Date: Sat, 19 Jan 2013 00:39:08 -0800 From: Colin Percival <cperciva@...mni.sfu.ca> To: crypt-dev@...ts.openwall.com CC: Christian Forler <christian.forler@...-weimar.de> Subject: Re: Password Scrambling On 01/19/13 00:27, Christian Forler wrote: > Am 19.01.2013 00:54, schrieb >> On 01/18/13 13:13, Christian Forler wrote: >>> Anyway! In the next couple of weeks, we will write an academic paper >>> introducing a new password scrambler (key derivation function). After >>> that, I will try to supply you with an abbreviated version of our >>> extended abstract, if desired. >> >> I'd be happy to see this. I assume you're familiar with my work on scrypt. > > Of course, I'm familiar with scrypt. You did a great job. Your idea of > using a memory-hard algorithm was beautiful. Note that it needs to be *sequential* memory-hard, not just memory-hard -- it's easy to construct functions which need a lot of RAM to compute, but much harder to construct functions which require a lot of RAM *and* cannot be sped up by using O(N) CPUs. In hardware, of course, extra CPUs are "free". > For us scrypt was a great start, and you can bet that we will discuss > scrypt in our upcoming paper. > > BTW I have two questions regarding scrypt. > 1) Why using two different crypto primitives, i.e., Salsa/20 (MFcrypt) > and SHA-1 (PBKDF2), instead of one? I used salsa20/8 in the sequential memory-hard component because it gave the best strength against hardware attack -- because it's both fast in software and slow(ish) in hardware. I used PBKDF2-SHA256 in the "wrapper" because it's a standard and well trusted construction. > 2) Why is PBKDF2 called twice and not once? Because I wanted to allow scrypt to take arbitary input and output sizes, while having the sequential memory-hard component work with a fixed block size. I don't use PBKDF2 for any computational hardness; rather, it's a safe way to spread entropy around. > Nevertheless, in IMHO is scrypt superior to all other common password > scrambling algorithms like md5crypt, crypt, PBKDF1/2, bcrypt, etc. I wouldn't have bothered if it wasn't. ;-) Colin Percival
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.