioZe3w2turVdlZJOYE.TcxqF6a73TyPj227N/p6400' 52 | Benchmarking 1 thread ... 53 | 166 c/s real, 167 c/s virtual (255 hashes in 1.53 seconds) 54 | Benchmarking 2 threads ... 55 | 324 c/s real, 168 c/s virtual (765 hashes in 2.36 seconds) 56 | 57 | These speeds are comparable to optimized bcrypt code at the $2a$05 cost 58 | setting running on the same machine. 59 | 60 | Cleanup (remove the SysV shared memory segment holding the ROM): 61 | 62 | $ ipcrm -M 0x524f4d0a 63 | 64 | Without the ROM: 65 | 66 | $ ./userom 0 67 | r=8 N=2^7 NROM=2^0 68 | Will use 0.00 KiB ROM 69 | 128.00 KiB RAM 70 | '$7X3$56..../....WZaPV7LSUEKMo34.$aASx8ttzWhTYanMam7D7T4Gnqt8gtguH1lEdUN4Sj5/' 71 | Benchmarking 1 thread ... 72 | 166 c/s real, 166 c/s virtual (255 hashes in 1.53 seconds) 73 | Benchmarking 2 threads ... 74 | 331 c/s real, 168 c/s virtual (765 hashes in 2.31 seconds) 75 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1-original/PERFORMANCE-scaling-up: -------------------------------------------------------------------------------- 1 | The benchmarks below correspond to an older revision of yescrypt. They 2 | were not re-run for the most recent revision. However, similar results 3 | are expected for the current revision for t=2, and ~40% faster for t=0. 4 | 5 | Dual Xeon E5-2670 2.6 GHz + turbo (up to 3.0 GHz with all cores in use, 6 | 3.3 GHz with few cores in use), 128 GiB RAM (8x DDR3-1600 ECC Reg). 7 | These CPUs have 8 cores and 4 memory channels each, for a total of 16 8 | physical cores, 32 logical CPUs (HT is enabled), and 8 memory channels. 9 | The OS is Scientific Linux 6.4 (same as RHEL 6.4). 10 | 11 | First, we need to configure the Linux system, as root. Grant our user 12 | account's group the privilege to access "huge pages" (2 MiB as opposed 13 | to x86's default 4 KiB pages): 14 | 15 | # sysctl -w vm.hugetlb_shm_group=1000 16 | 17 | (You may need to replace the "1000" with your user account's actual 18 | group id.) 19 | 20 | Let processes allocate up to 112 GiB in shared memory segments: 21 | 22 | # sysctl -w kernel.shmmax=120259084288 23 | 24 | Preallocate this much memory and 200 MiB more (to be potentially used 25 | for threads' "RAM" lookup tables) into 2 MiB pages (this will only work 26 | when there's a sufficiently large non-fragmented memory region, so is 27 | normally to be performed right upon system bootup): 28 | 29 | # sysctl -w vm.nr_hugepages=57444 30 | 31 | Now initialization of the ROM is possible: 32 | 33 | $ export GOMP_CPU_AFFINITY=0-31 34 | $ time ./initrom 112 1 35 | r=7 N=2^11 NROM=2^27 36 | Will use 117440512.00 KiB ROM 37 | 1792.00 KiB RAM 38 | Initializing ROM ... DONE (0e644812) 39 | '$7X3$95..../....WZaPV7LSUEKMo34.$UJxyIFR5NmT8WJ3ibOuVSAB3iQ/2IkruLUWTThZ/BN6' 40 | 41 | real 0m41.881s 42 | user 11m14.147s 43 | sys 0m38.607s 44 | 45 | This took under 1 minute, and now we're able to quickly hash passwords 46 | from another process (this may be the authentication service): 47 | 48 | $ ./userom 112 1 49 | r=7 N=2^11 NROM=2^27 50 | Will use 117440512.00 KiB ROM 51 | 1792.00 KiB RAM 52 | ROM access frequency mask: 0x1 53 | '$7X3$95..../....WZaPV7LSUEKMo34.$UJxyIFR5NmT8WJ3ibOuVSAB3iQ/2IkruLUWTThZ/BN6' 54 | Benchmarking 1 thread ... 55 | 408 c/s real, 412 c/s virtual (511 hashes in 1.25 seconds) 56 | Benchmarking 32 threads ... 57 | 7589 c/s real, 236 c/s virtual (7665 hashes in 1.01 seconds) 58 | 59 | This is 48.7 GB/s: 60 | 61 | 1792 KiB * 3.5 reads&writes * 7589 c/s * 1024/1000 = 48740565 KB/s 62 | 63 | When not using a ROM, the speed improves to: 64 | 65 | $ ./userom 0 2 66 | r=8 N=2^11 NROM=2^0 67 | Will use 0.00 KiB ROM 68 | 2048.00 KiB RAM 69 | '$7X3$96..../....WZaPV7LSUEKMo34.$yiVEyLf68agsa3VGSX7LClYXak8P/AQAoswcRRHBRt2' 70 | Benchmarking 1 thread ... 71 | 440 c/s real, 444 c/s virtual (511 hashes in 1.16 seconds) 72 | Benchmarking 32 threads ... 73 | 8207 c/s real, 257 c/s virtual (15841 hashes in 1.93 seconds) 74 | 75 | This is 60.2 GB/s: 76 | 77 | 1792 KiB * 4 reads&writes * 8207 c/s * 1024/1000 = 60239643 KB/s 78 | 79 | In both cases, we're not counting accesses that are expected to hit L1 80 | or L2 cache, which there are many of. We're, however, counting 81 | accesses that may be hitting L3 cache. 82 | 83 | The theoretical peak RAM access speed for this machine is: 84 | 85 | 1600 MT/s * 8 channels * 8 bytes = 102.4 GB/s 86 | 87 | (This speed is never reached in practice, not even in RAM benchmarks not 88 | involving any computation. On this machine, synthetic RAM benchmarks 89 | reach about 85 GB/s.) 90 | 91 | By the way, here's what our SysV shared memory segment looks like: 92 | 93 | $ ipcs 94 | 95 | ------ Shared Memory Segments -------- 96 | key shmid owner perms bytes nattch status 97 | 0x524f4d0a 360448 solar 640 120259084288 0 98 | 99 | The 120+ GB size corresponds to 112 GiB. 100 | 101 | Cleanup (remove the SysV shared memory segment holding the ROM and free 102 | up the preallocated 2 MiB pages): 103 | 104 | $ ipcrm -M 0x524f4d0a 105 | 106 | # sysctl -w vm.nr_hugepages=0 107 | 108 | Without explicit use of 2 MiB pages (that is, most likely with 4 KiB 109 | pages), the test programs above run fine as well, but slower, presumably 110 | mostly because of cache thrashing with page tables. ROM initialization 111 | time is about as good: 112 | 113 | $ time ./initrom 112 1 114 | r=7 N=2^11 NROM=2^27 115 | Will use 117440512.00 KiB ROM 116 | 1792.00 KiB RAM 117 | shmget: Cannot allocate memory 118 | Retrying without SHM_HUGETLB 119 | Initializing ROM ... DONE (0e644812) 120 | '$7X3$95..../....WZaPV7LSUEKMo34.$UJxyIFR5NmT8WJ3ibOuVSAB3iQ/2IkruLUWTThZ/BN6' 121 | 122 | real 0m42.141s 123 | user 12m17.489s 124 | sys 8m33.598s 125 | 126 | However, password hashing speed while using that ROM on small pages is 127 | impacted badly: 128 | 129 | $ ./userom 112 1 130 | r=7 N=2^11 NROM=2^27 131 | Will use 117440512.00 KiB ROM 132 | 1792.00 KiB RAM 133 | ROM access frequency mask: 0x1 134 | '$7X3$95..../....WZaPV7LSUEKMo34.$UJxyIFR5NmT8WJ3ibOuVSAB3iQ/2IkruLUWTThZ/BN6' 135 | Benchmarking 1 thread ... 136 | 157 c/s real, 158 c/s virtual (255 hashes in 1.62 seconds) 137 | Benchmarking 32 threads ... 138 | 1733 c/s real, 54 c/s virtual (1785 hashes in 1.03 seconds) 139 | 140 | Thus, at these ROM sizes the use of "huge pages" is a must - otherwise 141 | we're giving attackers (who would tune their systems) a 4x+ performance 142 | advantage. 143 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1-original/README: -------------------------------------------------------------------------------- 1 | This yescrypt distribution is a work-in-progress. Its interfaces other 2 | than crypto_scrypt(), as well as their semantics, are subject to 3 | (incompatible) changes in future revisions. 4 | 5 | 6 | How to test yescrypt for proper operation. 7 | 8 | On a Unix-like system, invoke "make check". This will build and run a 9 | program called "tests", and check its output against the supplied file 10 | TESTS-OK. It will also build a program called "phc-test", and if a file 11 | called PHC-TEST-OK is present will run that program and check its output 12 | against that file's contents. If everything matches, each of these two 13 | sets of tests prints one word "PASSED", so there will be two such lines 14 | among "make check" output, one of them being the final line of output. 15 | 16 | We do most of our testing on Linux systems with gcc. The supplied 17 | Makefile assumes that you use gcc. 18 | 19 | 20 | ROM in SysV shared memory demo and benchmark. 21 | 22 | Also included with this version of yescrypt are "initrom" and "userom" 23 | demo programs. They're built by simply typing "make". Please refer to 24 | PERFORMANCE-* text files for examples of system configuration and 25 | running of these programs. 26 | 27 | 28 | Alternate code versions and make targets. 29 | 30 | Three implementations of yescrypt are included: reference, partially 31 | optimized (without use of SIMD), and fully optimized for x86/x86-64 32 | (with use of SIMD intrinsics). By default, one of the two optimized 33 | implementations is built as appropriate for the given machine. 34 | 35 | The reference implementation is unoptimized and is very slow, but it has 36 | simpler and shorter source code. Its purpose is to provide a simple 37 | human- and machine-readable specification that implementations intended 38 | for actual use should be tested against. It is deliberately mostly not 39 | optimized, and it is not meant to be used in production. 40 | 41 | There are two additional make targets similar to "make check": they are 42 | "make check-ref" and "make check-opt". These build and test the two 43 | included alternate code versions. 44 | 45 | Similarly, there are two make targets to build all of the programs along 46 | with either of the two alternate implementations. These are simply 47 | "make ref" and "make opt". After having used one of these, the 48 | "initrom" and "userom" programs will use that build's implementation. 49 | 50 | "make clean" may need to be run between making different builds. 51 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1-original/initrom.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2013-2015 Alexander Peslyak 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted. 7 | * 8 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 9 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 10 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 11 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 12 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 13 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 14 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 15 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 16 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 17 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 18 | * SUCH DAMAGE. 19 | */ 20 | 21 | #define YESCRYPT_FLAGS YESCRYPT_RW 22 | 23 | #define ROM_SHM_KEY 0x524f4d0a 24 | #define ROM_LOCAL_PARAM "change this before use" 25 | 26 | /* Maximum parallelism factor during ROM initialization */ 27 | #define YESCRYPT_PROM_SHM 32 28 | #define YESCRYPT_PROM_FILE 4 29 | 30 | //#define USE_HUGEPAGE 31 | 32 | #include 33 | #include 34 | #include /* for atoi() */ 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | 42 | #include "yescrypt.h" 43 | 44 | int main(int argc, const char * const *argv) 45 | { 46 | #if 0 47 | uint64_t rom_bytes = 112 * (1024ULL*1024*1024); 48 | uint64_t ram_bytes = 1 * (1024ULL*1024); 49 | #else 50 | uint64_t rom_bytes = 3 * (1024ULL*1024*1024); 51 | uint64_t ram_bytes = 2 * (1024ULL*1024); 52 | #endif 53 | uint32_t r, min_r; 54 | uint64_t NROM_log2, N_log2; 55 | int shmid; 56 | yescrypt_shared_t shared; 57 | uint8_t digest[4]; 58 | const char * rom_filename = NULL; 59 | int rom_fd; 60 | 61 | if (argc > 1) 62 | rom_bytes = atoi(argv[1]) * (1024ULL*1024*1024); 63 | if (argc > 2) 64 | ram_bytes = atoi(argv[2]) * (1024ULL*1024); 65 | if (argc > 3) 66 | rom_filename = argv[3]; 67 | 68 | if (!rom_bytes) { 69 | puts("Wrong ROM size requested"); 70 | return 1; 71 | } 72 | 73 | min_r = 5; 74 | if (rom_filename) 75 | min_r = 8 * 256; 76 | 77 | NROM_log2 = 0; 78 | while (((rom_bytes >> NROM_log2) & 0xff) == 0) 79 | NROM_log2++; 80 | r = rom_bytes >> (7 + NROM_log2); 81 | while (r < min_r && NROM_log2 > 0) { 82 | r <<= 1; 83 | NROM_log2--; 84 | } 85 | rom_bytes = (uint64_t)r << (7 + NROM_log2); 86 | 87 | N_log2 = 3; 88 | while ((r << (7 + N_log2)) < ram_bytes) 89 | N_log2++; 90 | ram_bytes = (uint64_t)r << (7 + N_log2); 91 | 92 | printf("r=%u N=2^%u NROM=2^%u\n", r, 93 | (unsigned int)N_log2, (unsigned int)NROM_log2); 94 | 95 | printf("Will use %.2f KiB ROM\n", rom_bytes / 1024.0); 96 | printf(" %.2f KiB RAM\n", ram_bytes / 1024.0); 97 | 98 | shared.aligned_size = rom_bytes; 99 | 100 | if (rom_filename) { 101 | rom_fd = open(rom_filename, O_CREAT|O_RDWR|O_EXCL, 102 | S_IRUSR|S_IRGRP|S_IWUSR); 103 | if (rom_fd < 0) { 104 | perror("open"); 105 | return 1; 106 | } 107 | if (ftruncate(rom_fd, rom_bytes)) { 108 | perror("ftruncate"); 109 | close(rom_fd); 110 | unlink(rom_filename); 111 | return 1; 112 | } 113 | 114 | int flags = 115 | #ifdef MAP_NOCORE 116 | MAP_NOCORE | 117 | #endif 118 | #if defined(MAP_HUGETLB) && defined(USE_HUGEPAGE) 119 | MAP_HUGETLB | 120 | #endif 121 | MAP_SHARED; 122 | void * p = mmap(NULL, rom_bytes, PROT_READ | PROT_WRITE, 123 | flags, rom_fd, 0); 124 | #if defined(MAP_HUGETLB) && defined(USE_HUGEPAGE) 125 | if (p == MAP_FAILED) 126 | p = mmap(NULL, rom_bytes, PROT_READ | PROT_WRITE, 127 | flags & ~MAP_HUGETLB, rom_fd, 0); 128 | #endif 129 | if (p == MAP_FAILED) { 130 | perror("mmap"); 131 | close(rom_fd); 132 | unlink(rom_filename); 133 | return 1; 134 | } 135 | close(rom_fd); 136 | shared.base = shared.aligned = p; 137 | } else { 138 | shmid = shmget(ROM_SHM_KEY, shared.aligned_size, 139 | #ifdef SHM_HUGETLB 140 | SHM_HUGETLB | 141 | #endif 142 | IPC_CREAT|IPC_EXCL | S_IRUSR|S_IRGRP|S_IWUSR); 143 | if (shmid == -1) { 144 | #ifdef SHM_HUGETLB 145 | perror("shmget"); 146 | puts("Retrying without SHM_HUGETLB"); 147 | shmid = shmget(ROM_SHM_KEY, shared.aligned_size, 148 | IPC_CREAT|IPC_EXCL | S_IRUSR|S_IRGRP|S_IWUSR); 149 | #endif 150 | if (shmid == -1) { 151 | perror("shmget"); 152 | return 1; 153 | } 154 | } 155 | 156 | shared.base = shared.aligned = shmat(shmid, NULL, 0); 157 | if (shared.base == (void *)-1) { 158 | int save_errno = errno; 159 | shmctl(shmid, IPC_RMID, NULL); 160 | errno = save_errno; 161 | perror("shmat"); 162 | return 1; 163 | } 164 | } 165 | 166 | printf("Initializing ROM ..."); 167 | fflush(stdout); 168 | if (yescrypt_init_shared(&shared, 169 | (uint8_t *)ROM_LOCAL_PARAM, strlen(ROM_LOCAL_PARAM), 170 | (uint64_t)1 << NROM_log2, r, 171 | rom_filename ? YESCRYPT_PROM_FILE : YESCRYPT_PROM_SHM, 172 | YESCRYPT_SHARED_PREALLOCATED, 173 | digest, sizeof(digest))) { 174 | puts(" FAILED"); 175 | if (rom_filename) 176 | unlink(rom_filename); 177 | return 1; 178 | } 179 | printf(" DONE (%02x%02x%02x%02x)\n", 180 | digest[0], digest[1], digest[2], digest[3]); 181 | 182 | { 183 | yescrypt_local_t local; 184 | const uint8_t *setting; 185 | uint8_t hash[128]; 186 | 187 | if (yescrypt_init_local(&local)) { 188 | puts("yescrypt_init_local() FAILED"); 189 | return 1; 190 | } 191 | 192 | setting = yescrypt_gensalt( 193 | N_log2, r, 1, YESCRYPT_FLAGS, 194 | (const uint8_t *)"binary data", 12); 195 | 196 | printf("'%s'\n", (char *)yescrypt_r(&shared, &local, 197 | (const uint8_t *)"pleaseletmein", 13, setting, 198 | hash, sizeof(hash))); 199 | } 200 | 201 | if (rom_filename && munmap(shared.base, rom_bytes)) { 202 | perror("munmap"); 203 | return 1; 204 | } 205 | 206 | return 0; 207 | } 208 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1-original/phc.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2014,2015 Alexander Peslyak 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted. 7 | * 8 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 9 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 10 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 11 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 12 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 13 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 14 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 15 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 16 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 17 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 18 | * SUCH DAMAGE. 19 | */ 20 | 21 | #define YESCRYPT_FLAGS YESCRYPT_RW 22 | #define YESCRYPT_BASE_N 8 23 | #define YESCRYPT_R 8 24 | #define YESCRYPT_P 1 25 | 26 | #include "yescrypt.h" 27 | 28 | #ifdef TEST 29 | static 30 | #endif 31 | int PHS(void *out, size_t outlen, const void *in, size_t inlen, 32 | const void *salt, size_t saltlen, unsigned int t_cost, unsigned int m_cost) 33 | { 34 | yescrypt_local_t local; 35 | int retval; 36 | 37 | if (yescrypt_init_local(&local)) 38 | return -1; 39 | retval = yescrypt_kdf(NULL, &local, in, inlen, salt, saltlen, 40 | (uint64_t)YESCRYPT_BASE_N << m_cost, YESCRYPT_R, YESCRYPT_P, 41 | t_cost, 0, YESCRYPT_FLAGS, out, outlen); 42 | if (yescrypt_free_local(&local)) 43 | return -1; 44 | return retval; 45 | } 46 | 47 | #ifdef TEST 48 | #include 49 | #include /* for sysconf() */ 50 | #include 51 | 52 | static void print_hex(const uint8_t *buf, size_t buflen, const char *sep) 53 | { 54 | size_t i; 55 | 56 | putchar('"'); 57 | for (i = 0; i < buflen; i++) 58 | printf("\\x%02x", buf[i]); 59 | printf("\"%s", sep); 60 | } 61 | 62 | static void print_PHS(const void *in, size_t inlen, 63 | const void *salt, size_t saltlen, unsigned int t_cost, unsigned int m_cost) 64 | { 65 | uint8_t dk[32]; 66 | 67 | printf("PHS("); 68 | print_hex(in, inlen, ", "); 69 | print_hex(salt, saltlen, ", "); 70 | printf("%u, %u) = ", t_cost, m_cost); 71 | 72 | if (PHS(dk, sizeof(dk), in, inlen, salt, saltlen, t_cost, m_cost)) { 73 | puts("FAILED"); 74 | return; 75 | } 76 | 77 | print_hex(dk, sizeof(dk), "\n"); 78 | } 79 | 80 | static void print_all_PHS(unsigned int t_cost, unsigned int m_cost) 81 | { 82 | clock_t clk_tck = sysconf(_SC_CLK_TCK); 83 | struct tms start_tms, end_tms; 84 | clock_t start = times(&start_tms), end, start_v, end_v; 85 | const int count = 0x102; 86 | size_t inlen; 87 | int i, j; 88 | 89 | inlen = 0; 90 | for (i = 0; i < count; i++) { 91 | uint8_t in[128], salt[16]; 92 | 93 | for (j = 0; j < inlen; j++) 94 | in[j] = (i + j) & 0xff; 95 | for (j = 0; j < sizeof(salt); j++) 96 | salt[j] = ~(i + j) & 0xff; 97 | 98 | print_PHS(in, inlen, salt, sizeof(salt), t_cost, m_cost); 99 | 100 | if (++inlen > sizeof(in)) 101 | inlen = 0; 102 | } 103 | 104 | end = times(&end_tms); 105 | 106 | start_v = start_tms.tms_utime + start_tms.tms_stime + 107 | start_tms.tms_cutime + start_tms.tms_cstime; 108 | end_v = end_tms.tms_utime + end_tms.tms_stime + 109 | end_tms.tms_cutime + end_tms.tms_cstime; 110 | 111 | if (end == start) 112 | end++; 113 | if (end_v == start_v) 114 | end_v++; 115 | 116 | fprintf(stderr, "m_cost=%u (%.0f KiB), t_cost=%u\n" 117 | "%llu c/s real, %llu c/s virtual (%llu hashes in %.2f seconds)\n", 118 | m_cost, (YESCRYPT_BASE_N << m_cost) * YESCRYPT_R / 8.0, t_cost, 119 | (unsigned long long)count * clk_tck / (end - start), 120 | (unsigned long long)count * clk_tck / (end_v - start_v), 121 | (unsigned long long)count, (double)(end - start) / clk_tck); 122 | } 123 | 124 | int main(int argc, char *argv[]) 125 | { 126 | #if 0 127 | setvbuf(stdout, NULL, _IOLBF, 0); 128 | #endif 129 | 130 | print_all_PHS(0, 0); 131 | print_all_PHS(0, 7); 132 | print_all_PHS(0, 8); 133 | print_all_PHS(1, 8); 134 | print_all_PHS(2, 8); 135 | print_all_PHS(3, 8); 136 | print_all_PHS(0, 11); 137 | 138 | return 0; 139 | } 140 | #endif 141 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1-original/sha256.