Light use of ROM on SSD Rather than use our SSD ROM throughout hash computation, we can access it just once before a final cryptographically secure step (e.g., before the final PBKDF2-HMAC-SHA-256 invocation in a revision of scrypt) This is much simpler to implement and it avoids the issues/concerns with using SSDs It is friendly towards other uses of the same SSDs since we would only be making ~1000 requests/s from each machine (one request per hash computed), which is more than an order of magnitude below SSDs' IOPS capacity The attacker will need to have access to a copy of the SSD ROM for offline password cracking, but will not need to distribute it to attack nodes