Personally I think "GPU friendly" is not a great thing for passwords, since
GPUs are asymmetrically more popular with attackers, but you might be
interested in checking out the "Vertcoin" project: https://vertcoin.org/

It's a cryptocoin, similar to Bitcoin, with the gimmick that they have
always tried to target the GPU mining audience. Their proof of work
started out with an adaptive N scrypt algorithm, but when KnC released
scrypt ASICs, they pivoted to a modified Lyra2, at which point a large
botnet took control of most of the mining power, and they pivoted again
with a Lyra2 more finely tuned for modern GPUs.

I think the ideal goal for password algorithms is CPU friendly, where the
most efficient machinery for calculating the hash is a commodity CPU. At
that point, you could roll your own ASICs, but they wouldn't be much better
than what you could just pick up at Best Buy, and you'd lose out on the
economies of scale that CPU vendors have.

- DEAN

It's not that simple. (Maybe you over-simplified on purpose.) There's
a need to distinguish sequential memory-hard (as formally introduced
with scrypt) and parallelizable/amortizable memory-hard. And there are
specific parameters to be "ASIC/GPU resistant" to varying extent. BTW,
the scrypt paper doesn't even mention GPUs.
Yes.

You might misunderstand "memory-hard" as meaning "memory-bound", but
those are distinct properties. (Or maybe you're over-simplifying.)

Memory-hardness is passing onto the attacker the cost of memory itself
(die area occupied by memory), not the cost of providing a certain
memory bandwidth. So you need to distinguish: sequential memory-hard,
parallelizable/amortizable memory-hard, and memory-bound. There may
also be combinations of these.

To address the potential for reduction in the "time" factor in
memory*time in an ASIC with higher memory bandwidth, sequential
memory-hard schemes do quite some computation. The extra bandwidth
isn't really beneficial to an attacker unless there's sufficient memory
(aka sufficient die area occupied by memory) to accommodate a larger
number of instances, and/or there's a corresponding increase in
computation speed within each one instance. This is why some PHC
schemes introduced compute latency hardening through integer
multiplication and/or small S-box lookups (taking on the order of ~1ns
on a CPU and presumably similar in an ASIC).
Yes. As it happens, scrypt at low N and r=1, much like it's "misused"
in Litecoin, is very GPU friendly. Litecoin uses p=1, but if you want
to occupy the entire GPU by one hash computation, you can set p to a
high value (thousands). Of course, ASICs do better yet.

For asymmetric PoW, as it happens Equihash (at least as used in Zcash)
is very GPU friendly. ASICs are likely to do better yet (although it'd
take more R&D effort than Litecoin scrypt ASICs did):

http://www.openwall.com/articles/Zcash-Equihash-Analysis

These two are very different: scrypt is sequential-memory hard, which we
mostly undo with low N and high p, while Equihash is parallelizable
memory-hard and likely memory-bound as it is.
Sort of, but "very unlikely" is an exaggeration. GPUs are not that
specialized, and cost efficiency improvement is generally possible (the
questions are: at what budget and by how much).

That said, I do feel that running on a GPU and not making use of its
computing power (which scrypt and Equihash use little of) is a waste.
So if I were to target a GPU in a sequential-memory hard scheme, I'd
probably include some compute latency hardening through multiplication
e.g. by using yescrypt with unusually tiny pwxform S-boxes (like 256
bytes per instance) or effectively without them at all (a modification,
or size so tiny it's not requiring a local memory lookup but merely a
conditional move from one of a couple of registers).
Yes, but when you consider the overhead of less standard hardware
acquisition and systems administration, and the extra bugs and security
vulnerabilities of GPUs/drivers (forcibly giving up on local security in
those systems), and compare that against deploying HSM-alikes (similar
overhead), the latter may end up winning. They would not provide the
heavy hashing, but instead they'd hold secrets (e.g. a hash encryption
key). You would still be able to do some heavy processing on the host
(in case an HSM secret leaks).
Yes.
That's questionable.

Then there's also that "ROM-port-hardness" aspect I introduced in 2012.
With it in the mix, even ASICs would need to provide the, say, 112 GiB
of memory - and efficiently sharing it across a large number of ASICs
(to amortize its cost to an attacker) isn't that easy nor cheap.
Like I said, yes. But I currently don't recommend that.

BTW, 10ms is a lot for a deployment that is large-scale enough it would
even consider customizing the hardware. It's not typical. But if you
can afford that, it means you can do ~128 MiB (ye)scrypt on CPUs in a
typical dual-socket server. That's unusually high as it is. And you
can add to that e.g. a 112 GiB ROM, still staying only with standard
server hardware (CPUs+RAM). Then why also bother with GPUs?

Alexander

P.S. Why the "Fwd" in the Subject? Are you adding to some old thread?