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2005,2007,2009 Colin Percival 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 14 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 | * SUCH DAMAGE. 25 | * 26 | * $FreeBSD: src/lib/libmd/sha256.h,v 1.2 2006/01/17 15:35:56 phk Exp $ 27 | */ 28 | 29 | #ifndef _SHA256_H_ 30 | #define _SHA256_H_ 31 | 32 | #include 33 | 34 | #include 35 | 36 | typedef struct SHA256Context { 37 | uint32_t state[8]; 38 | uint32_t count[2]; 39 | unsigned char buf[64]; 40 | } SHA256_CTX; 41 | 42 | typedef struct HMAC_SHA256Context { 43 | SHA256_CTX ictx; 44 | SHA256_CTX octx; 45 | } HMAC_SHA256_CTX; 46 | 47 | void SHA256_Init(SHA256_CTX *); 48 | void SHA256_Update(SHA256_CTX *, const void *, size_t); 49 | void SHA256_Final(unsigned char [32], SHA256_CTX *); 50 | void HMAC_SHA256_Init(HMAC_SHA256_CTX *, const void *, size_t); 51 | void HMAC_SHA256_Update(HMAC_SHA256_CTX *, const void *, size_t); 52 | void HMAC_SHA256_Final(unsigned char [32], HMAC_SHA256_CTX *); 53 | 54 | /** 55 | * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): 56 | * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and 57 | * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1). 58 | */ 59 | void PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t, 60 | uint64_t, uint8_t *, size_t); 61 | 62 | #endif /* !_SHA256_H_ */ 63 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1-original/sysendian.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2007-2009 Colin Percival 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 14 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 | * SUCH DAMAGE. 25 | * 26 | * This file was originally written by Colin Percival as part of the Tarsnap 27 | * online backup system. 28 | */ 29 | #ifndef _SYSENDIAN_H_ 30 | #define _SYSENDIAN_H_ 31 | 32 | /* If we don't have be64enc, the we have isn't usable. */ 33 | #if !HAVE_DECL_BE64ENC 34 | #undef HAVE_SYS_ENDIAN_H 35 | #endif 36 | 37 | #ifdef HAVE_SYS_ENDIAN_H 38 | 39 | #include 40 | 41 | #else 42 | 43 | #include 44 | 45 | static inline uint32_t 46 | be32dec(const void *pp) 47 | { 48 | const uint8_t *p = (uint8_t const *)pp; 49 | 50 | return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + 51 | ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); 52 | } 53 | 54 | static inline void 55 | be32enc(void *pp, uint32_t x) 56 | { 57 | uint8_t * p = (uint8_t *)pp; 58 | 59 | p[3] = x & 0xff; 60 | p[2] = (x >> 8) & 0xff; 61 | p[1] = (x >> 16) & 0xff; 62 | p[0] = (x >> 24) & 0xff; 63 | } 64 | 65 | static inline uint64_t 66 | be64dec(const void *pp) 67 | { 68 | const uint8_t *p = (uint8_t const *)pp; 69 | 70 | return ((uint64_t)(p[7]) + ((uint64_t)(p[6]) << 8) + 71 | ((uint64_t)(p[5]) << 16) + ((uint64_t)(p[4]) << 24) + 72 | ((uint64_t)(p[3]) << 32) + ((uint64_t)(p[2]) << 40) + 73 | ((uint64_t)(p[1]) << 48) + ((uint64_t)(p[0]) << 56)); 74 | } 75 | 76 | static inline void 77 | be64enc(void *pp, uint64_t x) 78 | { 79 | uint8_t * p = (uint8_t *)pp; 80 | 81 | p[7] = x & 0xff; 82 | p[6] = (x >> 8) & 0xff; 83 | p[5] = (x >> 16) & 0xff; 84 | p[4] = (x >> 24) & 0xff; 85 | p[3] = (x >> 32) & 0xff; 86 | p[2] = (x >> 40) & 0xff; 87 | p[1] = (x >> 48) & 0xff; 88 | p[0] = (x >> 56) & 0xff; 89 | } 90 | 91 | static inline uint32_t 92 | le32dec(const void *pp) 93 | { 94 | const uint8_t *p = (uint8_t const *)pp; 95 | 96 | return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) + 97 | ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24)); 98 | } 99 | 100 | static inline void 101 | le32enc(void *pp, uint32_t x) 102 | { 103 | uint8_t * p = (uint8_t *)pp; 104 | 105 | p[0] = x & 0xff; 106 | p[1] = (x >> 8) & 0xff; 107 | p[2] = (x >> 16) & 0xff; 108 | p[3] = (x >> 24) & 0xff; 109 | } 110 | 111 | static inline uint64_t 112 | le64dec(const void *pp) 113 | { 114 | const uint8_t *p = (uint8_t const *)pp; 115 | 116 | return ((uint64_t)(p[0]) + ((uint64_t)(p[1]) << 8) + 117 | ((uint64_t)(p[2]) << 16) + ((uint64_t)(p[3]) << 24) + 118 | ((uint64_t)(p[4]) << 32) + ((uint64_t)(p[5]) << 40) + 119 | ((uint64_t)(p[6]) << 48) + ((uint64_t)(p[7]) << 56)); 120 | } 121 | 122 | static inline void 123 | le64enc(void *pp, uint64_t x) 124 | { 125 | uint8_t * p = (uint8_t *)pp; 126 | 127 | p[0] = x & 0xff; 128 | p[1] = (x >> 8) & 0xff; 129 | p[2] = (x >> 16) & 0xff; 130 | p[3] = (x >> 24) & 0xff; 131 | p[4] = (x >> 32) & 0xff; 132 | p[5] = (x >> 40) & 0xff; 133 | p[6] = (x >> 48) & 0xff; 134 | p[7] = (x >> 56) & 0xff; 135 | } 136 | #endif /* !HAVE_SYS_ENDIAN_H */ 137 | 138 | #endif /* !_SYSENDIAN_H_ */ 139 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1-original/yescrypt-best.c: -------------------------------------------------------------------------------- 1 | #ifdef __SSE2__ 2 | #include "yescrypt-simd.c" 3 | #else 4 | #include "yescrypt-opt.c" 5 | #endif 6 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1-original/yescrypt-platform.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2013-2015 Alexander Peslyak 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted. 7 | * 8 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 9 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 10 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 11 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 12 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 13 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 14 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 15 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 16 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 17 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 18 | * SUCH DAMAGE. 19 | */ 20 | 21 | #include 22 | 23 | #define HUGEPAGE_THRESHOLD (12 * 1024 * 1024) 24 | 25 | #ifdef __x86_64__ 26 | #define HUGEPAGE_SIZE (2 * 1024 * 1024) 27 | #else 28 | #undef HUGEPAGE_SIZE 29 | #endif 30 | 31 | static void * 32 | alloc_region(yescrypt_region_t * region, size_t size) 33 | { 34 | size_t base_size = size; 35 | uint8_t * base, * aligned; 36 | #ifdef MAP_ANON 37 | int flags = 38 | #ifdef MAP_NOCORE 39 | MAP_NOCORE | 40 | #endif 41 | MAP_ANON | MAP_PRIVATE; 42 | #if defined(MAP_HUGETLB) && defined(HUGEPAGE_SIZE) 43 | size_t new_size = size; 44 | const size_t hugepage_mask = (size_t)HUGEPAGE_SIZE - 1; 45 | if (size >= HUGEPAGE_THRESHOLD && size + hugepage_mask >= size) { 46 | flags |= MAP_HUGETLB; 47 | /* 48 | * Linux's munmap() fails on MAP_HUGETLB mappings if size is not a multiple of 49 | * huge page size, so let's round up to huge page size here. 50 | */ 51 | new_size = size + hugepage_mask; 52 | new_size &= ~hugepage_mask; 53 | } 54 | base = mmap(NULL, new_size, PROT_READ | PROT_WRITE, flags, -1, 0); 55 | if (base != MAP_FAILED) { 56 | base_size = new_size; 57 | } else 58 | if (flags & MAP_HUGETLB) { 59 | flags &= ~MAP_HUGETLB; 60 | base = mmap(NULL, size, PROT_READ | PROT_WRITE, flags, -1, 0); 61 | } 62 | 63 | #else 64 | base = mmap(NULL, size, PROT_READ | PROT_WRITE, flags, -1, 0); 65 | #endif 66 | if (base == MAP_FAILED) 67 | base = NULL; 68 | aligned = base; 69 | #elif defined(HAVE_POSIX_MEMALIGN) 70 | if ((errno = posix_memalign((void **)&base, 64, size)) != 0) 71 | base = NULL; 72 | aligned = base; 73 | #else 74 | base = aligned = NULL; 75 | if (size + 63 < size) { 76 | errno = ENOMEM; 77 | } else if ((base = malloc(size + 63)) != NULL) { 78 | aligned = base + 63; 79 | aligned -= (uintptr_t)aligned & 63; 80 | } 81 | #endif 82 | region->base = base; 83 | region->aligned = aligned; 84 | region->base_size = base ? base_size : 0; 85 | region->aligned_size = base ? size : 0; 86 | return aligned; 87 | } 88 | 89 | static inline void 90 | init_region(yescrypt_region_t * region) 91 | { 92 | region->base = region->aligned = NULL; 93 | region->base_size = region->aligned_size = 0; 94 | } 95 | 96 | static int 97 | free_region(yescrypt_region_t * region) 98 | { 99 | if (region->base) { 100 | #ifdef MAP_ANON 101 | if (munmap(region->base, region->base_size)) 102 | return -1; 103 | #else 104 | free(region->base); 105 | #endif 106 | } 107 | init_region(region); 108 | return 0; 109 | } 110 | 111 | int 112 | yescrypt_init_shared(yescrypt_shared_t * shared, 113 | const uint8_t * param, size_t paramlen, 114 | uint64_t N, uint32_t r, uint32_t p, 115 | yescrypt_init_shared_flags_t flags, 116 | uint8_t * buf, size_t buflen) 117 | { 118 | yescrypt_shared_t half1, half2; 119 | uint8_t salt[32]; 120 | 121 | if (flags & YESCRYPT_SHARED_PREALLOCATED) { 122 | if (!shared->aligned || !shared->aligned_size) 123 | return -1; 124 | } else { 125 | init_region(shared); 126 | } 127 | if (!param && !paramlen && !N && !r && !p && !buf && !buflen) 128 | return 0; 129 | 130 | if (yescrypt_kdf(NULL, shared, 131 | param, paramlen, NULL, 0, N, r, p, 0, 0, 132 | YESCRYPT_RW | __YESCRYPT_INIT_SHARED_1, 133 | salt, sizeof(salt))) 134 | goto out; 135 | 136 | half1 = half2 = *shared; 137 | half1.aligned_size /= 2; 138 | half2.aligned += half1.aligned_size; 139 | half2.aligned_size = half1.aligned_size; 140 | N /= 2; 141 | 142 | if (p > 1 && yescrypt_kdf(&half1, &half2, 143 | param, paramlen, salt, sizeof(salt), N, r, p, 0, 0, 144 | YESCRYPT_RW | __YESCRYPT_INIT_SHARED_2, 145 | salt, sizeof(salt))) 146 | goto out; 147 | 148 | if (yescrypt_kdf(&half2, &half1, 149 | param, paramlen, salt, sizeof(salt), N, r, p, 0, 0, 150 | YESCRYPT_RW | __YESCRYPT_INIT_SHARED_1, 151 | salt, sizeof(salt))) 152 | goto out; 153 | 154 | if (yescrypt_kdf(&half1, &half2, 155 | param, paramlen, salt, sizeof(salt), N, r, p, 0, 0, 156 | YESCRYPT_RW | __YESCRYPT_INIT_SHARED_1, 157 | buf, buflen)) 158 | goto out; 159 | 160 | return 0; 161 | 162 | out: 163 | if (!(flags & YESCRYPT_SHARED_PREALLOCATED)) 164 | free_region(shared); 165 | return -1; 166 | } 167 | 168 | int 169 | yescrypt_free_shared(yescrypt_shared_t * shared) 170 | { 171 | return free_region(shared); 172 | } 173 | 174 | int 175 | yescrypt_init_local(yescrypt_local_t * local) 176 | { 177 | init_region(local); 178 | return 0; 179 | } 180 | 181 | int 182 | yescrypt_free_local(yescrypt_local_t * local) 183 | { 184 | return free_region(local); 185 | } 186 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2013,2014 Alexander Peslyak 2 | # All rights reserved. 3 | # 4 | # Redistribution and use in source and binary forms, with or without 5 | # modification, are permitted. 6 | # 7 | # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 8 | # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 10 | # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 11 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 12 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 13 | # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 14 | # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 15 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 16 | # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 17 | # SUCH DAMAGE. 18 | 19 | CC = gcc 20 | LD = $(CC) 21 | RM = rm -f 22 | OMPFLAGS = -fopenmp 23 | OMPFLAGS_MAYBE = $(OMPFLAGS) 24 | CFLAGS = -Wall -march=native -O2 -funroll-loops -fomit-frame-pointer $(OMPFLAGS_MAYBE) 25 | #CFLAGS = -Wall -march=native -O2 -fomit-frame-pointer $(OMPFLAGS_MAYBE) 26 | #CFLAGS = -Wall -O2 -fomit-frame-pointer $(OMPFLAGS_MAYBE) 27 | LDFLAGS = -s $(OMPFLAGS_MAYBE) 28 | 29 | PROJ = tests phc-test initrom userom tester 30 | OBJS_CORE = yescrypt-best.o 31 | OBJS_TESTS = $(OBJS_CORE) yescrypt-common.o sha256.o tests.o 32 | OBJS_TESTER = $(OBJS_CORE) yescrypt-common.o sha256.o tester.o 33 | OBJS_PHC = $(OBJS_CORE) yescrypt-common.o sha256.o phc-test.o 34 | OBJS_INITROM = $(OBJS_CORE) yescrypt-common.o sha256.o initrom.o 35 | OBJS_USEROM = $(OBJS_CORE) yescrypt-common.o sha256.o userom.o 36 | OBJS_RM = yescrypt-*.o 37 | 38 | all: $(PROJ) 39 | 40 | check: tests phc-test 41 | @echo 'Running main tests' 42 | @time ./tests | tee TESTS-OUT 43 | @diff -U0 TESTS-OK TESTS-OUT && echo PASSED || echo FAILED 44 | @if [ -e PHC-TEST-OK ]; then \ 45 | echo 'Running PHC tests'; \ 46 | time ./phc-test > PHC-TEST-OUT; \ 47 | cmp PHC-TEST-OK PHC-TEST-OUT && echo PASSED || echo FAILED; \ 48 | fi 49 | 50 | ref: 51 | $(MAKE) $(PROJ) OBJS_CORE=yescrypt-ref.o 52 | 53 | check-ref: 54 | $(MAKE) check OBJS_CORE=yescrypt-ref.o 55 | 56 | opt: 57 | $(MAKE) $(PROJ) OBJS_CORE=yescrypt-opt.o 58 | 59 | check-opt: 60 | $(MAKE) check OBJS_CORE=yescrypt-opt.o 61 | 62 | tests: $(OBJS_TESTS) 63 | $(LD) $(LDFLAGS) $(OBJS_TESTS) -o $@ 64 | 65 | phc-test.o: phc.c 66 | $(CC) -c $(CFLAGS) -DTEST phc.c -o $@ 67 | 68 | phc-test: $(OBJS_PHC) 69 | $(LD) $(LDFLAGS) $(OBJS_PHC) -o $@ 70 | 71 | tester.o: tester.c 72 | $(CC) -c $(CFLAGS) -DTEST tester.c -o $@ 73 | 74 | tester: $(OBJS_TESTER) 75 | $(LD) $(LDFLAGS) $(OBJS_TESTER) -o $@ 76 | 77 | initrom: $(OBJS_INITROM) 78 | $(LD) $(LDFLAGS) $(OBJS_INITROM) -o $@ 79 | 80 | userom: $(OBJS_USEROM) 81 | $(LD) $(LDFLAGS) $(OMPFLAGS) $(OBJS_USEROM) -o $@ 82 | 83 | userom.o: userom.c 84 | $(CC) -c $(CFLAGS) $(OMPFLAGS) $*.c 85 | 86 | .c.o: 87 | $(CC) -c $(CFLAGS) $*.c 88 | 89 | yescrypt-best.o: yescrypt-platform.c yescrypt-simd.c yescrypt-opt.c 90 | yescrypt-simd.o: yescrypt-platform.c 91 | yescrypt-opt.o: yescrypt-platform.c 92 | 93 | clean: 94 | $(RM) $(PROJ) 95 | $(RM) $(OBJS_TESTER) $(OBJS_TESTS) $(OBJS_PHC) $(OBJS_INITROM) $(OBJS_USEROM) 96 | $(RM) $(OBJS_RM) 97 | $(RM) TESTS-OUT PHC-TEST-OUT 98 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1/PERFORMANCE-default: -------------------------------------------------------------------------------- 1 | The benchmarks below correspond to an older revision of yescrypt. They 2 | were not re-run for the most recent revision. However, similar results 3 | are expected for the current revision for t=2, and ~40% faster for t=0. 4 | 5 | Core i7-4770K 3.5 GHz + turbo (up to 3.7 GHz with all cores in use, 6 | 3.9 GHz with one core in use), HT is enabled (giving 8 logical CPUs), 7 | 32 GiB RAM (4x DDR3-1600, but the CPU has only 2 memory channels). 8 | The OS is Ubuntu 12.04.2. 9 | 10 | First, we need to configure the Linux system, as root. Grant our user 11 | account's group the privilege to access "huge pages" (2 MiB as opposed 12 | to x86's default 4 KiB pages): 13 | 14 | # sysctl -w vm.hugetlb_shm_group=1000 15 | 16 | (You may need to replace the "1000" with your user account's actual 17 | group id.) 18 | 19 | Let processes allocate up to 3 GiB in shared memory segments: 20 | 21 | # sysctl -w kernel.shmmax=3221225472 22 | 23 | Preallocate this much memory and 200 MiB more (to be potentially used 24 | for threads' "RAM" lookup tables) into 2 MiB pages (this will only work 25 | when there's a sufficiently large non-fragmented memory region, so is 26 | normally to be performed right upon system bootup): 27 | 28 | # sysctl -w vm.nr_hugepages=1636 29 | 30 | Now initialization of the ROM is possible: 31 | 32 | $ time ./initrom 33 | r=6 N=2^12 NROM=2^22 34 | Will use 3145728.00 KiB ROM 35 | 3072.00 KiB RAM 36 | Initializing ROM ... DONE (7b90baf9) 37 | '$7X3$A4..../....WZaPV7LSUEKMo34.$5s4cetx5p9HNpa4x3I10oHYf6tkoHgIiQJShvobQKB2' 38 | 39 | real 0m2.017s 40 | user 0m14.957s 41 | sys 0m1.000s 42 | 43 | This took 2 seconds, and now we're able to quickly hash passwords from 44 | another process (this may be the authentication service): 45 | 46 | $ ./userom 47 | r=6 N=2^12 NROM=2^22 48 | Will use 3145728.00 KiB ROM 49 | 3072.00 KiB RAM 50 | ROM access frequency mask: 0x1 51 | '$7X3$A4..../....WZaPV7LSUEKMo34.$5s4cetx5p9HNpa4x3I10oHYf6tkoHgIiQJShvobQKB2' 52 | Benchmarking 1 thread ... 53 | 354 c/s real, 357 c/s virtual (511 hashes in 1.44 seconds) 54 | Benchmarking 8 threads ... 55 | 1344 c/s real, 167 c/s virtual (1533 hashes in 1.14 seconds) 56 | 57 | Cleanup (remove the SysV shared memory segment holding the ROM and free 58 | up the preallocated 2 MiB pages): 59 | 60 | $ ipcrm -M 0x524f4d0a 61 | 62 | # sysctl -w vm.nr_hugepages=0 63 | 64 | Without explicit use of 2 MiB pages (that is, more likely with 4 KiB 65 | pages), the test programs above run fine as well, and actually this time 66 | they're almost as fast, although in some other cases we've observed much 67 | more of a difference (see PERFORMANCE-scaling-up). 68 | 69 | Here are the timings without explicit 2 MiB pages: 70 | 71 | $ time ./initrom 72 | r=6 N=2^12 NROM=2^22 73 | Will use 3145728.00 KiB ROM 74 | 3072.00 KiB RAM 75 | shmget: Cannot allocate memory 76 | Retrying without SHM_HUGETLB 77 | Initializing ROM ... DONE (7b90baf9) 78 | '$7X3$A4..../....WZaPV7LSUEKMo34.$5s4cetx5p9HNpa4x3I10oHYf6tkoHgIiQJShvobQKB2' 79 | 80 | real 0m2.048s 81 | user 0m14.629s 82 | sys 0m1.204s 83 | 84 | $ ./userom 85 | r=6 N=2^12 NROM=2^22 86 | Will use 3145728.00 KiB ROM 87 | 3072.00 KiB RAM 88 | ROM access frequency mask: 0x1 89 | '$7X3$A4..../....WZaPV7LSUEKMo34.$5s4cetx5p9HNpa4x3I10oHYf6tkoHgIiQJShvobQKB2' 90 | Benchmarking 1 thread ... 91 | 191 c/s real, 193 c/s virtual (255 hashes in 1.33 seconds) 92 | Benchmarking 8 threads ... 93 | 1332 c/s real, 167 c/s virtual (1785 hashes in 1.34 seconds) 94 | 95 | It might be possible to improve the single-thread speed seen here by 96 | including some warm-up in the program. Anyhow, the multi-threaded 97 | throughput is more relevant. 98 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1/PERFORMANCE-scaling-down: -------------------------------------------------------------------------------- 1 | The benchmarks below correspond to an older revision of yescrypt. They 2 | were not re-run for the most recent revision. However, similar results 3 | are expected for the current revision for t=2, and ~40% faster for t=0. 4 | 5 | Dual Pentium 3, 1 GHz (an IBM workstation circa year 2000), running 6 | current Openwall GNU/*/Linux. ROM size scaled down to 112 MiB: 7 | 8 | First, we need to configure the Linux system, as root. 9 | 10 | Let processes allocate up to 112 MiB in shared memory segments: 11 | 12 | # sysctl -w kernel.shmmax=117440512 13 | 14 | Now initialization of the ROM is possible: 15 | 16 | $ time ./initrom 17 | r=7 N=2^11 NROM=2^17 18 | Will use 114688.00 KiB ROM 19 | 1792.00 KiB RAM 20 | shmget: Function not implemented 21 | Retrying without SHM_HUGETLB 22 | Initializing ROM ... DONE (0592b260) 23 | '$7X3$95..../....WZaPV7LSUEKMo34.$tWYLFCyQajL/uPib1HOiYrvEgz8HKPApUoMj4S6J.69' 24 | 25 | real 0m4.485s 26 | user 0m7.968s 27 | sys 0m0.504s 28 | 29 | This took under 5 seconds, and now we're able to (relatively) quickly 30 | hash passwords from another process: 31 | 32 | $ ./userom 33 | r=7 N=2^11 NROM=2^17 34 | Will use 114688.00 KiB ROM 35 | 1792.00 KiB RAM 36 | ROM access frequency mask: 0x1 37 | '$7X3$95..../....WZaPV7LSUEKMo34.$tWYLFCyQajL/uPib1HOiYrvEgz8HKPApUoMj4S6J.69' 38 | Benchmarking 1 thread ... 39 | 9 c/s real, 9 c/s virtual (15 hashes in 1.53 seconds) 40 | Benchmarking 2 threads ... 