Revising scrypt's ROMix algorithm ROMix algorithm description by Colin Percival, "Stronger key derivation via sequential memory-hard functions", 2009 What if we reuse the same ROM across hash computations? Not a sequential memory-hard function anymore, but the ROM can be arbitrarily large for any throughput and latency Attacker's cost per candidate password tested is in ROM access ports and bandwidth Can do it once Any iteration count