Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 19 Dec 2013 06:31:43 +0400
From: Solar Designer <solar@...nwall.com>
To: crypt-dev@...ts.openwall.com
Subject: Re: scrypt parallelism vs. area-time vs. TMTO resistance

On Thu, Dec 19, 2013 at 06:08:53AM +0400, Solar Designer wrote:
>  * Classic scrypt is available by setting flags to ESCRYPT_WORM [...]
> [...] In this mode, the thread-local memory region (RAM)
>  * is first sequentially written to and then randomly read from.  This
>  * algorithm is friendly towards time-memory tradeoffs, available both to
>  * defenders (albeit not in this implementation) and to attackers.
>  *
>  * Setting ESCRYPT_RW adds extra random reads and writes to the thread-local
>  * memory region (RAM), which makes time-memory tradeoffs less efficient.
>  * This may be used to slow down the kinds of attackers who would otherwise
>  * benefit from classic scrypt's efficient time-memory tradeoff.

I realized the above quote may be confusing in what "thread-local memory
region" refers to, so I'd like to clarify: it's about possible use of
threads by the calling application, not about possible (additional) use
of threads (for p>1) by an optimized implementation of escrypt.  [ The
comment talks about it because there's also a possible data structure
that is shared between the application-level threads (if they exist at
all), and is naturally read-only to the threads. ]

In other words, this quote's mention of threads is irrelevant to the
(different) threads that I was talking about in the previous message.
The rest of the source code comment that this quote came from is
nevertheless relevant.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