41 | 19 c/s real, 10 c/s virtual (45 hashes in 2.29 seconds) 42 | 43 | Scaling down of the RAM portion to achieve higher c/s rates as if we were 44 | going to use this Pentium 3 machine for an auth server (not recommended): 45 | 46 | $ ./userom 47 | r=7 N=2^7 NROM=2^17 48 | Will use 114688.00 KiB ROM 49 | 112.00 KiB RAM 50 | ROM access frequency mask: 0x1 51 | '$7X3$55..../....WZaPV7LSUEKMo34.$tioZe3w2turVdlZJOYE.TcxqF6a73TyPj227N/p6400' 52 | Benchmarking 1 thread ... 53 | 166 c/s real, 167 c/s virtual (255 hashes in 1.53 seconds) 54 | Benchmarking 2 threads ... 55 | 324 c/s real, 168 c/s virtual (765 hashes in 2.36 seconds) 56 | 57 | These speeds are comparable to optimized bcrypt code at the $2a$05 cost 58 | setting running on the same machine. 59 | 60 | Cleanup (remove the SysV shared memory segment holding the ROM): 61 | 62 | $ ipcrm -M 0x524f4d0a 63 | 64 | Without the ROM: 65 | 66 | $ ./userom 0 67 | r=8 N=2^7 NROM=2^0 68 | Will use 0.00 KiB ROM 69 | 128.00 KiB RAM 70 | '$7X3$56..../....WZaPV7LSUEKMo34.$aASx8ttzWhTYanMam7D7T4Gnqt8gtguH1lEdUN4Sj5/' 71 | Benchmarking 1 thread ... 72 | 166 c/s real, 166 c/s virtual (255 hashes in 1.53 seconds) 73 | Benchmarking 2 threads ... 74 | 331 c/s real, 168 c/s virtual (765 hashes in 2.31 seconds) 75 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1/PERFORMANCE-scaling-up: -------------------------------------------------------------------------------- 1 | The benchmarks below correspond to an older revision of yescrypt. They 2 | were not re-run for the most recent revision. However, similar results 3 | are expected for the current revision for t=2, and ~40% faster for t=0. 4 | 5 | Dual Xeon E5-2670 2.6 GHz + turbo (up to 3.0 GHz with all cores in use, 6 | 3.3 GHz with few cores in use), 128 GiB RAM (8x DDR3-1600 ECC Reg). 7 | These CPUs have 8 cores and 4 memory channels each, for a total of 16 8 | physical cores, 32 logical CPUs (HT is enabled), and 8 memory channels. 9 | The OS is Scientific Linux 6.4 (same as RHEL 6.4). 10 | 11 | First, we need to configure the Linux system, as root. Grant our user 12 | account's group the privilege to access "huge pages" (2 MiB as opposed 13 | to x86's default 4 KiB pages): 14 | 15 | # sysctl -w vm.hugetlb_shm_group=1000 16 | 17 | (You may need to replace the "1000" with your user account's actual 18 | group id.) 19 | 20 | Let processes allocate up to 112 GiB in shared memory segments: 21 | 22 | # sysctl -w kernel.shmmax=120259084288 23 | 24 | Preallocate this much memory and 200 MiB more (to be potentially used 25 | for threads' "RAM" lookup tables) into 2 MiB pages (this will only work 26 | when there's a sufficiently large non-fragmented memory region, so is 27 | normally to be performed right upon system bootup): 28 | 29 | # sysctl -w vm.nr_hugepages=57444 30 | 31 | Now initialization of the ROM is possible: 32 | 33 | $ export GOMP_CPU_AFFINITY=0-31 34 | $ time ./initrom 112 1 35 | r=7 N=2^11 NROM=2^27 36 | Will use 117440512.00 KiB ROM 37 | 1792.00 KiB RAM 38 | Initializing ROM ... DONE (0e644812) 39 | '$7X3$95..../....WZaPV7LSUEKMo34.$UJxyIFR5NmT8WJ3ibOuVSAB3iQ/2IkruLUWTThZ/BN6' 40 | 41 | real 0m41.881s 42 | user 11m14.147s 43 | sys 0m38.607s 44 | 45 | This took under 1 minute, and now we're able to quickly hash passwords 46 | from another process (this may be the authentication service): 47 | 48 | $ ./userom 112 1 49 | r=7 N=2^11 NROM=2^27 50 | Will use 117440512.00 KiB ROM 51 | 1792.00 KiB RAM 52 | ROM access frequency mask: 0x1 53 | '$7X3$95..../....WZaPV7LSUEKMo34.$UJxyIFR5NmT8WJ3ibOuVSAB3iQ/2IkruLUWTThZ/BN6' 54 | Benchmarking 1 thread ... 55 | 408 c/s real, 412 c/s virtual (511 hashes in 1.25 seconds) 56 | Benchmarking 32 threads ... 57 | 7589 c/s real, 236 c/s virtual (7665 hashes in 1.01 seconds) 58 | 59 | This is 48.7 GB/s: 60 | 61 | 1792 KiB * 3.5 reads&writes * 7589 c/s * 1024/1000 = 48740565 KB/s 62 | 63 | When not using a ROM, the speed improves to: 64 | 65 | $ ./userom 0 2 66 | r=8 N=2^11 NROM=2^0 67 | Will use 0.00 KiB ROM 68 | 2048.00 KiB RAM 69 | '$7X3$96..../....WZaPV7LSUEKMo34.$yiVEyLf68agsa3VGSX7LClYXak8P/AQAoswcRRHBRt2' 70 | Benchmarking 1 thread ... 71 | 440 c/s real, 444 c/s virtual (511 hashes in 1.16 seconds) 72 | Benchmarking 32 threads ... 73 | 8207 c/s real, 257 c/s virtual (15841 hashes in 1.93 seconds) 74 | 75 | This is 60.2 GB/s: 76 | 77 | 1792 KiB * 4 reads&writes * 8207 c/s * 1024/1000 = 60239643 KB/s 78 | 79 | In both cases, we're not counting accesses that are expected to hit L1 80 | or L2 cache, which there are many of. We're, however, counting 81 | accesses that may be hitting L3 cache. 82 | 83 | The theoretical peak RAM access speed for this machine is: 84 | 85 | 1600 MT/s * 8 channels * 8 bytes = 102.4 GB/s 86 | 87 | (This speed is never reached in practice, not even in RAM benchmarks not 88 | involving any computation. On this machine, synthetic RAM benchmarks 89 | reach about 85 GB/s.) 90 | 91 | By the way, here's what our SysV shared memory segment looks like: 92 | 93 | $ ipcs 94 | 95 | ------ Shared Memory Segments -------- 96 | key shmid owner perms bytes nattch status 97 | 0x524f4d0a 360448 solar 640 120259084288 0 98 | 99 | The 120+ GB size corresponds to 112 GiB. 100 | 101 | Cleanup (remove the SysV shared memory segment holding the ROM and free 102 | up the preallocated 2 MiB pages): 103 | 104 | $ ipcrm -M 0x524f4d0a 105 | 106 | # sysctl -w vm.nr_hugepages=0 107 | 108 | Without explicit use of 2 MiB pages (that is, most likely with 4 KiB 109 | pages), the test programs above run fine as well, but slower, presumably 110 | mostly because of cache thrashing with page tables. ROM initialization 111 | time is about as good: 112 | 113 | $ time ./initrom 112 1 114 | r=7 N=2^11 NROM=2^27 115 | Will use 117440512.00 KiB ROM 116 | 1792.00 KiB RAM 117 | shmget: Cannot allocate memory 118 | Retrying without SHM_HUGETLB 119 | Initializing ROM ... DONE (0e644812) 120 | '$7X3$95..../....WZaPV7LSUEKMo34.$UJxyIFR5NmT8WJ3ibOuVSAB3iQ/2IkruLUWTThZ/BN6' 121 | 122 | real 0m42.141s 123 | user 12m17.489s 124 | sys 8m33.598s 125 | 126 | However, password hashing speed while using that ROM on small pages is 127 | impacted badly: 128 | 129 | $ ./userom 112 1 130 | r=7 N=2^11 NROM=2^27 131 | Will use 117440512.00 KiB ROM 132 | 1792.00 KiB RAM 133 | ROM access frequency mask: 0x1 134 | '$7X3$95..../....WZaPV7LSUEKMo34.$UJxyIFR5NmT8WJ3ibOuVSAB3iQ/2IkruLUWTThZ/BN6' 135 | Benchmarking 1 thread ... 136 | 157 c/s real, 158 c/s virtual (255 hashes in 1.62 seconds) 137 | Benchmarking 32 threads ... 138 | 1733 c/s real, 54 c/s virtual (1785 hashes in 1.03 seconds) 139 | 140 | Thus, at these ROM sizes the use of "huge pages" is a must - otherwise 141 | we're giving attackers (who would tune their systems) a 4x+ performance 142 | advantage. 143 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1/README: -------------------------------------------------------------------------------- 1 | This yescrypt distribution is a work-in-progress. Its interfaces other 2 | than crypto_scrypt(), as well as their semantics, are subject to 3 | (incompatible) changes in future revisions. 4 | 5 | 6 | How to test yescrypt for proper operation. 7 | 8 | On a Unix-like system, invoke "make check". This will build and run a 9 | program called "tests", and check its output against the supplied file 10 | TESTS-OK. It will also build a program called "phc-test", and if a file 11 | called PHC-TEST-OK is present will run that program and check its output 12 | against that file's contents. If everything matches, each of these two 13 | sets of tests prints one word "PASSED", so there will be two such lines 14 | among "make check" output, one of them being the final line of output. 15 | 16 | We do most of our testing on Linux systems with gcc. The supplied 17 | Makefile assumes that you use gcc. 18 | 19 | 20 | ROM in SysV shared memory demo and benchmark. 21 | 22 | Also included with this version of yescrypt are "initrom" and "userom" 23 | demo programs. They're built by simply typing "make". Please refer to 24 | PERFORMANCE-* text files for examples of system configuration and 25 | running of these programs. 26 | 27 | 28 | Alternate code versions and make targets. 29 | 30 | Three implementations of yescrypt are included: reference, partially 31 | optimized (without use of SIMD), and fully optimized for x86/x86-64 32 | (with use of SIMD intrinsics). By default, one of the two optimized 33 | implementations is built as appropriate for the given machine. 34 | 35 | The reference implementation is unoptimized and is very slow, but it has 36 | simpler and shorter source code. Its purpose is to provide a simple 37 | human- and machine-readable specification that implementations intended 38 | for actual use should be tested against. It is deliberately mostly not 39 | optimized, and it is not meant to be used in production. 40 | 41 | There are two additional make targets similar to "make check": they are 42 | "make check-ref" and "make check-opt". These build and test the two 43 | included alternate code versions. 44 | 45 | Similarly, there are two make targets to build all of the programs along 46 | with either of the two alternate implementations. These are simply 47 | "make ref" and "make opt". After having used one of these, the 48 | "initrom" and "userom" programs will use that build's implementation. 49 | 50 | "make clean" may need to be run between making different builds. 51 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1/initrom.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2013-2015 Alexander Peslyak 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted. 7 | * 8 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 9 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 10 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 11 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 12 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 13 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 14 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 15 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 16 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 17 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 18 | * SUCH DAMAGE. 19 | */ 20 | 21 | #define YESCRYPT_FLAGS YESCRYPT_RW 22 | 23 | #define ROM_SHM_KEY 0x524f4d0a 24 | #define ROM_LOCAL_PARAM "change this before use" 25 | 26 | /* Maximum parallelism factor during ROM initialization */ 27 | #define YESCRYPT_PROM_SHM 32 28 | #define YESCRYPT_PROM_FILE 4 29 | 30 | //#define USE_HUGEPAGE 31 | 32 | #include 33 | #include 34 | #include /* for atoi() */ 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | 42 | #include "yescrypt.h" 43 | 44 | int main(int argc, const char * const *argv) 45 | { 46 | #if 0 47 | uint64_t rom_bytes = 112 * (1024ULL*1024*1024); 48 | uint64_t ram_bytes = 1 * (1024ULL*1024); 49 | #else 50 | uint64_t rom_bytes = 3 * (1024ULL*1024*1024); 51 | uint64_t ram_bytes = 2 * (1024ULL*1024); 52 | #endif 53 | uint32_t r, min_r; 54 | uint64_t NROM_log2, N_log2; 55 | int shmid; 56 | yescrypt_shared_t shared; 57 | uint8_t digest[4]; 58 | const char * rom_filename = NULL; 59 | int rom_fd; 60 | 61 | if (argc > 1) 62 | rom_bytes = atoi(argv[1]) * (1024ULL*1024*1024); 63 | if (argc > 2) 64 | ram_bytes = atoi(argv[2]) * (1024ULL*1024); 65 | if (argc > 3) 66 | rom_filename = argv[3]; 67 | 68 | if (!rom_bytes) { 69 | puts("Wrong ROM size requested"); 70 | return 1; 71 | } 72 | 73 | min_r = 5; 74 | if (rom_filename) 75 | min_r = 8 * 256; 76 | 77 | NROM_log2 = 0; 78 | while (((rom_bytes >> NROM_log2) & 0xff) == 0) 79 | NROM_log2++; 80 | r = rom_bytes >> (7 + NROM_log2); 81 | while (r < min_r && NROM_log2 > 0) { 82 | r <<= 1; 83 | NROM_log2--; 84 | } 85 | rom_bytes = (uint64_t)r << (7 + NROM_log2); 86 | 87 | N_log2 = 3; 88 | while ((r << (7 + N_log2)) < ram_bytes) 89 | N_log2++; 90 | ram_bytes = (uint64_t)r << (7 + N_log2); 91 | 92 | printf("r=%u N=2^%u NROM=2^%u\n", r, 93 | (unsigned int)N_log2, (unsigned int)NROM_log2); 94 | 95 | printf("Will use %.2f KiB ROM\n", rom_bytes / 1024.0); 96 | printf(" %.2f KiB RAM\n", ram_bytes / 1024.0); 97 | 98 | shared.aligned_size = rom_bytes; 99 | 100 | if (rom_filename) { 101 | rom_fd = open(rom_filename, O_CREAT|O_RDWR|O_EXCL, 102 | S_IRUSR|S_IRGRP|S_IWUSR); 103 | if (rom_fd < 0) { 104 | perror("open"); 105 | return 1; 106 | } 107 | if (ftruncate(rom_fd, rom_bytes)) { 108 | perror("ftruncate"); 109 | close(rom_fd); 110 | unlink(rom_filename); 111 | return 1; 112 | } 113 | 114 | int flags = 115 | #ifdef MAP_NOCORE 116 | MAP_NOCORE | 117 | #endif 118 | #if defined(MAP_HUGETLB) && defined(USE_HUGEPAGE) 119 | MAP_HUGETLB | 120 | #endif 121 | MAP_SHARED; 122 | void * p = mmap(NULL, rom_bytes, PROT_READ | PROT_WRITE, 123 | flags, rom_fd, 0); 124 | #if defined(MAP_HUGETLB) && defined(USE_HUGEPAGE) 125 | if (p == MAP_FAILED) 126 | p = mmap(NULL, rom_bytes, PROT_READ | PROT_WRITE, 127 | flags & ~MAP_HUGETLB, rom_fd, 0); 128 | #endif 129 | if (p == MAP_FAILED) { 130 | perror("mmap"); 131 | close(rom_fd); 132 | unlink(rom_filename); 133 | return 1; 134 | } 135 | close(rom_fd); 136 | shared.base = shared.aligned = p; 137 | } else { 138 | shmid = shmget(ROM_SHM_KEY, shared.aligned_size, 139 | #ifdef SHM_HUGETLB 140 | SHM_HUGETLB | 141 | #endif 142 | IPC_CREAT|IPC_EXCL | S_IRUSR|S_IRGRP|S_IWUSR); 143 | if (shmid == -1) { 144 | #ifdef SHM_HUGETLB 145 | perror("shmget"); 146 | puts("Retrying without SHM_HUGETLB"); 147 | shmid = shmget(ROM_SHM_KEY, shared.aligned_size, 148 | IPC_CREAT|IPC_EXCL | S_IRUSR|S_IRGRP|S_IWUSR); 149 | #endif 150 | if (shmid == -1) { 151 | perror("shmget"); 152 | return 1; 153 | } 154 | } 155 | 156 | shared.base = shared.aligned = shmat(shmid, NULL, 0); 157 | if (shared.base == (void *)-1) { 158 | int save_errno = errno; 159 | shmctl(shmid, IPC_RMID, NULL); 160 | errno = save_errno; 161 | perror("shmat"); 162 | return 1; 163 | } 164 | } 165 | 166 | printf("Initializing ROM ..."); 167 | fflush(stdout); 168 | if (yescrypt_init_shared(&shared, 169 | (uint8_t *)ROM_LOCAL_PARAM, strlen(ROM_LOCAL_PARAM), 170 | (uint64_t)1 << NROM_log2, r, 171 | rom_filename ? YESCRYPT_PROM_FILE : YESCRYPT_PROM_SHM, 172 | YESCRYPT_SHARED_PREALLOCATED, 173 | digest, sizeof(digest))) { 174 | puts(" FAILED"); 175 | if (rom_filename) 176 | unlink(rom_filename); 177 | return 1; 178 | } 179 | printf(" DONE (%02x%02x%02x%02x)\n", 180 | digest[0], digest[1], digest[2], digest[3]); 181 | 182 | { 183 | yescrypt_local_t local; 184 | const uint8_t *setting; 185 | uint8_t hash[128]; 186 | 187 | if (yescrypt_init_local(&local)) { 188 | puts("yescrypt_init_local() FAILED"); 189 | return 1; 190 | } 191 | 192 | setting = yescrypt_gensalt( 193 | N_log2, r, 1, YESCRYPT_FLAGS, 194 | (const uint8_t *)"binary data", 12); 195 | 196 | printf("'%s'\n", (char *)yescrypt_r(&shared, &local, 197 | (const uint8_t *)"pleaseletmein", 13, setting, 198 | hash, sizeof(hash))); 199 | } 200 | 201 | if (rom_filename && munmap(shared.base, rom_bytes)) { 202 | perror("munmap"); 203 | return 1; 204 | } 205 | 206 | return 0; 207 | } 208 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1/phc.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2014,2015 Alexander Peslyak 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted. 7 | * 8 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 9 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 10 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 11 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 12 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 13 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 14 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 15 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 16 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 17 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 18 | * SUCH DAMAGE. 19 | */ 20 | 21 | #define YESCRYPT_FLAGS YESCRYPT_RW 22 | #define YESCRYPT_BASE_N 8 23 | #define YESCRYPT_R 8 24 | #define YESCRYPT_P 1 25 | 26 | #include "yescrypt.h" 27 | 28 | #ifdef TEST 29 | static 30 | #endif 31 | int PHS(void *out, size_t outlen, const void *in, size_t inlen, 32 | const void *salt, size_t saltlen, unsigned int t_cost, unsigned int m_cost) 33 | { 34 | yescrypt_local_t local; 35 | int retval; 36 | 37 | if (yescrypt_init_local(&local)) 38 | return -1; 39 | retval = yescrypt_kdf(NULL, &local, in, inlen, salt, saltlen, 40 | (uint64_t)YESCRYPT_BASE_N << m_cost, YESCRYPT_R, YESCRYPT_P, 41 | t_cost, 0, YESCRYPT_FLAGS, out, outlen); 42 | if (yescrypt_free_local(&local)) 43 | return -1; 44 | return retval; 45 | } 46 | 47 | #ifdef TEST 48 | #include 49 | #include /* for sysconf() */ 50 | #include 51 | 52 | static void print_hex(const uint8_t *buf, size_t buflen, const char *sep) 53 | { 54 | size_t i; 55 | 56 | putchar('"'); 57 | for (i = 0; i < buflen; i++) 58 | printf("\\x%02x", buf[i]); 59 | printf("\"%s", sep); 60 | } 61 | 62 | static void print_PHS(const void *in, size_t inlen, 63 | const void *salt, size_t saltlen, unsigned int t_cost, unsigned int m_cost) 64 | { 65 | uint8_t dk[32]; 66 | 67 | printf("PHS("); 68 | print_hex(in, inlen, ", "); 69 | print_hex(salt, saltlen, ", "); 70 | printf("%u, %u) = ", t_cost, m_cost); 71 | 72 | if (PHS(dk, sizeof(dk), in, inlen, salt, saltlen, t_cost, m_cost)) { 73 | puts("FAILED"); 74 | return; 75 | } 76 | 77 | print_hex(dk, sizeof(dk), "\n"); 78 | } 79 | 80 | static void print_all_PHS(unsigned int t_cost, unsigned int m_cost) 81 | { 82 | clock_t clk_tck = sysconf(_SC_CLK_TCK); 83 | struct tms start_tms, end_tms; 84 | clock_t start = times(&start_tms), end, start_v, end_v; 85 | const int count = 0x102; 86 | size_t inlen; 87 | int i, j; 88 | 89 | inlen = 0; 90 | for (i = 0; i < count; i++) { 91 | uint8_t in[128], salt[16]; 92 | 93 | for (j = 0; j < inlen; j++) 94 | in[j] = (i + j) & 0xff; 95 | for (j = 0; j < sizeof(salt); j++) 96 | salt[j] = ~(i + j) & 0xff; 97 | 98 | print_PHS(in, inlen, salt, sizeof(salt), t_cost, m_cost); 99 | 100 | if (++inlen > sizeof(in)) 101 | inlen = 0; 102 | } 103 | 104 | end = times(&end_tms); 105 | 106 | start_v = start_tms.tms_utime + start_tms.tms_stime + 107 | start_tms.tms_cutime + start_tms.tms_cstime; 108 | end_v = end_tms.tms_utime + end_tms.tms_stime + 109 | end_tms.tms_cutime + end_tms.tms_cstime; 110 | 111 | if (end == start) 112 | end++; 113 | if (end_v == start_v) 114 | end_v++; 115 | 116 | fprintf(stderr, "m_cost=%u (%.0f KiB), t_cost=%u\n" 117 | "%llu c/s real, %llu c/s virtual (%llu hashes in %.2f seconds)\n", 118 | m_cost, (YESCRYPT_BASE_N << m_cost) * YESCRYPT_R / 8.0, t_cost, 119 | (unsigned long long)count * clk_tck / (end - start), 120 | (unsigned long long)count * clk_tck / (end_v - start_v), 121 | (unsigned long long)count, (double)(end - start) / clk_tck); 122 | } 123 | 124 | int main(int argc, char *argv[]) 125 | { 126 | #if 0 127 | setvbuf(stdout, NULL, _IOLBF, 0); 128 | #endif 129 | 130 | print_all_PHS(0, 0); 131 | print_all_PHS(0, 7); 132 | print_all_PHS(0, 8); 133 | print_all_PHS(1, 8); 134 | print_all_PHS(2, 8); 135 | print_all_PHS(3, 8); 136 | print_all_PHS(0, 11); 137 | 138 | return 0; 139 | } 140 | #endif 141 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1/sha256.