1998: validation vs. cracking speed ratio Bitslice DES made it apparent that even an attacker possessing only the same kind of CPU that is used by the defender (such as in an authentication server) has a speed advantage resulting from the inherent parallelism of password cracking (test many passwords) "You can increase the iteration count, but you're limited with the validation time. [...] it is important to make sure that the best implementation of the same hash, but optimized for cracking (multiple keys at a time), is not much faster than the password validation function." "One-way hash choice: make sure it can't be made faster by a bitslice implementation, or mixing the instructions from two separate hashes (for higher issue rate). That is, the function should have a lot of natural parallelism, so that we can exploit it all in the validation function." Solar Designer, "bitslice & crypt(3) choice", comp.security.unix posting, 1998