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2005,2007,2009 Colin Percival 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 14 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 | * SUCH DAMAGE. 25 | * 26 | * $FreeBSD: src/lib/libmd/sha256.h,v 1.2 2006/01/17 15:35:56 phk Exp $ 27 | */ 28 | 29 | #ifndef _SHA256_H_ 30 | #define _SHA256_H_ 31 | 32 | #include 33 | 34 | #include 35 | 36 | typedef struct SHA256Context { 37 | uint32_t state[8]; 38 | uint32_t count[2]; 39 | unsigned char buf[64]; 40 | } SHA256_CTX; 41 | 42 | typedef struct HMAC_SHA256Context { 43 | SHA256_CTX ictx; 44 | SHA256_CTX octx; 45 | } HMAC_SHA256_CTX; 46 | 47 | void SHA256_Init(SHA256_CTX *); 48 | void SHA256_Update(SHA256_CTX *, const void *, size_t); 49 | void SHA256_Final(unsigned char [32], SHA256_CTX *); 50 | void HMAC_SHA256_Init(HMAC_SHA256_CTX *, const void *, size_t); 51 | void HMAC_SHA256_Update(HMAC_SHA256_CTX *, const void *, size_t); 52 | void HMAC_SHA256_Final(unsigned char [32], HMAC_SHA256_CTX *); 53 | 54 | /** 55 | * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): 56 | * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and 57 | * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1). 58 | */ 59 | void PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t, 60 | uint64_t, uint8_t *, size_t); 61 | 62 | #endif /* !_SHA256_H_ */ 63 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1/sysendian.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2007-2009 Colin Percival 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 14 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 | * SUCH DAMAGE. 25 | * 26 | * This file was originally written by Colin Percival as part of the Tarsnap 27 | * online backup system. 28 | */ 29 | #ifndef _SYSENDIAN_H_ 30 | #define _SYSENDIAN_H_ 31 | 32 | /* If we don't have be64enc, the we have isn't usable. */ 33 | #if !HAVE_DECL_BE64ENC 34 | #undef HAVE_SYS_ENDIAN_H 35 | #endif 36 | 37 | #ifdef HAVE_SYS_ENDIAN_H 38 | 39 | #include 40 | 41 | #else 42 | 43 | #include 44 | 45 | static inline uint32_t 46 | be32dec(const void *pp) 47 | { 48 | const uint8_t *p = (uint8_t const *)pp; 49 | 50 | return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + 51 | ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); 52 | } 53 | 54 | static inline void 55 | be32enc(void *pp, uint32_t x) 56 | { 57 | uint8_t * p = (uint8_t *)pp; 58 | 59 | p[3] = x & 0xff; 60 | p[2] = (x >> 8) & 0xff; 61 | p[1] = (x >> 16) & 0xff; 62 | p[0] = (x >> 24) & 0xff; 63 | } 64 | 65 | static inline uint64_t 66 | be64dec(const void *pp) 67 | { 68 | const uint8_t *p = (uint8_t const *)pp; 69 | 70 | return ((uint64_t)(p[7]) + ((uint64_t)(p[6]) << 8) + 71 | ((uint64_t)(p[5]) << 16) + ((uint64_t)(p[4]) << 24) + 72 | ((uint64_t)(p[3]) << 32) + ((uint64_t)(p[2]) << 40) + 73 | ((uint64_t)(p[1]) << 48) + ((uint64_t)(p[0]) << 56)); 74 | } 75 | 76 | static inline void 77 | be64enc(void *pp, uint64_t x) 78 | { 79 | uint8_t * p = (uint8_t *)pp; 80 | 81 | p[7] = x & 0xff; 82 | p[6] = (x >> 8) & 0xff; 83 | p[5] = (x >> 16) & 0xff; 84 | p[4] = (x >> 24) & 0xff; 85 | p[3] = (x >> 32) & 0xff; 86 | p[2] = (x >> 40) & 0xff; 87 | p[1] = (x >> 48) & 0xff; 88 | p[0] = (x >> 56) & 0xff; 89 | } 90 | 91 | static inline uint32_t 92 | le32dec(const void *pp) 93 | { 94 | const uint8_t *p = (uint8_t const *)pp; 95 | 96 | return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) + 97 | ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24)); 98 | } 99 | 100 | static inline void 101 | le32enc(void *pp, uint32_t x) 102 | { 103 | uint8_t * p = (uint8_t *)pp; 104 | 105 | p[0] = x & 0xff; 106 | p[1] = (x >> 8) & 0xff; 107 | p[2] = (x >> 16) & 0xff; 108 | p[3] = (x >> 24) & 0xff; 109 | } 110 | 111 | static inline uint64_t 112 | le64dec(const void *pp) 113 | { 114 | const uint8_t *p = (uint8_t const *)pp; 115 | 116 | return ((uint64_t)(p[0]) + ((uint64_t)(p[1]) << 8) + 117 | ((uint64_t)(p[2]) << 16) + ((uint64_t)(p[3]) << 24) + 118 | ((uint64_t)(p[4]) << 32) + ((uint64_t)(p[5]) << 40) + 119 | ((uint64_t)(p[6]) << 48) + ((uint64_t)(p[7]) << 56)); 120 | } 121 | 122 | static inline void 123 | le64enc(void *pp, uint64_t x) 124 | { 125 | uint8_t * p = (uint8_t *)pp; 126 | 127 | p[0] = x & 0xff; 128 | p[1] = (x >> 8) & 0xff; 129 | p[2] = (x >> 16) & 0xff; 130 | p[3] = (x >> 24) & 0xff; 131 | p[4] = (x >> 32) & 0xff; 132 | p[5] = (x >> 40) & 0xff; 133 | p[6] = (x >> 48) & 0xff; 134 | p[7] = (x >> 56) & 0xff; 135 | } 136 | #endif /* !HAVE_SYS_ENDIAN_H */ 137 | 138 | #endif /* !_SYSENDIAN_H_ */ 139 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1/yescrypt-best.c: -------------------------------------------------------------------------------- 1 | #ifdef __SSE2__ 2 | #include "yescrypt-simd.c" 3 | #else 4 | #include "yescrypt-opt.c" 5 | #endif 6 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1/yescrypt-platform.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2013-2015 Alexander Peslyak 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted. 7 | * 8 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 9 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 10 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 11 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 12 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 13 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 14 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 15 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 16 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 17 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 18 | * SUCH DAMAGE. 19 | */ 20 | 21 | #include 22 | 23 | #define HUGEPAGE_THRESHOLD (12 * 1024 * 1024) 24 | 25 | #ifdef __x86_64__ 26 | #define HUGEPAGE_SIZE (2 * 1024 * 1024) 27 | #else 28 | #undef HUGEPAGE_SIZE 29 | #endif 30 | 31 | static void * 32 | alloc_region(yescrypt_region_t * region, size_t size) 33 | { 34 | size_t base_size = size; 35 | uint8_t * base, * aligned; 36 | #ifdef MAP_ANON 37 | int flags = 38 | #ifdef MAP_NOCORE 39 | MAP_NOCORE | 40 | #endif 41 | MAP_ANON | MAP_PRIVATE; 42 | #if defined(MAP_HUGETLB) && defined(HUGEPAGE_SIZE) 43 | size_t new_size = size; 44 | const size_t hugepage_mask = (size_t)HUGEPAGE_SIZE - 1; 45 | if (size >= HUGEPAGE_THRESHOLD && size + hugepage_mask >= size) { 46 | flags |= MAP_HUGETLB; 47 | /* 48 | * Linux's munmap() fails on MAP_HUGETLB mappings if size is not a multiple of 49 | * huge page size, so let's round up to huge page size here. 50 | */ 51 | new_size = size + hugepage_mask; 52 | new_size &= ~hugepage_mask; 53 | } 54 | base = mmap(NULL, new_size, PROT_READ | PROT_WRITE, flags, -1, 0); 55 | if (base != MAP_FAILED) { 56 | base_size = new_size; 57 | } else 58 | if (flags & MAP_HUGETLB) { 59 | flags &= ~MAP_HUGETLB; 60 | base = mmap(NULL, size, PROT_READ | PROT_WRITE, flags, -1, 0); 61 | } 62 | 63 | #else 64 | base = mmap(NULL, size, PROT_READ | PROT_WRITE, flags, -1, 0); 65 | #endif 66 | if (base == MAP_FAILED) 67 | base = NULL; 68 | aligned = base; 69 | #elif defined(HAVE_POSIX_MEMALIGN) 70 | if ((errno = posix_memalign((void **)&base, 64, size)) != 0) 71 | base = NULL; 72 | aligned = base; 73 | #else 74 | base = aligned = NULL; 75 | if (size + 63 < size) { 76 | errno = ENOMEM; 77 | } else if ((base = malloc(size + 63)) != NULL) { 78 | aligned = base + 63; 79 | aligned -= (uintptr_t)aligned & 63; 80 | } 81 | #endif 82 | region->base = base; 83 | region->aligned = aligned; 84 | region->base_size = base ? base_size : 0; 85 | region->aligned_size = base ? size : 0; 86 | return aligned; 87 | } 88 | 89 | static inline void 90 | init_region(yescrypt_region_t * region) 91 | { 92 | region->base = region->aligned = NULL; 93 | region->base_size = region->aligned_size = 0; 94 | } 95 | 96 | static int 97 | free_region(yescrypt_region_t * region) 98 | { 99 | if (region->base) { 100 | #ifdef MAP_ANON 101 | if (munmap(region->base, region->base_size)) 102 | return -1; 103 | #else 104 | free(region->base); 105 | #endif 106 | } 107 | init_region(region); 108 | return 0; 109 | } 110 | 111 | int 112 | yescrypt_init_shared(yescrypt_shared_t * shared, 113 | const uint8_t * param, size_t paramlen, 114 | uint64_t N, uint32_t r, uint32_t p, 115 | yescrypt_init_shared_flags_t flags, 116 | uint8_t * buf, size_t buflen) 117 | { 118 | yescrypt_shared_t half1, half2; 119 | uint8_t salt[32]; 120 | 121 | if (flags & YESCRYPT_SHARED_PREALLOCATED) { 122 | if (!shared->aligned || !shared->aligned_size) 123 | return -1; 124 | } else { 125 | init_region(shared); 126 | } 127 | if (!param && !paramlen && !N && !r && !p && !buf && !buflen) 128 | return 0; 129 | 130 | if (yescrypt_kdf(NULL, shared, 131 | param, paramlen, NULL, 0, N, r, p, 0, 0, 132 | YESCRYPT_RW | __YESCRYPT_INIT_SHARED_1, 133 | salt, sizeof(salt))) 134 | goto out; 135 | 136 | half1 = half2 = *shared; 137 | half1.aligned_size /= 2; 138 | half2.aligned += half1.aligned_size; 139 | half2.aligned_size = half1.aligned_size; 140 | N /= 2; 141 | 142 | if (p > 1 && yescrypt_kdf(&half1, &half2, 143 | param, paramlen, salt, sizeof(salt), N, r, p, 0, 0, 144 | YESCRYPT_RW | __YESCRYPT_INIT_SHARED_2, 145 | salt, sizeof(salt))) 146 | goto out; 147 | 148 | if (yescrypt_kdf(&half2, &half1, 149 | param, paramlen, salt, sizeof(salt), N, r, p, 0, 0, 150 | YESCRYPT_RW | __YESCRYPT_INIT_SHARED_1, 151 | salt, sizeof(salt))) 152 | goto out; 153 | 154 | if (yescrypt_kdf(&half1, &half2, 155 | param, paramlen, salt, sizeof(salt), N, r, p, 0, 0, 156 | YESCRYPT_RW | __YESCRYPT_INIT_SHARED_1, 157 | buf, buflen)) 158 | goto out; 159 | 160 | return 0; 161 | 162 | out: 163 | if (!(flags & YESCRYPT_SHARED_PREALLOCATED)) 164 | free_region(shared); 165 | return -1; 166 | } 167 | 168 | int 169 | yescrypt_free_shared(yescrypt_shared_t * shared) 170 | { 171 | return free_region(shared); 172 | } 173 | 174 | int 175 | yescrypt_init_local(yescrypt_local_t * local) 176 | { 177 | init_region(local); 178 | return 0; 179 | } 180 | 181 | int 182 | yescrypt_free_local(yescrypt_local_t * local) 183 | { 184 | return free_region(local); 185 | } 186 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-0.7.1/yescrypt-ref.h: -------------------------------------------------------------------------------- 1 | #ifndef YESCRYPT_REF_H 2 | #define YESCRYPT_REF_H 3 | 4 | extern void pwxform(uint32_t * B, const uint32_t * S); 5 | extern void salsa20_8(uint32_t B[16]); 6 | 7 | #endif 8 | -------------------------------------------------------------------------------- /reference/yescrypt-0.7.1/yescrypt/yescrypt-phc.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/defuse/yescrypt/6548e8b4c5c70505a595bdc3e947831f1d6390eb/reference/yescrypt-0.7.1/yescrypt/yescrypt-phc.pdf -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/CHANGES: -------------------------------------------------------------------------------- 1 | Changes made between 0.7.1 (2015/01/31) and 0.8.1 (2015/10/25). 2 | 3 | pwxform became stateful, through writes to its S-boxes. This further 4 | discourages TMTO attacks on yescrypt as a whole, as well as on pwxform 5 | S-boxes separately. It also increases the total size of the S-boxes by 6 | a factor of 1.5 (8 KiB to 12 KiB by default) and it puts the previously 7 | mostly idle L1 cache write ports on CPUs to use. 8 | 9 | Salsa20/8 in BlockMix_pwxform has been replaced with Salsa20/2. 10 | 11 | An extra HMAC-SHA256 update of the password buffer (which is eventually 12 | passed into the final PBKDF2 invocation) is now performed right after 13 | the pwxform S-boxes initialization. 14 | 15 | Nloop_rw rounding has been adjusted to be the same as Nloop_all's. 16 | This avoids an unnecessary invocation of SMix2 with Nloop = 2, which 17 | would otherwise have occurred in some cases. 18 | 19 | t is now halved per hash upgrade (rather than reset to 0 right away on 20 | the very first upgrade, like it was in 0.7.1). 21 | 22 | Minor corrections and improvements to the specification and the code 23 | have been made. 24 | 25 | 26 | Changes made between 0.6.4 (2015/01/30) and 0.7.1 (2015/01/31). 27 | 28 | The YESCRYPT_PARALLEL_SMIX and YESCRYPT_PWXFORM flags have been removed, 29 | with the corresponding functionality enabled along with the YESCRYPT_RW 30 | flag. This change has simplified the SIMD implementation a little bit 31 | (eliminating specialized code for some flag combinations that are no 32 | longer possible), and it should help simplify documentation, analysis, 33 | testing, and benchmarking (fewer combinations of settings to test). 34 | 35 | Adjustments to pre- and post-hashing have been made to address subtle 36 | issues and non-intuitive behavior, as well as in some cases to reduce 37 | impact of garbage collector attacks. 38 | 39 | Support for hash upgrades has been added (the g parameter). 40 | 41 | Extra tests have been written and test vectors re-generated. 42 | 43 | 44 | Changes made between 0.5.2 (2014/03/31) and 0.6.4 (2015/01/30). 45 | 46 | Dropped support for ROM access frequency mask since it made little sense 47 | when supporting only one ROM at a time. (It'd make sense with two ROMs, 48 | for simultaneous use of a ROM-in-RAM and a ROM-on-SSD. With just one 49 | ROM, the mask could still be used for a ROM-on-SSD, but only in lieu of 50 | a ROM-in-RAM, which would arguably be unreasonable.) 51 | 52 | Simplified the API by having it accept NULL for the "shared" parameter 53 | to indicate no ROM in use. (Previously, a dummy "shared" structure had 54 | to be created.) 55 | 56 | Completed the specification of pwxform, BlockMix_pwxform, Salsa20 SIMD 57 | shuffling, and potential endianness conversion. (No change to these has 58 | been made - they have just been specified in the included document more 59 | completely.) 60 | 61 | Provided rationale for the default compile-time settings for pwxform. 62 | 63 | Revised the reference and optimized implementations' source code to more 64 | closely match the current specification document in terms of identifier 65 | names, compile-time constant expressions, source code comments, and in 66 | some cases the ordering of source code lines. None of these changes 67 | affect the computed hash values, hence the test vectors have remained 68 | the same. 69 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/extra/README: -------------------------------------------------------------------------------- 1 | These are some of the programs written and used during design and 2 | development of yescrypt in order to evaluate possible design decisions 3 | and make the better ones. Also included are text files with output of 4 | some of these programs. 5 | 6 | sim-at is a numerical simulation of four different variations of the 7 | first loop in SMix, estimating the resulting ASIC area-time costs for 8 | the attacker, as well as other properties. (One of the four options was 9 | chosen for the current implementation as a result.) 10 | 11 | sim-normat computes normalized area-time costs (for the same defensive 12 | running time) for the different variations of SMix at different points 13 | in time (iterations of SMix's second loop). It has helped confirm 14 | optimal stop points for different modes of yescrypt (these are now 15 | chosen for t = 0), as well as choose reasonable stop points for higher 16 | values of t considering to what extent less optimal those are. 17 | 18 | sim-tmto is an implementation of a time-memory tradeoff (TMTO) attack on 19 | a modification to SMix's second loop designed to discourage such TMTOs. 20 | It shows to what extent that modification is effective against at least 21 | this particular attack. (The corresponding modification is implemented 22 | in yescrypt. The YESCRYPT_RW flag enables it, although it also affects 23 | SMix's first loop, which likely has an even greater effect against TMTO. 24 | This extra effect of YESCRYPT_RW is not simulated in this program.) 25 | 26 | analyze is a program to analyze the distribution of values of bytes, 27 | 16-bit words, and 32-bit words in yescrypt memory dumps, such as in 28 | those produced with userom.c's "#define DUMP_LOCAL". It was used to 29 | confirm that pwxform retains sufficient entropy and doesn't introduce 30 | significant biases. For stress-testing, dumps were made not only at 31 | yescrypt's usual settings, but also at unusually low and ridiculously 32 | high pwxform round counts. 33 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/extra/analyze.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | static void analyze(unsigned char *Vc, size_t n) 7 | { 8 | static uint64_t Vmap32[2][0x100000000 / 64]; 9 | static uint64_t Vmap16[4][2][0x10000 / 64]; 10 | static int called; 11 | uint32_t *Vi = (uint32_t *)Vc; 12 | size_t i; 13 | size_t counts[0x100], min, max, diff32[2], diff16[4][2], sum; 14 | 15 | fprintf(stderr, "n = %llu\n", (unsigned long long)n); 16 | 17 | memset(counts, 0, sizeof(counts)); 18 | for (i = 0; i < n; i++) 19 | counts[Vc[i]]++; 20 | min = ~0UL; max = 0; 21 | for (i = 0; i < 0x100; i++) { 22 | if (min > counts[i]) 23 | min = counts[i]; 24 | if (max < counts[i]) 25 | max = counts[i]; 26 | } 27 | fprintf(stderr, "min = %llu max = %llu" 28 | " (min+max)/2 = %.1f (expected %.1f)\n", 29 | (unsigned long long)min, (unsigned long long)max, 30 | (double)(min + max) / 2.0, (double)n / 0x100); 31 | 32 | n /= sizeof(uint32_t); 33 | /* Assume the statics are zero on first call */ 34 | if (called) { 35 | memset(Vmap32, 0, sizeof(Vmap32)); 36 | memset(Vmap16, 0, sizeof(Vmap16)); 37 | } 38 | called = 1; 39 | memset(diff32, 0, sizeof(diff32)); 40 | memset(diff16, 0, sizeof(diff16)); 41 | for (i = 0; i < n; i++) { 42 | uint32_t x = Vi[i]; 43 | uint32_t lo = x & 0xffff; 44 | uint32_t hi = x >> 16; 45 | uint64_t * v = &Vmap32[i & 1][x / 64]; 46 | if (!(*v & ((uint64_t)1 << (x % 64)))) 47 | diff32[i & 1]++; 48 | *v |= (uint64_t)1 << (x % 64); 49 | v = &Vmap16[i & 3][0][lo / 64]; 50 | if (!(*v & ((uint64_t)1 << (lo % 64)))) 51 | diff16[i & 3][0]++; 52 | *v |= (uint64_t)1 << (lo % 64); 53 | v = &Vmap16[i & 3][1][hi / 64]; 54 | if (!(*v & ((uint64_t)1 << (hi % 64)))) 55 | diff16[i & 3][1]++; 56 | *v |= (uint64_t)1 << (hi % 64); 57 | } 58 | sum = 0; 59 | for (i = 0; i < 4; i++) 60 | sum += diff16[i][0] + diff16[i][1]; 61 | fprintf(stderr, 62 | "diff32 = %llu %llu" 63 | " (expected %.1f)\n" 64 | "diff16 = %llu %llu %llu %llu %llu %llu %llu %llu avg = %.1f" 65 | " (expected %.1f)\n", 66 | (unsigned long long)diff32[0], (unsigned long long)diff32[1], 67 | (1ULL<<32) * (1.0 - pow(((1ULL<<32) - 1.0) / (1ULL<<32), n / 2.0)), 68 | (unsigned long long)diff16[0][0], (unsigned long long)diff16[0][1], 69 | (unsigned long long)diff16[1][0], (unsigned long long)diff16[1][1], 70 | (unsigned long long)diff16[2][0], (unsigned long long)diff16[2][1], 71 | (unsigned long long)diff16[3][0], (unsigned long long)diff16[3][1], 72 | sum / 8.0, 73 | 0x10000 * (1.0 - pow((0x10000 - 1.0) / 0x10000, n / 4.0))); 74 | } 75 | 76 | int main(void) 77 | { 78 | static unsigned char V[0x10000000]; 79 | size_t n; 80 | 81 | n = fread(V, 1, sizeof(V), stdin); 82 | if (ferror(stdin)) { 83 | perror("fread"); 84 | return 1; 85 | } 86 | 87 | analyze(V, n); 88 | 89 | return 0; 90 | } 91 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/extra/sim-at-output.txt: -------------------------------------------------------------------------------- 1 | classic 2 | B' = 292735ce775aaef5 3 | t_cost = 2097152 4 | at_cost1 = 1073741824 at_cost2 = 549755813888 at_cost = 550829555712 5 | at_cost1/t = 512 at_cost2/t = 262144 at_cost/t = 262656 6 | total: nhits=663284 (63.26%) mhits=9 7 | 8 | loop1_pow2(N2 = N/1) 9 | loop1: nhits=595349 (56.78%) mhits=10 10 | B' = d9247fb08f9e807c 11 | t_cost = 2097152 12 | at_cost1 = 183251937963 at_cost2 = 549755813888 at_cost = 733007751851 13 | at_cost1/t = 87381 at_cost2/t = 262144 at_cost/t = 349525 14 | total: nhits=882412 (84.15%) mhits=13 15 | 16 | loop1_pow2(N2 = N/3) 17 | loop1: nhits=595349 (56.78%) mhits=10 18 | B' = 89be57ce3a548730 19 | t_cost = 1398101 20 | at_cost1 = 183251937963 at_cost2 = 183251763200 at_cost = 366503701163 21 | at_cost1/t = 131072 at_cost2/t = 131072 at_cost/t = 262144 22 | total: nhits=724167 (69.06%) mhits=11 23 | 24 | loop1_wrap(N2 = N/1) 25 | loop1: nhits=456640 (43.55%) mhits=24 26 | B' = b7283d0ff61c6599 27 | t_cost = 2097152 28 | at_cost1 = 274877644800 at_cost2 = 549755813888 at_cost = 824633458688 29 | at_cost1/t = 131072 at_cost2/t = 262144 at_cost/t = 393216 30 | total: nhits=830413 (79.19%) mhits=24 31 | 32 | loop1_wrap(N2 = N/2) 33 | loop1: nhits=456640 (43.55%) mhits=24 34 | B' = d2070a62b8aaaadd 35 | t_cost = 1572864 36 | at_cost1 = 274877644800 at_cost2 = 274877906944 at_cost = 549755551744 37 | at_cost1/t = 174762 at_cost2/t = 174763 at_cost/t = 349525 38 | total: nhits=689410 (65.75%) mhits=24 39 | 40 | loop1_mod(N2 = N/1) 41 | loop1: nhits=524257 (50.00%) mhits=21 42 | B' = 2365d32db26bfc21 43 | t_cost = 2097152 44 | at_cost1 = 274877644800 at_cost2 = 549755813888 at_cost = 824633458688 45 | at_cost1/t = 131072 at_cost2/t = 262144 at_cost/t = 393216 46 | total: nhits=855632 (81.60%) mhits=22 47 | 48 | loop1_mod(N2 = N/2) 49 | loop1: nhits=524257 (50.00%) mhits=21 50 | B' = 53d65e2fe1ff8ddd 51 | t_cost = 1572864 52 | at_cost1 = 274877644800 at_cost2 = 274877906944 at_cost = 549755551744 53 | at_cost1/t = 174762 at_cost2/t = 174763 at_cost/t = 349525 54 | total: nhits=730298 (69.65%) mhits=22 55 | 56 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/extra/sim-at.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | enum { 7 | N = 0x100000, 8 | B = 0x0b0b0b0b 9 | }; 10 | 11 | static uint32_t t_cost; 12 | static double at_cost1, at_cost2; 13 | static uint32_t hits[N], nhits, mhits; 14 | 15 | static uint64_t V[N]; 16 | 17 | static uint64_t H(uint64_t x) 18 | { 19 | MD5_CTX ctx; 20 | union { 21 | uint64_t i; 22 | unsigned char c[MD5_DIGEST_LENGTH]; 23 | } y; 24 | 25 | t_cost++; 26 | 27 | MD5_Init(&ctx); 28 | MD5_Update(&ctx, &x, sizeof(x)); 29 | MD5_Final(y.c, &ctx); 30 | 31 | return y.i; 32 | } 33 | 34 | static void count_hits(void) 35 | { 36 | uint32_t i; 37 | 38 | nhits = mhits = 0; 39 | for (i = 0; i < N; i++) { 40 | if (hits[i]) 41 | nhits++; 42 | if (hits[i] > mhits) 43 | mhits = hits[i]; 44 | } 45 | } 46 | 47 | static void print_hits(const char *title) 48 | { 49 | printf("%s: nhits=%u (%.2f%%) mhits=%u\n", 50 | title, nhits, 100.0 * nhits / N, mhits); 51 | } 52 | 53 | static void print_costs(uint64_t Bout) 54 | { 55 | printf( 56 | "B' = %16llx\n" 57 | "t_cost = %u\n" 58 | "at_cost1 = %.0f " 59 | "at_cost2 = %.0f " 60 | "at_cost = %.0f\n" 61 | "at_cost1/t = %.0f " 62 | "at_cost2/t = %.0f " 63 | "at_cost/t = %.0f\n", 64 | Bout, 65 | t_cost, at_cost1, at_cost2, at_cost1 + at_cost2, 66 | at_cost1 / t_cost, at_cost2 / t_cost, (at_cost1 + at_cost2) / t_cost); 67 | } 68 | 69 | static void smix_classic(void) 70 | { 71 | uint64_t X = B; 72 | uint32_t i, j; 73 | 74 | puts("classic"); 75 | 76 | t_cost = 0; 77 | 78 | for (i = 0; i < N; i++) { 79 | hits[i] = 0; 80 | 81 | V[i] = X; 82 | X = H(X); 83 | } 84 | 85 | at_cost1 = N * sqrt(N); /* sqrt(N) parallel cores attack with extreme recursion */ 86 | at_cost2 = 0; 87 | 88 | for (i = 0; i < N; i++) { 89 | j = X % N; 90 | X = H(X ^ V[j]); 91 | 92 | hits[j]++; 93 | at_cost2 += N; /* 1 time * N area */ 94 | } 95 | 96 | count_hits(); 97 | 98 | at_cost2 /= 2; /* extreme TMTO */ 99 | 100 | print_costs(X); 101 | print_hits("total"); 102 | puts(""); 103 | } 104 | 105 | static void smix_loop1_pow2(uint32_t N2div) 106 | { 107 | uint64_t X = B; 108 | uint32_t i, j, n, N2; 109 | 110 | printf("loop1_pow2(N2 = N/%u)\n", N2div); 111 | 112 | t_cost = 0; 113 | at_cost1 = at_cost2 = 0; 114 | 115 | n = 1; 116 | for (i = 0; i < N; i++) { 117 | V[i] = X; 118 | 119 | hits[i] = 0; 120 | if (i > 1) { 121 | if ((i & (i - 1)) == 0) 122 | n <<= 1; 123 | j = (X & (n - 1)) + (i - n); 124 | if (j >= i) 125 | fprintf(stderr, "Bad j = %08x\n", j); 126 | hits[j]++; 127 | 128 | X ^= V[j]; 129 | } 130 | 131 | X = H(X); 132 | 133 | at_cost1 += n; /* 1 time * n area */ 134 | } 135 | 136 | count_hits(); 137 | print_hits("loop1"); 138 | 139 | N2 = N / N2div; 140 | for (i = 0; i < N2; i++) { 141 | j = X % N; 142 | X = H(X ^ V[j]); 143 | 144 | hits[j]++; 145 | at_cost2 += N; /* 1 time * N area */ 146 | } 147 | 148 | count_hits(); 149 | 150 | at_cost1 /= 2; /* extreme TMTO, probably impossible */ 151 | at_cost2 /= 2; /* extreme TMTO, probably impossible */ 152 | 153 | print_costs(X); 154 | print_hits("total"); 155 | puts(""); 156 | } 157 | 158 | static uint32_t 159 | wrap(uint64_t x, uint32_t n) 160 | { 161 | uint64_t a = (x + n) & (n - 1); 162 | uint64_t b = x & n; 163 | uint64_t c = (x << 1) & n; 164 | return ((a << 1) + b + c) >> 2; 165 | } 166 | 167 | static void smix_loop1_wrap(uint32_t N2div) 168 | { 169 | uint64_t X = B; 170 | uint32_t i, j, N2; 171 | 172 | printf("loop1_wrap(N2 = N/%u)\n", N2div); 173 | 174 | t_cost = 0; 175 | at_cost1 = at_cost2 = 0; 176 | 177 | for (i = 0; i < N; i++) { 178 | V[i] = X; 179 | 180 | hits[i] = 0; 181 | if (i > 1) { 182 | j = wrap(X, i); 183 | if (j >= i) 184 | fprintf(stderr, "Bad j = %08x\n", j); 185 | hits[j]++; 186 | 187 | X ^= V[j]; 188 | } 189 | 190 | X = H(X); 191 | 192 | at_cost1 += i; /* 1 time * i area (although not all j's in [0,i-1] are possible for a given i) */ 193 | } 194 | 195 | count_hits(); 196 | print_hits("loop1"); 197 | 198 | N2 = N / N2div; 199 | for (i = 0; i < N2; i++) { 200 | j = X % N; 201 | X = H(X ^ V[j]); 202 | 203 | hits[j]++; 204 | at_cost2 += N; /* 1 time * N area */ 205 | } 206 | 207 | count_hits(); 208 | 209 | at_cost1 /= 2; /* extreme TMTO, probably impossible */ 210 | at_cost2 /= 2; /* extreme TMTO, probably impossible */ 211 | 212 | print_costs(X); 213 | print_hits("total"); 214 | puts(""); 215 | } 216 | 217 | static void smix_loop1_mod(uint32_t N2div) 218 | { 219 | uint64_t X = B; 220 | uint32_t i, j, N2; 221 | 222 | printf("loop1_mod(N2 = N/%u)\n", N2div); 223 | 224 | t_cost = 0; 225 | at_cost1 = at_cost2 = 0; 226 | 227 | for (i = 0; i < N; i++) { 228 | V[i] = X; 229 | 230 | hits[i] = 0; 231 | if (i > 1) { 232 | j = X % i; /* drawbacks: depends on chosen size of X (beyond bits in N-1), somewhat slow, not constant time, slightly non-uniform when size of X is not a lot larger than log2(N) */ 233 | if (j >= i) 234 | fprintf(stderr, "Bad j = %08x\n", j); 235 | hits[j]++; 236 | 237 | X ^= V[j]; 238 | } 239 | 240 | X = H(X); 241 | 242 | at_cost1 += i; /* 1 time * i area */ 243 | } 244 | 245 | count_hits(); 246 | print_hits("loop1"); 247 | 248 | N2 = N / N2div; 249 | for (i = 0; i < N2; i++) { 250 | j = X % N; 251 | X = H(X ^ V[j]); 252 | 253 | hits[j]++; 254 | at_cost2 += N; /* 1 time * N area */ 255 | } 256 | 257 | count_hits(); 258 | 259 | at_cost1 /= 2; /* extreme TMTO, probably impossible */ 260 | at_cost2 /= 2; /* extreme TMTO, probably impossible */ 261 | 262 | print_costs(X); 263 | print_hits("total"); 264 | puts(""); 265 | } 266 | 267 | int main(void) 268 | { 269 | smix_classic(); 270 | smix_loop1_pow2(1); 271 | smix_loop1_pow2(3); 272 | smix_loop1_wrap(1); 273 | smix_loop1_wrap(2); 274 | smix_loop1_mod(1); 275 | smix_loop1_mod(2); 276 | return 0; 277 | } 278 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/extra/sim-bmpwx.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc, char **argv) 5 | { 6 | unsigned int r, g, s; 7 | unsigned int r1, i; 8 | 9 | if (argc < 4) { 10 | printf("Usage: %s r PWXgather PWXsimple\n", argv[0]); 11 | return 1; 12 | } 13 | 14 | r = atoi(argv[1]); 15 | g = atoi(argv[2]); 16 | s = atoi(argv[3]); 17 | 18 | printf("g * s * 8 = %u\n", g * s * 8); 19 | printf("rmin = %u\n", (g * s + 127) / 128); 20 | 21 | r1 = 128 * r / (g * s * 8); 22 | printf("r1 = %u\n", r1); 23 | 24 | if (r1 > 1) 25 | printf("X = B'_%u\n", r1 - 1); 26 | else 27 | printf("X = (0, ..., 0)\n"); 28 | 29 | for (i = 0; i < r1; i++) 30 | printf("B'_%u = X = pwxform(X ^ B'_%u)\n", i, i); 31 | 32 | i = (r1 - 1) * g * s / 8; 33 | printf("B_%u = H(B_%u)\n", i, i); 34 | 35 | for (i = i + 1; i < 2 * r; i++) 36 | printf("B_%u = H(B_%u ^ B_%u)\n", i, i, i - 1); 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/extra/sim-normat.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define N_test 1 4 | 5 | /* 6 | * Assume that only random accesses count towards AT, whereas the sequential 7 | * writes (and possible read-backs) have zero cost (e.g., through use of 8 | * external memory that is so cheap its cost is negligible compared to that of 9 | * our fast RAM, or in the case of TMTO-friendly classic scrypt through the 10 | * sqrt(N) cores attack). 11 | */ 12 | static double smix1_at(int mode, double N) 13 | { 14 | switch (mode) { 15 | case 1: 16 | return N * N / 3.0; 17 | case 2: 18 | return N * N / 2.0; 19 | } 20 | return 0; 21 | } 22 | 23 | static void print_table(int mode, int steps, double step) 24 | { 25 | int i; 26 | double N = N_test; 27 | double t_norm = 2 * N; /* normalize relative to classic scrypt */ 28 | double base_at = smix1_at(mode, N); 29 | char *mode_name = "scrypt assuming TMTO is not exploited in 2nd loop"; 30 | 31 | switch (mode) { 32 | case 1: 33 | mode_name = "pow2"; 34 | break; 35 | case 2: 36 | mode_name = "wrap or mod"; 37 | break; 38 | case 3: 39 | mode_name = "scrypt assuming TMTO is fully exploited"; 40 | } 41 | 42 | #if N_test > 1 43 | printf("%s\ntrel\tt\tAT\tAT/t\tATnorm\n", mode_name); 44 | #else 45 | printf("%s\nt\tAT\tAT/t\tATnorm\n", mode_name); 46 | #endif 47 | 48 | for (i = 0; i < steps; i++) { 49 | double t2rel = i * step; 50 | double t2 = t2rel * N; 51 | double t = N + t2; 52 | double at = base_at + t2 * N / (mode == 3 ? 2.0 : 1.0); 53 | double at_per_time = at / t; 54 | double N_norm = N * t_norm / t; 55 | double t2_norm = t2rel * N_norm; 56 | double base_at_norm = smix1_at(mode, N_norm); 57 | double at_norm = base_at_norm + t2_norm * N_norm; 58 | 59 | #if N_test > 1 60 | printf("%.2f\t%.2f\t%.3f\t%.3f\t%.3f\n", 61 | 1 + t2rel, t, at, at_per_time, at_norm); 62 | #else 63 | printf("%.2f\t%.2f\t%.3f\t%.3f\n", 64 | t, at, at_per_time, at_norm); 65 | #endif 66 | } 67 | } 68 | 69 | int main(void) 70 | { 71 | print_table(0, 111, 0.01); 72 | print_table(1, 111, 0.01); 73 | print_table(2, 111, 0.01); 74 | print_table(3, 111, 0.01); 75 | return 0; 76 | } 77 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/extra/sim-tmto-output.txt: -------------------------------------------------------------------------------- 1 | scrypt classic: 2 | B' = 8c126669 3 | t_cost = 512 4 | m_cost = 256 5 | scrypt TMTO = 5: 6 | B' = 8c126669 7 | t_cost = 1010 8 | m_cost = 52 9 | scrypt ircmaxell: 10 | B' = 24efce90 11 | t_cost = 512 12 | m_cost = 256 13 | scrypt ircmaxell TMTO1 = 5, TMTO2 = 2: 14 | B' = 24efce90 15 | t_cost = 978 16 | m_cost = 180 elements + 256 indices (363 alloc + 256 ptrs) + 512 counters 17 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/extra/sim-tmto.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | enum { 6 | N = 0x100, 7 | B = 0x0b0b0b0b, 8 | TMTO = 5 9 | }; 10 | 11 | static uint32_t t_cost; 12 | static uint32_t V[N]; 13 | 14 | static uint32_t H(uint32_t x) 15 | { 16 | MD5_CTX ctx; 17 | union { 18 | uint32_t i; 19 | unsigned char c[MD5_DIGEST_LENGTH]; 20 | } y; 21 | 22 | t_cost++; 23 | 24 | MD5_Init(&ctx); 25 | MD5_Update(&ctx, &x, sizeof(x)); 26 | MD5_Final(y.c, &ctx); 27 | 28 | return y.i; 29 | } 30 | 31 | static void smix_classic(void) 32 | { 33 | uint32_t X = B; 34 | uint32_t i, j; 35 | 36 | t_cost = 0; 37 | 38 | for (i = 0; i < N; i++) { 39 | V[i] = X; 40 | X = H(X); 41 | } 42 | 43 | for (i = 0; i < N; i++) { 44 | j = X % N; 45 | X = H(X ^ V[j]); 46 | } 47 | 48 | printf( 49 | "scrypt classic:\n" 50 | "B' = %08x\n" 51 | "t_cost = %u\n" 52 | "m_cost = %u\n", 53 | X, t_cost, N); 54 | } 55 | 56 | static void smix_classic_tmto(void) 57 | { 58 | uint32_t X = B; 59 | uint32_t i, j; 60 | 61 | t_cost = 0; 62 | 63 | for (i = 0; i < N; i++) { 64 | if ((i % TMTO) == 0) 65 | V[i / TMTO] = X; 66 | X = H(X); 67 | } 68 | 69 | for (i = 0; i < N; i++) { 70 | uint32_t Vj; 71 | j = X % N; 72 | Vj = V[j / TMTO]; 73 | j %= TMTO; 74 | while (j--) 75 | Vj = H(Vj); 76 | X = H(X ^ Vj); 77 | } 78 | 79 | printf( 80 | "scrypt TMTO = %u:\n" 81 | "B' = %08x\n" 82 | "t_cost = %u\n" 83 | "m_cost = %u\n", 84 | TMTO, X, t_cost, 1 + (N - 1) / TMTO); 85 | } 86 | 87 | static void smix_ircmaxell(void) 88 | { 89 | uint32_t X = B; 90 | uint32_t i, j; 91 | 92 | t_cost = 0; 93 | 94 | for (i = 0; i < N; i++) { 95 | V[i] = X; 96 | X = H(X); 97 | } 98 | 99 | for (i = 0; i < N; i++) { 100 | j = X % N; 101 | X = H(V[j] ^= X); 102 | } 103 | 104 | printf( 105 | "scrypt ircmaxell:\n" 106 | "B' = %08x\n" 107 | "t_cost = %u\n" 108 | "m_cost = %u\n", 109 | X, t_cost, N); 110 | } 111 | 112 | static void smix_ircmaxell_tmto(void) 113 | { 114 | uint32_t V2[(N - 1) / 2 + 1]; 115 | uint32_t patharea[N*N], *pathend; 116 | uint32_t *path[N], pathlen[N], pathleni[N]; 117 | 118 | uint32_t getVrec(uint32_t i, uint32_t j) 119 | { 120 | uint32_t xor = 0; 121 | 122 | while (1) { 123 | if (~i & 1) 124 | return xor ^ V2[i / 2]; 125 | 126 | uint32_t Y = H(V2[i / 2]); 127 | uint32_t jj = Y % N; 128 | uint32_t pl = pathleni[i]; 129 | if (pl == 0) { 130 | uint32_t X = V[j / TMTO]; 131 | j %= TMTO; 132 | while (j--) 133 | X = H(X); 134 | return xor ^ X ^ Y; 135 | } 136 | i = path[j][pl - 1]; 137 | j = jj; 138 | xor ^= Y; 139 | } 140 | } 141 | 142 | uint32_t getV(uint32_t i, uint32_t j) 143 | { 144 | if (pathlen[j] != 0) 145 | return getVrec(path[j][pathlen[j] - 1], j); 146 | 147 | uint32_t X; 148 | X = V[j / TMTO]; 149 | j %= TMTO; 150 | while (j--) 151 | X = H(X); 152 | return X; 153 | } 154 | 155 | uint32_t X = B; 156 | uint32_t i, j; 157 | 158 | t_cost = 0; 159 | 160 | for (i = 0; i < N; i++) { 161 | if ((i % TMTO) == 0) 162 | V[i / TMTO] = X; 163 | X = H(X); 164 | pathlen[i] = 0; /* obvious path, nothing to record yet */ 165 | } 166 | 167 | for (i = 0; i < N; i++) { 168 | path[i] = &patharea[i]; 169 | patharea[i] = 0xffffffff; 170 | } 171 | pathend = &patharea[i]; 172 | 173 | for (i = 0; i < N; i++) { 174 | j = X % N; 175 | X ^= getV(i, j); 176 | if (~i & 1) 177 | V2[i / 2] = X; 178 | pathleni[i] = pathlen[j]; 179 | if (path[j][pathlen[j]] != 0xffffffff) { 180 | uint32_t *p = path[j]; 181 | uint32_t *q = &path[j][pathlen[j]]; 182 | path[j] = pathend; 183 | while (p < q) { 184 | *pathend++ = *p; 185 | *p++ = 0xffffffff; 186 | } 187 | pathend++; 188 | } 189 | path[j][pathlen[j]++] = i; 190 | X = H(X); 191 | } 192 | 193 | printf( 194 | "scrypt ircmaxell TMTO1 = %u, TMTO2 = 2:\n" 195 | "B' = %08x\n" 196 | "t_cost = %u\n" 197 | "m_cost = %u elements + %u indices " 198 | "(%u alloc + %u ptrs) + %u counters\n", 199 | TMTO, X, t_cost, 200 | 1 + (N - 1) / TMTO + sizeof(V2) / sizeof(V2[0]), N, 201 | pathend - patharea, N, N * 2); 202 | } 203 | 204 | int main(void) 205 | { 206 | smix_classic(); 207 | smix_classic_tmto(); 208 | smix_ircmaxell(); 209 | smix_ircmaxell_tmto(); 210 | return 0; 211 | } 212 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/extra/sim-up-output.txt: -------------------------------------------------------------------------------- 1 | Granularity 1, t divisor 1, pre-upgrade t 1 2 | Up # t N sum_t sum_AT sum_AT % 3 | 0 1 1 1 1 100.00% 4 | 1 1 1 2 2 50.00% 5 | 2 1 2 4 6 37.50% 6 | 3 1 4 8 22 34.38% 7 | 4 1 8 16 86 33.59% 8 | 5 1 16 32 342 33.40% 9 | Granularity 2, t divisor 1, pre-upgrade t 1 10 | Up # t N sum_t sum_AT sum_AT % 11 | 0 1 1 1 1 100.00% 12 | 1 1 2 3 5 55.56% 13 | 2 1 4 7 21 42.86% 14 | 3 1 8 15 85 37.78% 15 | 4 1 16 31 341 35.48% 16 | 5 1 32 63 1365 34.39% 17 | Granularity 4, t divisor 1, pre-upgrade t 1 18 | Up # t N sum_t sum_AT sum_AT % 19 | 0 1 1 1 1 100.00% 20 | 1 1 4 5 17 68.00% 21 | 2 1 16 21 273 61.90% 22 | 3 1 64 85 4369 60.47% 23 | 4 1 256 341 69905 60.12% 24 | 5 1 1024 1365 1118481 60.03% 25 | Granularity 8, t divisor 1, pre-upgrade t 1 26 | Up # t N sum_t sum_AT sum_AT % 27 | 0 1 1 1 1 100.00% 28 | 1 1 8 9 65 80.25% 29 | 2 1 64 73 4161 78.08% 30 | 3 1 512 585 266305 77.82% 31 | 4 1 4096 4681 17043521 77.78% 32 | 5 1 32768 37449 1090785345 77.78% 33 | 34 | Granularity 4, t divisor 1, pre-upgrade t 64 35 | Up # t N sum_t sum_AT sum_AT % 36 | 0 64 1 64 64 1.56% 37 | 1 64 4 320 1088 1.06% 38 | 2 64 16 1344 17472 0.97% 39 | 3 64 64 5440 279616 0.94% 40 | 4 64 256 21824 4473920 0.94% 41 | 5 64 1024 87360 71582784 0.94% 42 | Granularity 4, t divisor 2, pre-upgrade t 64 43 | Up # t N sum_t sum_AT sum_AT % 44 | 0 64 1 64 64 1.56% 45 | 1 32 4 192 576 1.56% 46 | 2 16 16 448 4672 2.33% 47 | 3 8 64 960 37440 4.06% 48 | 4 4 256 1984 299584 7.61% 49 | 5 2 1024 4032 2396736 14.74% 50 | Granularity 4, t divisor 4, pre-upgrade t 64 51 | Up # t N sum_t sum_AT sum_AT % 52 | 0 64 1 64 64 1.56% 53 | 1 16 4 128 320 1.95% 54 | 2 4 16 192 1344 3.65% 55 | 3 1 64 256 5440 8.30% 56 | 4 1 256 512 70976 27.08% 57 | 5 1 1024 1536 1119552 47.45% 58 | Granularity 4, t divisor 8, pre-upgrade t 64 59 | Up # t N sum_t sum_AT sum_AT % 60 | 0 64 1 64 64 1.56% 61 | 1 8 4 96 192 2.08% 62 | 2 1 16 112 448 3.57% 63 | 3 1 64 176 4544 14.67% 64 | 4 1 256 432 70080 37.55% 65 | 5 1 1024 1456 1118656 52.77% 66 | 67 | Granularity 4, t divisor 2, pre-upgrade t 1 68 | Up # t N sum_t sum_AT sum_AT % 69 | 0 1 1 1 1 100.00% 70 | 1 1 4 5 17 68.00% 71 | 2 1 16 21 273 61.90% 72 | 3 1 64 85 4369 60.47% 73 | 4 1 256 341 69905 60.12% 74 | 5 1 1024 1365 1118481 60.03% 75 | Granularity 4, t divisor 2, pre-upgrade t 2 76 | Up # t N sum_t sum_AT sum_AT % 77 | 0 2 1 2 2 50.00% 78 | 1 1 4 6 18 50.00% 79 | 2 1 16 22 274 56.61% 80 | 3 1 64 86 4370 59.09% 81 | 4 1 256 342 69906 59.77% 82 | 5 1 1024 1366 1118482 59.94% 83 | Granularity 4, t divisor 2, pre-upgrade t 4 84 | Up # t N sum_t sum_AT sum_AT % 85 | 0 4 1 4 4 25.00% 86 | 1 2 4 12 36 25.00% 87 | 2 1 16 28 292 37.24% 88 | 3 1 64 92 4388 51.84% 89 | 4 1 256 348 69924 57.74% 90 | 5 1 1024 1372 1118500 59.42% 91 | Granularity 4, t divisor 2, pre-upgrade t 8 92 | Up # t N sum_t sum_AT sum_AT % 93 | 0 8 1 8 8 12.50% 94 | 1 4 4 24 72 12.50% 95 | 2 2 16 56 584 18.62% 96 | 3 1 64 120 4680 32.50% 97 | 4 1 256 376 70216 49.67% 98 | 5 1 1024 1400 1118792 57.08% 99 | Granularity 4, t divisor 2, pre-upgrade t 16 100 | Up # t N sum_t sum_AT sum_AT % 101 | 0 16 1 16 16 6.25% 102 | 1 8 4 48 144 6.25% 103 | 2 4 16 112 1168 9.31% 104 | 3 2 64 240 9360 16.25% 105 | 4 1 256 496 74896 30.44% 106 | 5 1 1024 1520 1123472 48.63% 107 | Granularity 4, t divisor 2, pre-upgrade t 32 108 | Up # t N sum_t sum_AT sum_AT % 109 | 0 32 1 32 32 3.12% 110 | 1 16 4 96 288 3.12% 111 | 2 8 16 224 2336 4.66% 112 | 3 4 64 480 18720 8.12% 113 | 4 2 256 992 149792 15.22% 114 | 5 1 1024 2016 1198368 29.49% 115 | Granularity 4, t divisor 2, pre-upgrade t 64 116 | Up # t N sum_t sum_AT sum_AT % 117 | 0 64 1 64 64 1.56% 118 | 1 32 4 192 576 1.56% 119 | 2 16 16 448 4672 2.33% 120 | 3 8 64 960 37440 4.06% 121 | 4 4 256 1984 299584 7.61% 122 | 5 2 1024 4032 2396736 14.74% 123 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/extra/sim-up.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #define N0 1 5 | 6 | static void upgrades(unsigned int step, unsigned int tdiv, unsigned int t0) 7 | { 8 | uint32_t g; 9 | uint64_t t, N, sum_t, sum_at; 10 | 11 | printf("Granularity %u, t divisor %u, pre-upgrade t %u\n" 12 | "Up #\tt\tN\tsum_t\tsum_AT\tsum_AT %%\n", step, tdiv, t0); 13 | 14 | t = t0; /* NB: t is not in the same units as yescrypt's */ 15 | N = N0; 16 | sum_t = sum_at = 0; 17 | for (g = 0; g < 6; g++) { 18 | sum_t += t * N; 19 | sum_at += t * N * N; 20 | if (t * N / N != t || t * N * N / N != t * N || 21 | sum_at < t * N * N) 22 | break; 23 | printf("%u\t%llu\t%llu\t%llu\t%llu\t%.2f%%\n", 24 | g, (unsigned long long)t, (unsigned long long)N, 25 | (unsigned long long)sum_t, (unsigned long long)sum_at, 26 | sum_at * 100.0 / ((double)sum_t * sum_t)); 27 | if (step > 1) 28 | N *= step; 29 | else 30 | N = sum_t; 31 | t = 1 + (t - 1) / tdiv; 32 | } 33 | } 34 | 35 | int main(void) 36 | { 37 | unsigned int i; 38 | 39 | for (i = 1; i <= 8; i <<= 1) 40 | upgrades(i, 1, 1); 41 | 42 | putchar('\n'); 43 | 44 | for (i = 1; i <= 8; i <<= 1) 45 | upgrades(4, i, 64); 46 | 47 | putchar('\n'); 48 | 49 | for (i = 1; i <= 64; i <<= 1) 50 | upgrades(4, 2, i); 51 | 52 | return 0; 53 | } 54 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/extra/style.latex: -------------------------------------------------------------------------------- 1 | %\setlength{\parskip}{\baselineskip} 2 | \setlength{\parskip}{5pt} 3 | \setlength{\parindent}{0mm} 4 | \sloppy 5 | \usepackage[a4paper,inner=25mm,outer=25mm,top=35mm,bottom=35mm]{geometry} 6 | \usepackage{amsmath} 7 | \newcommand*\xor{\oplus} 8 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/yescrypt-0.8.1/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2013,2014 Alexander Peslyak 2 | # All rights reserved. 3 | # 4 | # Redistribution and use in source and binary forms, with or without 5 | # modification, are permitted. 6 | # 7 | # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 8 | # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 10 | # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 11 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 12 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 13 | # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 14 | # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 15 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 16 | # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 17 | # SUCH DAMAGE. 18 | 19 | CC = gcc 20 | LD = $(CC) 21 | RM = rm -f 22 | OMPFLAGS = -fopenmp 23 | OMPFLAGS_MAYBE = $(OMPFLAGS) 24 | CFLAGS = -Wall -march=native -O2 -funroll-loops -fomit-frame-pointer $(OMPFLAGS_MAYBE) 25 | #CFLAGS = -Wall -march=native -O2 -fomit-frame-pointer $(OMPFLAGS_MAYBE) 26 | #CFLAGS = -Wall -O2 -fomit-frame-pointer $(OMPFLAGS_MAYBE) 27 | LDFLAGS = -s $(OMPFLAGS_MAYBE) 28 | 29 | PROJ = tests phc-test initrom userom tester 30 | OBJS_CORE = yescrypt-best.o 31 | OBJS_TESTS = $(OBJS_CORE) yescrypt-common.o sha256.o tests.o 32 | OBJS_TESTER = $(OBJS_CORE) yescrypt-common.o sha256.o tester.o 33 | OBJS_PHC = $(OBJS_CORE) yescrypt-common.o sha256.o phc-test.o 34 | OBJS_INITROM = $(OBJS_CORE) yescrypt-common.o sha256.o initrom.o 35 | OBJS_USEROM = $(OBJS_CORE) yescrypt-common.o sha256.o userom.o 36 | OBJS_RM = yescrypt-*.o 37 | 38 | all: $(PROJ) 39 | 40 | check: tests phc-test 41 | @echo 'Running main tests' 42 | @time ./tests | tee TESTS-OUT 43 | @diff -U0 TESTS-OK TESTS-OUT && echo PASSED || echo FAILED 44 | @if [ -e PHC-TEST-OK ]; then \ 45 | echo 'Running PHC tests'; \ 46 | time ./phc-test > PHC-TEST-OUT; \ 47 | cmp PHC-TEST-OK PHC-TEST-OUT && echo PASSED || echo FAILED; \ 48 | fi 49 | 50 | ref: 51 | $(MAKE) $(PROJ) OBJS_CORE=yescrypt-ref.o 52 | 53 | check-ref: 54 | $(MAKE) check OBJS_CORE=yescrypt-ref.o 55 | 56 | opt: 57 | $(MAKE) $(PROJ) OBJS_CORE=yescrypt-opt.o 58 | 59 | check-opt: 60 | $(MAKE) check OBJS_CORE=yescrypt-opt.o 61 | 62 | tests: $(OBJS_TESTS) 63 | $(LD) $(LDFLAGS) $(OBJS_TESTS) -o $@ 64 | 65 | phc-test.o: phc.c 66 | $(CC) -c $(CFLAGS) -DTEST phc.c -o $@ 67 | 68 | phc-test: $(OBJS_PHC) 69 | $(LD) $(LDFLAGS) $(OBJS_PHC) -o $@ 70 | 71 | tester.o: tester.c 72 | $(CC) -c $(CFLAGS) -DTEST tester.c -o $@ 73 | 74 | tester: $(OBJS_TESTER) 75 | $(LD) $(LDFLAGS) $(OBJS_TESTER) -o $@ 76 | 77 | initrom: $(OBJS_INITROM) 78 | $(LD) $(LDFLAGS) $(OBJS_INITROM) -o $@ 79 | 80 | userom: $(OBJS_USEROM) 81 | $(LD) $(LDFLAGS) $(OMPFLAGS) $(OBJS_USEROM) -o $@ 82 | 83 | userom.o: userom.c 84 | $(CC) -c $(CFLAGS) $(OMPFLAGS) $*.c 85 | 86 | .c.o: 87 | $(CC) -c $(CFLAGS) $*.c 88 | 89 | yescrypt-best.o: yescrypt-platform.c yescrypt-simd.c yescrypt-opt.c 90 | yescrypt-simd.o: yescrypt-platform.c 91 | yescrypt-opt.o: yescrypt-platform.c 92 | 93 | clean: 94 | $(RM) $(PROJ) 95 | $(RM) $(OBJS_TESTER) $(OBJS_TESTS) $(OBJS_PHC) $(OBJS_INITROM) $(OBJS_USEROM) 96 | $(RM) $(OBJS_RM) 97 | $(RM) TESTS-OUT PHC-TEST-OUT 98 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/yescrypt-0.8.1/PERFORMANCE-default: -------------------------------------------------------------------------------- 1 | The benchmarks below correspond to an older revision of yescrypt. They 2 | were not re-run for the most recent revision. However, similar results 3 | are expected for the current revision for t=2, and ~40% faster for t=0. 4 | 5 | Core i7-4770K 3.5 GHz + turbo (up to 3.7 GHz with all cores in use, 6 | 3.9 GHz with one core in use), HT is enabled (giving 8 logical CPUs), 7 | 32 GiB RAM (4x DDR3-1600, but the CPU has only 2 memory channels). 8 | The OS is Ubuntu 12.04.2. 9 | 10 | First, we need to configure the Linux system, as root. Grant our user 11 | account's group the privilege to access "huge pages" (2 MiB as opposed 12 | to x86's default 4 KiB pages): 13 | 14 | # sysctl -w vm.hugetlb_shm_group=1000 15 | 16 | (You may need to replace the "1000" with your user account's actual 17 | group id.) 18 | 19 | Let processes allocate up to 3 GiB in shared memory segments: 20 | 21 | # sysctl -w kernel.shmmax=3221225472 22 | 23 | Preallocate this much memory and 200 MiB more (to be potentially used 24 | for threads' "RAM" lookup tables) into 2 MiB pages (this will only work 25 | when there's a sufficiently large non-fragmented memory region, so is 26 | normally to be performed right upon system bootup): 27 | 28 | # sysctl -w vm.nr_hugepages=1636 29 | 30 | Now initialization of the ROM is possible: 31 | 32 | $ time ./initrom 33 | r=6 N=2^12 NROM=2^22 34 | Will use 3145728.00 KiB ROM 35 | 3072.00 KiB RAM 36 | Initializing ROM ... DONE (7b90baf9) 37 | '$7X3$A4..../....WZaPV7LSUEKMo34.$5s4cetx5p9HNpa4x3I10oHYf6tkoHgIiQJShvobQKB2' 38 | 39 | real 0m2.017s 40 | user 0m14.957s 41 | sys 0m1.000s 42 | 43 | This took 2 seconds, and now we're able to quickly hash passwords from 44 | another process (this may be the authentication service): 45 | 46 | $ ./userom 47 | r=6 N=2^12 NROM=2^22 48 | Will use 3145728.00 KiB ROM 49 | 3072.00 KiB RAM 50 | ROM access frequency mask: 0x1 51 | '$7X3$A4..../....WZaPV7LSUEKMo34.$5s4cetx5p9HNpa4x3I10oHYf6tkoHgIiQJShvobQKB2' 52 | Benchmarking 1 thread ... 53 | 354 c/s real, 357 c/s virtual (511 hashes in 1.44 seconds) 54 | Benchmarking 8 threads ... 55 | 1344 c/s real, 167 c/s virtual (1533 hashes in 1.14 seconds) 56 | 57 | Cleanup (remove the SysV shared memory segment holding the ROM and free 58 | up the preallocated 2 MiB pages): 59 | 60 | $ ipcrm -M 0x524f4d0a 61 | 62 | # sysctl -w vm.nr_hugepages=0 63 | 64 | Without explicit use of 2 MiB pages (that is, more likely with 4 KiB 65 | pages), the test programs above run fine as well, and actually this time 66 | they're almost as fast, although in some other cases we've observed much 67 | more of a difference (see PERFORMANCE-scaling-up). 68 | 69 | Here are the timings without explicit 2 MiB pages: 70 | 71 | $ time ./initrom 72 | r=6 N=2^12 NROM=2^22 73 | Will use 3145728.00 KiB ROM 74 | 3072.00 KiB RAM 75 | shmget: Cannot allocate memory 76 | Retrying without SHM_HUGETLB 77 | Initializing ROM ... DONE (7b90baf9) 78 | '$7X3$A4..../....WZaPV7LSUEKMo34.$5s4cetx5p9HNpa4x3I10oHYf6tkoHgIiQJShvobQKB2' 79 | 80 | real 0m2.048s 81 | user 0m14.629s 82 | sys 0m1.204s 83 | 84 | $ ./userom 85 | r=6 N=2^12 NROM=2^22 86 | Will use 3145728.00 KiB ROM 87 | 3072.00 KiB RAM 88 | ROM access frequency mask: 0x1 89 | '$7X3$A4..../....WZaPV7LSUEKMo34.$5s4cetx5p9HNpa4x3I10oHYf6tkoHgIiQJShvobQKB2' 90 | Benchmarking 1 thread ... 91 | 191 c/s real, 193 c/s virtual (255 hashes in 1.33 seconds) 92 | Benchmarking 8 threads ... 93 | 1332 c/s real, 167 c/s virtual (1785 hashes in 1.34 seconds) 94 | 95 | It might be possible to improve the single-thread speed seen here by 96 | including some warm-up in the program. Anyhow, the multi-threaded 97 | throughput is more relevant. 98 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/yescrypt-0.8.1/PERFORMANCE-scaling-down: -------------------------------------------------------------------------------- 1 | The benchmarks below correspond to an older revision of yescrypt. They 2 | were not re-run for the most recent revision. However, similar results 3 | are expected for the current revision for t=2, and ~40% faster for t=0. 4 | 5 | Dual Pentium 3, 1 GHz (an IBM workstation circa year 2000), running 6 | current Openwall GNU/*/Linux. ROM size scaled down to 112 MiB: 7 | 8 | First, we need to configure the Linux system, as root. 9 | 10 | Let processes allocate up to 112 MiB in shared memory segments: 11 | 12 | # sysctl -w kernel.shmmax=117440512 13 | 14 | Now initialization of the ROM is possible: 15 | 16 | $ time ./initrom 17 | r=7 N=2^11 NROM=2^17 18 | Will use 114688.00 KiB ROM 19 | 1792.00 KiB RAM 20 | shmget: Function not implemented 21 | Retrying without SHM_HUGETLB 22 | Initializing ROM ... DONE (0592b260) 23 | '$7X3$95..../....WZaPV7LSUEKMo34.$tWYLFCyQajL/uPib1HOiYrvEgz8HKPApUoMj4S6J.69' 24 | 25 | real 0m4.485s 26 | user 0m7.968s 27 | sys 0m0.504s 28 | 29 | This took under 5 seconds, and now we're able to (relatively) quickly 30 | hash passwords from another process: 31 | 32 | $ ./userom 33 | r=7 N=2^11 NROM=2^17 34 | Will use 114688.00 KiB ROM 35 | 1792.00 KiB RAM 36 | ROM access frequency mask: 0x1 37 | '$7X3$95..../....WZaPV7LSUEKMo34.$tWYLFCyQajL/uPib1HOiYrvEgz8HKPApUoMj4S6J.69' 38 | Benchmarking 1 thread ... 39 | 9 c/s real, 9 c/s virtual (15 hashes in 1.53 seconds) 40 | Benchmarking 2 threads ... 41 | 19 c/s real, 10 c/s virtual (45 hashes in 2.29 seconds) 42 | 43 | Scaling down of the RAM portion to achieve higher c/s rates as if we were 44 | going to use this Pentium 3 machine for an auth server (not recommended): 45 | 46 | $ ./userom 47 | r=7 N=2^7 NROM=2^17 48 | Will use 114688.00 KiB ROM 49 | 112.00 KiB RAM 50 | ROM access frequency mask: 0x1 51 | '$7X3$55..../....WZaPV7LSUEKMo34.$tioZe3w2turVdlZJOYE.TcxqF6a73TyPj227N/p6400' 52 | Benchmarking 1 thread ... 53 | 166 c/s real, 167 c/s virtual (255 hashes in 1.53 seconds) 54 | Benchmarking 2 threads ... 55 | 324 c/s real, 168 c/s virtual (765 hashes in 2.36 seconds) 56 | 57 | These speeds are comparable to optimized bcrypt code at the $2a$05 cost 58 | setting running on the same machine. 59 | 60 | Cleanup (remove the SysV shared memory segment holding the ROM): 61 | 62 | $ ipcrm -M 0x524f4d0a 63 | 64 | Without the ROM: 65 | 66 | $ ./userom 0 67 | r=8 N=2^7 NROM=2^0 68 | Will use 0.00 KiB ROM 69 | 128.00 KiB RAM 70 | '$7X3$56..../....WZaPV7LSUEKMo34.$aASx8ttzWhTYanMam7D7T4Gnqt8gtguH1lEdUN4Sj5/' 71 | Benchmarking 1 thread ... 72 | 166 c/s real, 166 c/s virtual (255 hashes in 1.53 seconds) 73 | Benchmarking 2 threads ... 74 | 331 c/s real, 168 c/s virtual (765 hashes in 2.31 seconds) 75 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/yescrypt-0.8.1/PERFORMANCE-scaling-up: -------------------------------------------------------------------------------- 1 | The benchmarks below correspond to an older revision of yescrypt. They 2 | were not re-run for the most recent revision. However, similar results 3 | are expected for the current revision for t=2, and ~40% faster for t=0. 4 | 5 | Dual Xeon E5-2670 2.6 GHz + turbo (up to 3.0 GHz with all cores in use, 6 | 3.3 GHz with few cores in use), 128 GiB RAM (8x DDR3-1600 ECC Reg). 7 | These CPUs have 8 cores and 4 memory channels each, for a total of 16 8 | physical cores, 32 logical CPUs (HT is enabled), and 8 memory channels. 9 | The OS is Scientific Linux 6.4 (same as RHEL 6.4). 10 | 11 | First, we need to configure the Linux system, as root. Grant our user 12 | account's group the privilege to access "huge pages" (2 MiB as opposed 13 | to x86's default 4 KiB pages): 14 | 15 | # sysctl -w vm.hugetlb_shm_group=1000 16 | 17 | (You may need to replace the "1000" with your user account's actual 18 | group id.) 19 | 20 | Let processes allocate up to 112 GiB in shared memory segments: 21 | 22 | # sysctl -w kernel.shmmax=120259084288 23 | 24 | Preallocate this much memory and 200 MiB more (to be potentially used 25 | for threads' "RAM" lookup tables) into 2 MiB pages (this will only work 26 | when there's a sufficiently large non-fragmented memory region, so is 27 | normally to be performed right upon system bootup): 28 | 29 | # sysctl -w vm.nr_hugepages=57444 30 | 31 | Now initialization of the ROM is possible: 32 | 33 | $ export GOMP_CPU_AFFINITY=0-31 34 | $ time ./initrom 112 1 35 | r=7 N=2^11 NROM=2^27 36 | Will use 117440512.00 KiB ROM 37 | 1792.00 KiB RAM 38 | Initializing ROM ... DONE (0e644812) 39 | '$7X3$95..../....WZaPV7LSUEKMo34.$UJxyIFR5NmT8WJ3ibOuVSAB3iQ/2IkruLUWTThZ/BN6' 40 | 41 | real 0m41.881s 42 | user 11m14.147s 43 | sys 0m38.607s 44 | 45 | This took under 1 minute, and now we're able to quickly hash passwords 46 | from another process (this may be the authentication service): 47 | 48 | $ ./userom 112 1 49 | r=7 N=2^11 NROM=2^27 50 | Will use 117440512.00 KiB ROM 51 | 1792.00 KiB RAM 52 | ROM access frequency mask: 0x1 53 | '$7X3$95..../....WZaPV7LSUEKMo34.$UJxyIFR5NmT8WJ3ibOuVSAB3iQ/2IkruLUWTThZ/BN6' 54 | Benchmarking 1 thread ... 55 | 408 c/s real, 412 c/s virtual (511 hashes in 1.25 seconds) 56 | Benchmarking 32 threads ... 57 | 7589 c/s real, 236 c/s virtual (7665 hashes in 1.01 seconds) 58 | 59 | This is 48.7 GB/s: 60 | 61 | 1792 KiB * 3.5 reads&writes * 7589 c/s * 1024/1000 = 48740565 KB/s 62 | 63 | When not using a ROM, the speed improves to: 64 | 65 | $ ./userom 0 2 66 | r=8 N=2^11 NROM=2^0 67 | Will use 0.00 KiB ROM 68 | 2048.00 KiB RAM 69 | '$7X3$96..../....WZaPV7LSUEKMo34.$yiVEyLf68agsa3VGSX7LClYXak8P/AQAoswcRRHBRt2' 70 | Benchmarking 1 thread ... 71 | 440 c/s real, 444 c/s virtual (511 hashes in 1.16 seconds) 72 | Benchmarking 32 threads ... 73 | 8207 c/s real, 257 c/s virtual (15841 hashes in 1.93 seconds) 74 | 75 | This is 60.2 GB/s: 76 | 77 | 1792 KiB * 4 reads&writes * 8207 c/s * 1024/1000 = 60239643 KB/s 78 | 79 | In both cases, we're not counting accesses that are expected to hit L1 80 | or L2 cache, which there are many of. We're, however, counting 81 | accesses that may be hitting L3 cache. 82 | 83 | The theoretical peak RAM access speed for this machine is: 84 | 85 | 1600 MT/s * 8 channels * 8 bytes = 102.4 GB/s 86 | 87 | (This speed is never reached in practice, not even in RAM benchmarks not 88 | involving any computation. On this machine, synthetic RAM benchmarks 89 | reach about 85 GB/s.) 90 | 91 | By the way, here's what our SysV shared memory segment looks like: 92 | 93 | $ ipcs 94 | 95 | ------ Shared Memory Segments -------- 96 | key shmid owner perms bytes nattch status 97 | 0x524f4d0a 360448 solar 640 120259084288 0 98 | 99 | The 120+ GB size corresponds to 112 GiB. 100 | 101 | Cleanup (remove the SysV shared memory segment holding the ROM and free 102 | up the preallocated 2 MiB pages): 103 | 104 | $ ipcrm -M 0x524f4d0a 105 | 106 | # sysctl -w vm.nr_hugepages=0 107 | 108 | Without explicit use of 2 MiB pages (that is, most likely with 4 KiB 109 | pages), the test programs above run fine as well, but slower, presumably 110 | mostly because of cache thrashing with page tables. ROM initialization 111 | time is about as good: 112 | 113 | $ time ./initrom 112 1 114 | r=7 N=2^11 NROM=2^27 115 | Will use 117440512.00 KiB ROM 116 | 1792.00 KiB RAM 117 | shmget: Cannot allocate memory 118 | Retrying without SHM_HUGETLB 119 | Initializing ROM ... DONE (0e644812) 120 | '$7X3$95..../....WZaPV7LSUEKMo34.$UJxyIFR5NmT8WJ3ibOuVSAB3iQ/2IkruLUWTThZ/BN6' 121 | 122 | real 0m42.141s 123 | user 12m17.489s 124 | sys 8m33.598s 125 | 126 | However, password hashing speed while using that ROM on small pages is 127 | impacted badly: 128 | 129 | $ ./userom 112 1 130 | r=7 N=2^11 NROM=2^27 131 | Will use 117440512.00 KiB ROM 132 | 1792.00 KiB RAM 133 | ROM access frequency mask: 0x1 134 | '$7X3$95..../....WZaPV7LSUEKMo34.$UJxyIFR5NmT8WJ3ibOuVSAB3iQ/2IkruLUWTThZ/BN6' 135 | Benchmarking 1 thread ... 136 | 157 c/s real, 158 c/s virtual (255 hashes in 1.62 seconds) 137 | Benchmarking 32 threads ... 138 | 1733 c/s real, 54 c/s virtual (1785 hashes in 1.03 seconds) 139 | 140 | Thus, at these ROM sizes the use of "huge pages" is a must - otherwise 141 | we're giving attackers (who would tune their systems) a 4x+ performance 142 | advantage. 143 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/yescrypt-0.8.1/README: -------------------------------------------------------------------------------- 1 | This yescrypt distribution is a work-in-progress. Its interfaces other 2 | than crypto_scrypt(), as well as their semantics, are subject to 3 | (incompatible) changes in future revisions. 4 | 5 | 6 | How to test yescrypt for proper operation. 7 | 8 | On a Unix-like system, invoke "make check". This will build and run a 9 | program called "tests", and check its output against the supplied file 10 | TESTS-OK. It will also build a program called "phc-test", and if a file 11 | called PHC-TEST-OK is present will run that program and check its output 12 | against that file's contents. If everything matches, each of these two 13 | sets of tests prints one word "PASSED", so there will be two such lines 14 | among "make check" output, one of them being the final line of output. 15 | 16 | We do most of our testing on Linux systems with gcc. The supplied 17 | Makefile assumes that you use gcc. 18 | 19 | 20 | ROM in SysV shared memory demo and benchmark. 21 | 22 | Also included with this version of yescrypt are "initrom" and "userom" 23 | demo programs. They're built by simply typing "make". Please refer to 24 | PERFORMANCE-* text files for examples of system configuration and 25 | running of these programs. 26 | 27 | 28 | Alternate code versions and make targets. 29 | 30 | Three implementations of yescrypt are included: reference, partially 31 | optimized (without use of SIMD), and fully optimized for x86/x86-64 32 | (with use of SIMD intrinsics). By default, one of the two optimized 33 | implementations is built as appropriate for the given machine. 34 | 35 | The reference implementation is unoptimized and is very slow, but it has 36 | simpler and shorter source code. Its purpose is to provide a simple 37 | human- and machine-readable specification that implementations intended 38 | for actual use should be tested against. It is deliberately mostly not 39 | optimized, and it is not meant to be used in production. 40 | 41 | There are two additional make targets similar to "make check": they are 42 | "make check-ref" and "make check-opt". These build and test the two 43 | included alternate code versions. 44 | 45 | Similarly, there are two make targets to build all of the programs along 46 | with either of the two alternate implementations. These are simply 47 | "make ref" and "make opt". After having used one of these, the 48 | "initrom" and "userom" programs will use that build's implementation. 49 | 50 | "make clean" may need to be run between making different builds. 51 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/yescrypt-0.8.1/initrom.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2013-2015 Alexander Peslyak 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted. 7 | * 8 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 9 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 10 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 11 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 12 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 13 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 14 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 15 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 16 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 17 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 18 | * SUCH DAMAGE. 19 | */ 20 | 21 | #define YESCRYPT_FLAGS YESCRYPT_RW 22 | 23 | #define ROM_SHM_KEY 0x524f4d0a 24 | #define ROM_LOCAL_PARAM "change this before use" 25 | 26 | /* Maximum parallelism factor during ROM initialization */ 27 | #define YESCRYPT_PROM_SHM 32 28 | #define YESCRYPT_PROM_FILE 4 29 | 30 | //#define USE_HUGEPAGE 31 | 32 | #include 33 | #include 34 | #include /* for atoi() */ 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | 42 | #include "yescrypt.h" 43 | 44 | int main(int argc, const char * const *argv) 45 | { 46 | #if 0 47 | uint64_t rom_bytes = 112 * (1024ULL*1024*1024); 48 | uint64_t ram_bytes = 1 * (1024ULL*1024); 49 | #else 50 | uint64_t rom_bytes = 3 * (1024ULL*1024*1024); 51 | uint64_t ram_bytes = 2 * (1024ULL*1024); 52 | #endif 53 | uint32_t r, min_r; 54 | uint64_t NROM_log2, N_log2; 55 | int shmid; 56 | yescrypt_shared_t shared; 57 | uint8_t digest[4]; 58 | const char * rom_filename = NULL; 59 | int rom_fd; 60 | 61 | if (argc > 1) 62 | rom_bytes = atoi(argv[1]) * (1024ULL*1024*1024); 63 | if (argc > 2) 64 | ram_bytes = atoi(argv[2]) * (1024ULL*1024); 65 | if (argc > 3) 66 | rom_filename = argv[3]; 67 | 68 | if (!rom_bytes) { 69 | puts("Wrong ROM size requested"); 70 | return 1; 71 | } 72 | 73 | min_r = 5; 74 | if (rom_filename) 75 | min_r = 8 * 256; 76 | 77 | NROM_log2 = 0; 78 | while (((rom_bytes >> NROM_log2) & 0xff) == 0) 79 | NROM_log2++; 80 | r = rom_bytes >> (7 + NROM_log2); 81 | while (r < min_r && NROM_log2 > 0) { 82 | r <<= 1; 83 | NROM_log2--; 84 | } 85 | rom_bytes = (uint64_t)r << (7 + NROM_log2); 86 | 87 | N_log2 = 3; 88 | while ((r << (7 + N_log2)) < ram_bytes) 89 | N_log2++; 90 | ram_bytes = (uint64_t)r << (7 + N_log2); 91 | 92 | printf("r=%u N=2^%u NROM=2^%u\n", r, 93 | (unsigned int)N_log2, (unsigned int)NROM_log2); 94 | 95 | printf("Will use %.2f KiB ROM\n", rom_bytes / 1024.0); 96 | printf(" %.2f KiB RAM\n", ram_bytes / 1024.0); 97 | 98 | shared.aligned_size = rom_bytes; 99 | 100 | if (rom_filename) { 101 | rom_fd = open(rom_filename, O_CREAT|O_RDWR|O_EXCL, 102 | S_IRUSR|S_IRGRP|S_IWUSR); 103 | if (rom_fd < 0) { 104 | perror("open"); 105 | return 1; 106 | } 107 | if (ftruncate(rom_fd, rom_bytes)) { 108 | perror("ftruncate"); 109 | close(rom_fd); 110 | unlink(rom_filename); 111 | return 1; 112 | } 113 | 114 | int flags = 115 | #ifdef MAP_NOCORE 116 | MAP_NOCORE | 117 | #endif 118 | #if defined(MAP_HUGETLB) && defined(USE_HUGEPAGE) 119 | MAP_HUGETLB | 120 | #endif 121 | MAP_SHARED; 122 | void * p = mmap(NULL, rom_bytes, PROT_READ | PROT_WRITE, 123 | flags, rom_fd, 0); 124 | #if defined(MAP_HUGETLB) && defined(USE_HUGEPAGE) 125 | if (p == MAP_FAILED) 126 | p = mmap(NULL, rom_bytes, PROT_READ | PROT_WRITE, 127 | flags & ~MAP_HUGETLB, rom_fd, 0); 128 | #endif 129 | if (p == MAP_FAILED) { 130 | perror("mmap"); 131 | close(rom_fd); 132 | unlink(rom_filename); 133 | return 1; 134 | } 135 | close(rom_fd); 136 | shared.base = shared.aligned = p; 137 | } else { 138 | shmid = shmget(ROM_SHM_KEY, shared.aligned_size, 139 | #ifdef SHM_HUGETLB 140 | SHM_HUGETLB | 141 | #endif 142 | IPC_CREAT|IPC_EXCL | S_IRUSR|S_IRGRP|S_IWUSR); 143 | if (shmid == -1) { 144 | #ifdef SHM_HUGETLB 145 | perror("shmget"); 146 | puts("Retrying without SHM_HUGETLB"); 147 | shmid = shmget(ROM_SHM_KEY, shared.aligned_size, 148 | IPC_CREAT|IPC_EXCL | S_IRUSR|S_IRGRP|S_IWUSR); 149 | #endif 150 | if (shmid == -1) { 151 | perror("shmget"); 152 | return 1; 153 | } 154 | } 155 | 156 | shared.base = shared.aligned = shmat(shmid, NULL, 0); 157 | if (shared.base == (void *)-1) { 158 | int save_errno = errno; 159 | shmctl(shmid, IPC_RMID, NULL); 160 | errno = save_errno; 161 | perror("shmat"); 162 | return 1; 163 | } 164 | } 165 | 166 | printf("Initializing ROM ..."); 167 | fflush(stdout); 168 | if (yescrypt_init_shared(&shared, 169 | (uint8_t *)ROM_LOCAL_PARAM, strlen(ROM_LOCAL_PARAM), 170 | (uint64_t)1 << NROM_log2, r, 171 | rom_filename ? YESCRYPT_PROM_FILE : YESCRYPT_PROM_SHM, 172 | YESCRYPT_SHARED_PREALLOCATED, 173 | digest, sizeof(digest))) { 174 | puts(" FAILED"); 175 | if (rom_filename) 176 | unlink(rom_filename); 177 | return 1; 178 | } 179 | printf(" DONE (%02x%02x%02x%02x)\n", 180 | digest[0], digest[1], digest[2], digest[3]); 181 | 182 | { 183 | yescrypt_local_t local; 184 | const uint8_t *setting; 185 | uint8_t hash[128]; 186 | 187 | if (yescrypt_init_local(&local)) { 188 | puts("yescrypt_init_local() FAILED"); 189 | return 1; 190 | } 191 | 192 | setting = yescrypt_gensalt( 193 | N_log2, r, 1, YESCRYPT_FLAGS, 194 | (const uint8_t *)"binary data", 12); 195 | 196 | printf("'%s'\n", (char *)yescrypt_r(&shared, &local, 197 | (const uint8_t *)"pleaseletmein", 13, setting, 198 | hash, sizeof(hash))); 199 | } 200 | 201 | if (rom_filename && munmap(shared.base, rom_bytes)) { 202 | perror("munmap"); 203 | return 1; 204 | } 205 | 206 | return 0; 207 | } 208 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/yescrypt-0.8.1/phc.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2014,2015 Alexander Peslyak 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted. 7 | * 8 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 9 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 10 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 11 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 12 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 13 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 14 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 15 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 16 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 17 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 18 | * SUCH DAMAGE. 19 | */ 20 | 21 | #define YESCRYPT_FLAGS YESCRYPT_RW 22 | #define YESCRYPT_BASE_N 8 23 | #define YESCRYPT_R 8 24 | #define YESCRYPT_P 1 25 | 26 | #include "yescrypt.h" 27 | 28 | #ifdef TEST 29 | static 30 | #endif 31 | int PHS(void *out, size_t outlen, const void *in, size_t inlen, 32 | const void *salt, size_t saltlen, unsigned int t_cost, unsigned int m_cost) 33 | { 34 | yescrypt_local_t local; 35 | int retval; 36 | 37 | if (yescrypt_init_local(&local)) 38 | return -1; 39 | retval = yescrypt_kdf(NULL, &local, in, inlen, salt, saltlen, 40 | (uint64_t)YESCRYPT_BASE_N << m_cost, YESCRYPT_R, YESCRYPT_P, 41 | t_cost, 0, YESCRYPT_FLAGS, out, outlen); 42 | if (yescrypt_free_local(&local)) 43 | return -1; 44 | return retval; 45 | } 46 | 47 | #ifdef TEST 48 | #include 49 | #include /* for sysconf() */ 50 | #include 51 | 52 | static void print_hex(const uint8_t *buf, size_t buflen, const char *sep) 53 | { 54 | size_t i; 55 | 56 | putchar('"'); 57 | for (i = 0; i < buflen; i++) 58 | printf("\\x%02x", buf[i]); 59 | printf("\"%s", sep); 60 | } 61 | 62 | static void print_PHS(const void *in, size_t inlen, 63 | const void *salt, size_t saltlen, unsigned int t_cost, unsigned int m_cost) 64 | { 65 | uint8_t dk[32]; 66 | 67 | printf("PHS("); 68 | print_hex(in, inlen, ", "); 69 | print_hex(salt, saltlen, ", "); 70 | printf("%u, %u) = ", t_cost, m_cost); 71 | 72 | if (PHS(dk, sizeof(dk), in, inlen, salt, saltlen, t_cost, m_cost)) { 73 | puts("FAILED"); 74 | return; 75 | } 76 | 77 | print_hex(dk, sizeof(dk), "\n"); 78 | } 79 | 80 | static void print_all_PHS(unsigned int t_cost, unsigned int m_cost) 81 | { 82 | clock_t clk_tck = sysconf(_SC_CLK_TCK); 83 | struct tms start_tms, end_tms; 84 | clock_t start = times(&start_tms), end, start_v, end_v; 85 | const int count = 0x102; 86 | size_t inlen; 87 | int i, j; 88 | 89 | inlen = 0; 90 | for (i = 0; i < count; i++) { 91 | uint8_t in[128], salt[16]; 92 | 93 | for (j = 0; j < inlen; j++) 94 | in[j] = (i + j) & 0xff; 95 | for (j = 0; j < sizeof(salt); j++) 96 | salt[j] = ~(i + j) & 0xff; 97 | 98 | print_PHS(in, inlen, salt, sizeof(salt), t_cost, m_cost); 99 | 100 | if (++inlen > sizeof(in)) 101 | inlen = 0; 102 | } 103 | 104 | end = times(&end_tms); 105 | 106 | start_v = start_tms.tms_utime + start_tms.tms_stime + 107 | start_tms.tms_cutime + start_tms.tms_cstime; 108 | end_v = end_tms.tms_utime + end_tms.tms_stime + 109 | end_tms.tms_cutime + end_tms.tms_cstime; 110 | 111 | if (end == start) 112 | end++; 113 | if (end_v == start_v) 114 | end_v++; 115 | 116 | fprintf(stderr, "m_cost=%u (%.0f KiB), t_cost=%u\n" 117 | "%llu c/s real, %llu c/s virtual (%llu hashes in %.2f seconds)\n", 118 | m_cost, (YESCRYPT_BASE_N << m_cost) * YESCRYPT_R / 8.0, t_cost, 119 | (unsigned long long)count * clk_tck / (end - start), 120 | (unsigned long long)count * clk_tck / (end_v - start_v), 121 | (unsigned long long)count, (double)(end - start) / clk_tck); 122 | } 123 | 124 | int main(int argc, char *argv[]) 125 | { 126 | #if 0 127 | setvbuf(stdout, NULL, _IOLBF, 0); 128 | #endif 129 | 130 | print_all_PHS(0, 0); 131 | print_all_PHS(0, 7); 132 | print_all_PHS(0, 8); 133 | print_all_PHS(1, 8); 134 | print_all_PHS(2, 8); 135 | print_all_PHS(3, 8); 136 | print_all_PHS(0, 11); 137 | 138 | return 0; 139 | } 140 | #endif 141 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/yescrypt-0.8.1/sha256.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2005,2007,2009 Colin Percival 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 14 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 | * SUCH DAMAGE. 25 | * 26 | * $FreeBSD: src/lib/libmd/sha256.h,v 1.2 2006/01/17 15:35:56 phk Exp $ 27 | */ 28 | 29 | #ifndef _SHA256_H_ 30 | #define _SHA256_H_ 31 | 32 | #include 33 | 34 | #include 35 | 36 | typedef struct SHA256Context { 37 | uint32_t state[8]; 38 | uint32_t count[2]; 39 | unsigned char buf[64]; 40 | } SHA256_CTX; 41 | 42 | typedef struct HMAC_SHA256Context { 43 | SHA256_CTX ictx; 44 | SHA256_CTX octx; 45 | } HMAC_SHA256_CTX; 46 | 47 | void SHA256_Init(SHA256_CTX *); 48 | void SHA256_Update(SHA256_CTX *, const void *, size_t); 49 | void SHA256_Final(unsigned char [32], SHA256_CTX *); 50 | void HMAC_SHA256_Init(HMAC_SHA256_CTX *, const void *, size_t); 51 | void HMAC_SHA256_Update(HMAC_SHA256_CTX *, const void *, size_t); 52 | void HMAC_SHA256_Final(unsigned char [32], HMAC_SHA256_CTX *); 53 | 54 | /** 55 | * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): 56 | * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and 57 | * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1). 58 | */ 59 | void PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t, 60 | uint64_t, uint8_t *, size_t); 61 | 62 | #endif /* !_SHA256_H_ */ 63 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/yescrypt-0.8.1/sysendian.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2007-2009 Colin Percival 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 14 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 | * SUCH DAMAGE. 25 | * 26 | * This file was originally written by Colin Percival as part of the Tarsnap 27 | * online backup system. 28 | */ 29 | #ifndef _SYSENDIAN_H_ 30 | #define _SYSENDIAN_H_ 31 | 32 | /* If we don't have be64enc, the we have isn't usable. */ 33 | #if !HAVE_DECL_BE64ENC 34 | #undef HAVE_SYS_ENDIAN_H 35 | #endif 36 | 37 | #ifdef HAVE_SYS_ENDIAN_H 38 | 39 | #include 40 | 41 | #else 42 | 43 | #include 44 | 45 | static inline uint32_t 46 | be32dec(const void *pp) 47 | { 48 | const uint8_t *p = (uint8_t const *)pp; 49 | 50 | return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + 51 | ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); 52 | } 53 | 54 | static inline void 55 | be32enc(void *pp, uint32_t x) 56 | { 57 | uint8_t * p = (uint8_t *)pp; 58 | 59 | p[3] = x & 0xff; 60 | p[2] = (x >> 8) & 0xff; 61 | p[1] = (x >> 16) & 0xff; 62 | p[0] = (x >> 24) & 0xff; 63 | } 64 | 65 | static inline uint64_t 66 | be64dec(const void *pp) 67 | { 68 | const uint8_t *p = (uint8_t const *)pp; 69 | 70 | return ((uint64_t)(p[7]) + ((uint64_t)(p[6]) << 8) + 71 | ((uint64_t)(p[5]) << 16) + ((uint64_t)(p[4]) << 24) + 72 | ((uint64_t)(p[3]) << 32) + ((uint64_t)(p[2]) << 40) + 73 | ((uint64_t)(p[1]) << 48) + ((uint64_t)(p[0]) << 56)); 74 | } 75 | 76 | static inline void 77 | be64enc(void *pp, uint64_t x) 78 | { 79 | uint8_t * p = (uint8_t *)pp; 80 | 81 | p[7] = x & 0xff; 82 | p[6] = (x >> 8) & 0xff; 83 | p[5] = (x >> 16) & 0xff; 84 | p[4] = (x >> 24) & 0xff; 85 | p[3] = (x >> 32) & 0xff; 86 | p[2] = (x >> 40) & 0xff; 87 | p[1] = (x >> 48) & 0xff; 88 | p[0] = (x >> 56) & 0xff; 89 | } 90 | 91 | static inline uint32_t 92 | le32dec(const void *pp) 93 | { 94 | const uint8_t *p = (uint8_t const *)pp; 95 | 96 | return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) + 97 | ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24)); 98 | } 99 | 100 | static inline void 101 | le32enc(void *pp, uint32_t x) 102 | { 103 | uint8_t * p = (uint8_t *)pp; 104 | 105 | p[0] = x & 0xff; 106 | p[1] = (x >> 8) & 0xff; 107 | p[2] = (x >> 16) & 0xff; 108 | p[3] = (x >> 24) & 0xff; 109 | } 110 | 111 | static inline uint64_t 112 | le64dec(const void *pp) 113 | { 114 | const uint8_t *p = (uint8_t const *)pp; 115 | 116 | return ((uint64_t)(p[0]) + ((uint64_t)(p[1]) << 8) + 117 | ((uint64_t)(p[2]) << 16) + ((uint64_t)(p[3]) << 24) + 118 | ((uint64_t)(p[4]) << 32) + ((uint64_t)(p[5]) << 40) + 119 | ((uint64_t)(p[6]) << 48) + ((uint64_t)(p[7]) << 56)); 120 | } 121 | 122 | static inline void 123 | le64enc(void *pp, uint64_t x) 124 | { 125 | uint8_t * p = (uint8_t *)pp; 126 | 127 | p[0] = x & 0xff; 128 | p[1] = (x >> 8) & 0xff; 129 | p[2] = (x >> 16) & 0xff; 130 | p[3] = (x >> 24) & 0xff; 131 | p[4] = (x >> 32) & 0xff; 132 | p[5] = (x >> 40) & 0xff; 133 | p[6] = (x >> 48) & 0xff; 134 | p[7] = (x >> 56) & 0xff; 135 | } 136 | #endif /* !HAVE_SYS_ENDIAN_H */ 137 | 138 | #endif /* !_SYSENDIAN_H_ */ 139 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/yescrypt-0.8.1/yescrypt-best.c: -------------------------------------------------------------------------------- 1 | #ifdef __SSE2__ 2 | #include "yescrypt-simd.c" 3 | #else 4 | #include "yescrypt-opt.c" 5 | #endif 6 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/yescrypt-0.8.1/yescrypt-common.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2013-2015 Alexander Peslyak 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted. 7 | * 8 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 9 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 10 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 11 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 12 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 13 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 14 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 15 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 16 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 17 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 18 | * SUCH DAMAGE. 19 | */ 20 | 21 | #include 22 | #include 23 | 24 | #include "yescrypt.h" 25 | 26 | #define BYTES2CHARS(bytes) \ 27 | ((((bytes) * 8) + 5) / 6) 28 | 29 | #define HASH_SIZE 32 /* bytes */ 30 | #define HASH_LEN BYTES2CHARS(HASH_SIZE) /* base-64 chars */ 31 | 32 | static const char * const itoa64 = 33 | "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 34 | 35 | static uint8_t * encode64_uint32(uint8_t * dst, size_t dstlen, 36 | uint32_t src, uint32_t srcbits) 37 | { 38 | uint32_t bit; 39 | 40 | for (bit = 0; bit < srcbits; bit += 6) { 41 | if (dstlen < 1) 42 | return NULL; 43 | *dst++ = itoa64[src & 0x3f]; 44 | dstlen--; 45 | src >>= 6; 46 | } 47 | 48 | return dst; 49 | } 50 | 51 | static uint8_t * encode64(uint8_t * dst, size_t dstlen, 52 | const uint8_t * src, size_t srclen) 53 | { 54 | size_t i; 55 | 56 | for (i = 0; i < srclen; ) { 57 | uint8_t * dnext; 58 | uint32_t value = 0, bits = 0; 59 | do { 60 | value |= (uint32_t)src[i++] << bits; 61 | bits += 8; 62 | } while (bits < 24 && i < srclen); 63 | dnext = encode64_uint32(dst, dstlen, value, bits); 64 | if (!dnext) 65 | return NULL; 66 | dstlen -= dnext - dst; 67 | dst = dnext; 68 | } 69 | 70 | return dst; 71 | } 72 | 73 | static int decode64_one(uint32_t * dst, uint8_t src) 74 | { 75 | const char * ptr = strchr(itoa64, src); 76 | if (ptr) { 77 | *dst = ptr - itoa64; 78 | return 0; 79 | } 80 | *dst = 0; 81 | return -1; 82 | } 83 | 84 | static const uint8_t * decode64_uint32(uint32_t * dst, uint32_t dstbits, 85 | const uint8_t * src) 86 | { 87 | uint32_t bit; 88 | uint32_t value; 89 | 90 | value = 0; 91 | for (bit = 0; bit < dstbits; bit += 6) { 92 | uint32_t one; 93 | if (decode64_one(&one, *src)) { 94 | *dst = 0; 95 | return NULL; 96 | } 97 | src++; 98 | value |= one << bit; 99 | } 100 | 101 | *dst = value; 102 | return src; 103 | } 104 | 105 | uint8_t * 106 | yescrypt_r(const yescrypt_shared_t * shared, yescrypt_local_t * local, 107 | const uint8_t * passwd, size_t passwdlen, 108 | const uint8_t * setting, 109 | uint8_t * buf, size_t buflen) 110 | { 111 | uint8_t hash[HASH_SIZE]; 112 | const uint8_t * src, * salt; 113 | uint8_t * dst; 114 | size_t prefixlen, saltlen, need; 115 | uint8_t version; 116 | uint64_t N; 117 | uint32_t r, p; 118 | yescrypt_flags_t flags = 0; 119 | 120 | if (setting[0] != '$' || setting[1] != '7') 121 | return NULL; 122 | src = setting + 2; 123 | switch ((version = *src)) { 124 | case '$': 125 | break; 126 | case 'X': 127 | src++; 128 | flags = YESCRYPT_RW; 129 | break; 130 | default: 131 | return NULL; 132 | } 133 | if (*src != '$') { 134 | uint32_t decoded_flags; 135 | if (decode64_one(&decoded_flags, *src)) 136 | return NULL; 137 | flags = decoded_flags; 138 | if (*++src != '$') 139 | return NULL; 140 | } 141 | src++; 142 | 143 | { 144 | uint32_t N_log2; 145 | if (decode64_one(&N_log2, *src)) 146 | return NULL; 147 | src++; 148 | N = (uint64_t)1 << N_log2; 149 | } 150 | 151 | src = decode64_uint32(&r, 30, src); 152 | if (!src) 153 | return NULL; 154 | 155 | src = decode64_uint32(&p, 30, src); 156 | if (!src) 157 | return NULL; 158 | 159 | prefixlen = src - setting; 160 | 161 | salt = src; 162 | src = (uint8_t *)strrchr((char *)salt, '$'); 163 | if (src) 164 | saltlen = src - salt; 165 | else 166 | saltlen = strlen((char *)salt); 167 | 168 | need = prefixlen + saltlen + 1 + HASH_LEN + 1; 169 | if (need > buflen || need < saltlen) 170 | return NULL; 171 | 172 | if (yescrypt_kdf(shared, local, passwd, passwdlen, salt, saltlen, 173 | N, r, p, 0, 0, flags, hash, sizeof(hash))) 174 | return NULL; 175 | 176 | dst = buf; 177 | memcpy(dst, setting, prefixlen + saltlen); 178 | dst += prefixlen + saltlen; 179 | *dst++ = '$'; 180 | 181 | dst = encode64(dst, buflen - (dst - buf), hash, sizeof(hash)); 182 | /* Could zeroize hash[] here, but yescrypt_kdf() doesn't zeroize its 183 | * memory allocations yet anyway. */ 184 | if (!dst || dst >= buf + buflen) /* Can't happen */ 185 | return NULL; 186 | 187 | *dst = 0; /* NUL termination */ 188 | 189 | return buf; 190 | } 191 | 192 | uint8_t * 193 | yescrypt(const uint8_t * passwd, const uint8_t * setting) 194 | { 195 | static uint8_t buf[4 + 1 + 5 + 5 + BYTES2CHARS(32) + 1 + HASH_LEN + 1]; 196 | yescrypt_local_t local; 197 | uint8_t * retval; 198 | 199 | if (yescrypt_init_local(&local)) 200 | return NULL; 201 | retval = yescrypt_r(NULL, &local, 202 | passwd, strlen((char *)passwd), setting, buf, sizeof(buf)); 203 | if (yescrypt_free_local(&local)) 204 | return NULL; 205 | return retval; 206 | } 207 | 208 | uint8_t * 209 | yescrypt_gensalt_r(uint32_t N_log2, uint32_t r, uint32_t p, 210 | yescrypt_flags_t flags, 211 | const uint8_t * src, size_t srclen, 212 | uint8_t * buf, size_t buflen) 213 | { 214 | uint8_t * dst; 215 | size_t prefixlen = 3 + 1 + 5 + 5; 216 | size_t saltlen = BYTES2CHARS(srclen); 217 | size_t need; 218 | 219 | if (flags) { 220 | if (flags & ~0x3f) 221 | return NULL; 222 | 223 | prefixlen++; 224 | if (flags != YESCRYPT_RW) 225 | prefixlen++; 226 | } 227 | 228 | need = prefixlen + saltlen + 1; 229 | if (need > buflen || need < saltlen || saltlen < srclen) 230 | return NULL; 231 | 232 | if (N_log2 > 63 || ((uint64_t)r * (uint64_t)p >= (1U << 30))) 233 | return NULL; 234 | 235 | dst = buf; 236 | *dst++ = '$'; 237 | *dst++ = '7'; 238 | if (flags) { 239 | *dst++ = 'X'; /* eXperimental, subject to change */ 240 | if (flags != YESCRYPT_RW) 241 | *dst++ = itoa64[flags]; 242 | } 243 | *dst++ = '$'; 244 | 245 | *dst++ = itoa64[N_log2]; 246 | 247 | dst = encode64_uint32(dst, buflen - (dst - buf), r, 30); 248 | if (!dst) /* Can't happen */ 249 | return NULL; 250 | 251 | dst = encode64_uint32(dst, buflen - (dst - buf), p, 30); 252 | if (!dst) /* Can't happen */ 253 | return NULL; 254 | 255 | dst = encode64(dst, buflen - (dst - buf), src, srclen); 256 | if (!dst || dst >= buf + buflen) /* Can't happen */ 257 | return NULL; 258 | 259 | *dst = 0; /* NUL termination */ 260 | 261 | return buf; 262 | } 263 | 264 | uint8_t * 265 | yescrypt_gensalt(uint32_t N_log2, uint32_t r, uint32_t p, 266 | yescrypt_flags_t flags, 267 | const uint8_t * src, size_t srclen) 268 | { 269 | static uint8_t buf[4 + 1 + 5 + 5 + BYTES2CHARS(32) + 1]; 270 | return yescrypt_gensalt_r(N_log2, r, p, flags, src, srclen, 271 | buf, sizeof(buf)); 272 | } 273 | 274 | int 275 | crypto_scrypt(const uint8_t * passwd, size_t passwdlen, 276 | const uint8_t * salt, size_t saltlen, uint64_t N, uint32_t r, uint32_t p, 277 | uint8_t * buf, size_t buflen) 278 | { 279 | yescrypt_local_t local; 280 | int retval; 281 | 282 | if (yescrypt_init_local(&local)) 283 | return -1; 284 | retval = yescrypt_kdf(NULL, &local, 285 | passwd, passwdlen, salt, saltlen, N, r, p, 0, 0, 0, buf, buflen); 286 | if (yescrypt_free_local(&local)) 287 | return -1; 288 | return retval; 289 | } 290 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/yescrypt-0.8.1/yescrypt-platform.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright 2013-2015 Alexander Peslyak 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted. 7 | * 8 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 9 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 10 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 11 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 12 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 13 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 14 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 15 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 16 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 17 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 18 | * SUCH DAMAGE. 19 | */ 20 | 21 | #include 22 | 23 | #define HUGEPAGE_THRESHOLD (12 * 1024 * 1024) 24 | 25 | #ifdef __x86_64__ 26 | #define HUGEPAGE_SIZE (2 * 1024 * 1024) 27 | #else 28 | #undef HUGEPAGE_SIZE 29 | #endif 30 | 31 | static void * 32 | alloc_region(yescrypt_region_t * region, size_t size) 33 | { 34 | size_t base_size = size; 35 | uint8_t * base, * aligned; 36 | #ifdef MAP_ANON 37 | int flags = 38 | #ifdef MAP_NOCORE 39 | MAP_NOCORE | 40 | #endif 41 | MAP_ANON | MAP_PRIVATE; 42 | #if defined(MAP_HUGETLB) && defined(HUGEPAGE_SIZE) 43 | size_t new_size = size; 44 | const size_t hugepage_mask = (size_t)HUGEPAGE_SIZE - 1; 45 | if (size >= HUGEPAGE_THRESHOLD && size + hugepage_mask >= size) { 46 | flags |= MAP_HUGETLB; 47 | /* 48 | * Linux's munmap() fails on MAP_HUGETLB mappings if size is not a multiple of 49 | * huge page size, so let's round up to huge page size here. 50 | */ 51 | new_size = size + hugepage_mask; 52 | new_size &= ~hugepage_mask; 53 | } 54 | base = mmap(NULL, new_size, PROT_READ | PROT_WRITE, flags, -1, 0); 55 | if (base != MAP_FAILED) { 56 | base_size = new_size; 57 | } else 58 | if (flags & MAP_HUGETLB) { 59 | flags &= ~MAP_HUGETLB; 60 | base = mmap(NULL, size, PROT_READ | PROT_WRITE, flags, -1, 0); 61 | } 62 | 63 | #else 64 | base = mmap(NULL, size, PROT_READ | PROT_WRITE, flags, -1, 0); 65 | #endif 66 | if (base == MAP_FAILED) 67 | base = NULL; 68 | aligned = base; 69 | #elif defined(HAVE_POSIX_MEMALIGN) 70 | if ((errno = posix_memalign((void **)&base, 64, size)) != 0) 71 | base = NULL; 72 | aligned = base; 73 | #else 74 | base = aligned = NULL; 75 | if (size + 63 < size) { 76 | errno = ENOMEM; 77 | } else if ((base = malloc(size + 63)) != NULL) { 78 | aligned = base + 63; 79 | aligned -= (uintptr_t)aligned & 63; 80 | } 81 | #endif 82 | region->base = base; 83 | region->aligned = aligned; 84 | region->base_size = base ? base_size : 0; 85 | region->aligned_size = base ? size : 0; 86 | return aligned; 87 | } 88 | 89 | static inline void 90 | init_region(yescrypt_region_t * region) 91 | { 92 | region->base = region->aligned = NULL; 93 | region->base_size = region->aligned_size = 0; 94 | } 95 | 96 | static int 97 | free_region(yescrypt_region_t * region) 98 | { 99 | if (region->base) { 100 | #ifdef MAP_ANON 101 | if (munmap(region->base, region->base_size)) 102 | return -1; 103 | #else 104 | free(region->base); 105 | #endif 106 | } 107 | init_region(region); 108 | return 0; 109 | } 110 | 111 | int 112 | yescrypt_init_shared(yescrypt_shared_t * shared, 113 | const uint8_t * param, size_t paramlen, 114 | uint64_t N, uint32_t r, uint32_t p, 115 | yescrypt_init_shared_flags_t flags, 116 | uint8_t * buf, size_t buflen) 117 | { 118 | yescrypt_shared_t half1, half2; 119 | uint8_t salt[32]; 120 | 121 | if (flags & YESCRYPT_SHARED_PREALLOCATED) { 122 | if (!shared->aligned || !shared->aligned_size) 123 | return -1; 124 | } else { 125 | init_region(shared); 126 | } 127 | if (!param && !paramlen && !N && !r && !p && !buf && !buflen) 128 | return 0; 129 | 130 | if (yescrypt_kdf(NULL, shared, 131 | param, paramlen, NULL, 0, N, r, p, 0, 0, 132 | YESCRYPT_RW | __YESCRYPT_INIT_SHARED_1, 133 | salt, sizeof(salt))) 134 | goto out; 135 | 136 | half1 = half2 = *shared; 137 | half1.aligned_size /= 2; 138 | half2.aligned += half1.aligned_size; 139 | half2.aligned_size = half1.aligned_size; 140 | N /= 2; 141 | 142 | if (p > 1 && yescrypt_kdf(&half1, &half2, 143 | param, paramlen, salt, sizeof(salt), N, r, p, 0, 0, 144 | YESCRYPT_RW | __YESCRYPT_INIT_SHARED_2, 145 | salt, sizeof(salt))) 146 | goto out; 147 | 148 | if (yescrypt_kdf(&half2, &half1, 149 | param, paramlen, salt, sizeof(salt), N, r, p, 0, 0, 150 | YESCRYPT_RW | __YESCRYPT_INIT_SHARED_1, 151 | salt, sizeof(salt))) 152 | goto out; 153 | 154 | if (yescrypt_kdf(&half1, &half2, 155 | param, paramlen, salt, sizeof(salt), N, r, p, 0, 0, 156 | YESCRYPT_RW | __YESCRYPT_INIT_SHARED_1, 157 | buf, buflen)) 158 | goto out; 159 | 160 | return 0; 161 | 162 | out: 163 | if (!(flags & YESCRYPT_SHARED_PREALLOCATED)) 164 | free_region(shared); 165 | return -1; 166 | } 167 | 168 | int 169 | yescrypt_free_shared(yescrypt_shared_t * shared) 170 | { 171 | return free_region(shared); 172 | } 173 | 174 | int 175 | yescrypt_init_local(yescrypt_local_t * local) 176 | { 177 | init_region(local); 178 | return 0; 179 | } 180 | 181 | int 182 | yescrypt_free_local(yescrypt_local_t * local) 183 | { 184 | return free_region(local); 185 | } 186 | -------------------------------------------------------------------------------- /reference/yescrypt-0.8.1/yescrypt-phc.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/defuse/yescrypt/6548e8b4c5c70505a595bdc3e947831f1d6390eb/reference/yescrypt-0.8.1/yescrypt-phc.pdf -------------------------------------------------------------------------------- /ruby/yescrypt_cli.rb: -------------------------------------------------------------------------------- 1 | require_relative 'Yescrypt.rb' 2 | 3 | if ARGV.length < 1 4 | puts "Not enough arguments." 5 | exit(false) 6 | end 7 | 8 | case ARGV[0] 9 | when "yescrypt" 10 | if ARGV.length != 10 11 | puts "Wrong number of arguments for yescrypt" 12 | exit(false) 13 | end 14 | result = Yescrypt.calculate( 15 | [ARGV[1]].pack("H*"), # password 16 | [ARGV[2]].pack("H*"), # salt 17 | ARGV[3].to_i, # N 18 | ARGV[4].to_i, # r 19 | ARGV[5].to_i, # p 20 | ARGV[6].to_i, # t 21 | ARGV[7].to_i, # g 22 | ARGV[8].to_i, # flags 23 | ARGV[9].to_i # dkLen 24 | ) 25 | print result 26 | when "pwxform" 27 | if ARGV.length != 3 28 | puts "Wrong number of arguments for pwxform" 29 | exit(false) 30 | end 31 | 32 | input = [ARGV[1]].pack("H*") 33 | input = input.unpack("V*") 34 | sbox = [ARGV[2]].pack("H*") 35 | sbox = sbox.unpack("V*") 36 | sbox = Yescrypt::Sbox.new(sbox) 37 | Yescrypt.pwxform(input, sbox) 38 | binary = input.pack("V*") 39 | print binary 40 | when "salsa20_8" 41 | if ARGV.length != 2 42 | puts "Wrong number of arguments for salsa20_8" 43 | exit(false) 44 | end 45 | 46 | binary = [ARGV[1]].pack("H*") 47 | ints = binary.unpack("VVVVVVVVVVVVVVVV") 48 | Yescrypt.salsa20_8_core_ints(ints, 8) 49 | binary = ints.pack("VVVVVVVVVVVVVVVV") 50 | print binary 51 | else 52 | puts "Bad function." 53 | exit(false) 54 | end 55 | 56 | exit(true) 57 | -------------------------------------------------------------------------------- /run-benchmarks.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | # the end result is one of these for each implementation 4 | class ImplementationResult 5 | # TODO: an assoc array for parameters... 6 | # TODO: variables for pwxform and shit 7 | # TODO:...this should actually contain the code for benchmarking this 8 | # implementation 9 | end 10 | 11 | # the result of an individual run 12 | class ImplementationRunResult 13 | attr_accessor :success, :calls_per_sec 14 | end 15 | 16 | class Implementation 17 | attr_accessor :command, :performance_log_scale 18 | 19 | def initialize(command, performance_log_scale) 20 | @command = command 21 | @performance_log_scale = performance_log_scale 22 | end 23 | 24 | # TODO: these all return an ImpelemntationRunResult, note the success member 25 | def runYescryptBenchmark(yescrypt_parameters) 26 | # TODO: commands here, return c/s amount 27 | end 28 | 29 | def runPwxformBenchmark 30 | 31 | end 32 | 33 | def runSalsa20_8Benchmark 34 | 35 | end 36 | 37 | def get_scaled_iteration_count(iteration_count) 38 | performance_log_scale << @performance_log_scale 39 | end 40 | end 41 | 42 | class YescryptParameters 43 | attr_accessor :n, :r, :p, :t, :g, :flags, :dkLen, :benchmark_iterations 44 | 45 | def initialize(n, r, p, t, g, flags, dkLen, benchmark_iterations) 46 | @n = n 47 | @r = r 48 | @p = p 49 | @t = t 50 | @g = g 51 | @flags = flags 52 | @dkLen = dkLen 53 | @benchmark_iterations = benchmark_iterations 54 | end 55 | end 56 | 57 | IMPLEMENTATIONS = [ 58 | # Javascript 59 | Implementation.new( 60 | "node javascript/yescrypt-cli.js", 61 | 0 62 | ), 63 | # PHP 64 | Implementation.new( 65 | "node javascript/yescrypt-cli.js", 66 | -4 67 | ), 68 | ] 69 | 70 | YESCRYPT_PARAMETERS = [ 71 | # TODO: fill in more. 72 | YescryptParameters.new(4, 8, 1, 0, 0, 2048), 73 | YescryptParameters.new(4, 8, 1, 0, 1, 2048) 74 | ] 75 | 76 | class BenchmarkResult 77 | attr_accessor samples, mean 78 | 79 | def initialize(samples) 80 | # TODO: compute the mean etc. from samples 81 | # TODO: 'nil' in samples array means error 82 | @samples = samples 83 | @mean = nil 84 | end 85 | 86 | end 87 | 88 | def benchmark 89 | samples = [] 90 | SAMPLE_COUNT.times do |s| 91 | samples << yield 92 | end 93 | return BenchmarkResult.new(samples) 94 | end 95 | 96 | SAMPLE_COUNT = 5 97 | 98 | IMPLEMENTATIONS.each do |implementation| 99 | 100 | YESCRYPT_PARAMETERS.each do |parameters| 101 | xxx = benchmark do 102 | implementation.runYescryptBenchmark(parameters) 103 | end 104 | end 105 | 106 | xxx = benchmark do 107 | implementation.runPwxformBenchmark() 108 | end 109 | 110 | xxx = benchmark do 111 | implementation.runSalsa20_8Benchmark() 112 | end 113 | 114 | end 115 | 116 | # TODO: output a report 117 | -------------------------------------------------------------------------------- /test-javascript-simd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Build the testing tool. 4 | cd reference/yescrypt-0.8.1/yescrypt-0.8.1 5 | make ref 6 | 7 | ./tester "node ../../../javascript/yescrypt-cli.js SIMD" 8 | 9 | if [ $? -ne 0 ]; then 10 | echo "FAIL." 11 | exit 1 12 | fi 13 | 14 | echo "All tests pass." 15 | exit 0 16 | -------------------------------------------------------------------------------- /test-javascript.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Build the testing tool. 4 | cd reference/yescrypt-0.8.1/yescrypt-0.8.1 5 | make ref 6 | 7 | ./tester "node ../../../javascript/yescrypt-cli.js" 8 | 9 | if [ $? -ne 0 ]; then 10 | echo "FAIL." 11 | exit 1 12 | fi 13 | 14 | echo "All tests pass." 15 | exit 0 16 | -------------------------------------------------------------------------------- /test-php.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Build the testing tool. 4 | cd reference/yescrypt-0.8.1/yescrypt-0.8.1 5 | make ref 6 | ./tester 'php ../../../php/yescrypt_cli.php' 7 | 8 | if [ $? -ne 0 ]; then 9 | echo "FAIL." 10 | exit 1 11 | fi 12 | 13 | echo "All tests pass." 14 | exit 0 15 | -------------------------------------------------------------------------------- /test-python.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Build the testing tool. 4 | cd reference/yescrypt-0.8.1/yescrypt-0.8.1 5 | make ref 6 | 7 | ./tester "python2 ../../../python/yescrypt-cli.py" 8 | 9 | if [ $? -ne 0 ]; then 10 | echo "FAIL." 11 | exit 1 12 | fi 13 | 14 | echo "All tests pass." 15 | exit 0 16 | -------------------------------------------------------------------------------- /test-ruby.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Build the testing tool. 4 | cd reference/yescrypt-0.8.1/yescrypt-0.8.1 5 | make ref 6 | ./tester 'ruby ../../../ruby/yescrypt_cli.rb' 7 | 8 | if [ $? -ne 0 ]; then 9 | echo "FAIL." 10 | exit 1 11 | fi 12 | 13 | echo "All tests pass." 14 | exit 0 15 | -------------------------------------------------------------------------------- /travis/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | case "${TORUN}" in 6 | ruby) 7 | echo "Running the Ruby tests..." 8 | ruby -v 9 | ./test-ruby.sh 10 | ;; 11 | php) 12 | echo "Running the PHP tests..." 13 | php -v 14 | ./test-php.sh 15 | ;; 16 | *) 17 | exit 1 18 | ;; 19 | esac 20 | --------------------------------------------------------------------------------