Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20121116042112.GA12087@openwall.com>
Date: Fri, 16 Nov 2012 08:21:12 +0400
From: Solar Designer <solar@...nwall.com>
To: Colin Percival <cperciva@...snap.com>
Cc: crypt-dev@...ts.openwall.com
Subject: revising scrypt to use more memory per time

Colin, all -

Besides possibly reducing the Salsa20 rounds count (which has the
side-effect of reducing scalability for concurrent instances on
multi-CPU systems), what do you think of reducing the iteration count of
the second loop in SMix?

Having it run for exactly N iterations appears to be arbitrary.  At N,
it uses about 63% of V elements.  At e.g. N/16, it'd use about 6% of V
elements - but the total running time of scrypt will be almost twice
lower, thereby letting us use a twice higher N.  So for the same running
time the absolute number of N elements accessed by SMix's second loop
would reduce by about a factor of 5 (63% to 12% of original N), but the
memory usage would be doubled.  Sounds like a good trade-off to me.
In fact, we could probably take it further: as long as it's not known in
advance which V elements will be needed, the attacker has to either
consume memory to store them all or recompute them as needed from the
elements that the attacker does store - the same TMTO that scrypt has in
its original design.

A drawback is that defeating this TMTO becomes harder.  It may amount to
revising the first loop such that on one hand all intermediate values
still have to be computed, but on the other it is no longer practical to
compute one V element from another.  I think this may be accomplished by
storing H2(X) instead of X itself, where H2() is some cryptographic hash
function different from H() (e.g., it can be H() applied to slightly
different input, such as with shuffling or with a constant XOR'ed in).

What do you think?

BTW, I am currently posting messages on scrypt proper to the scrypt
list, but on possible obviously incompatible changes to scrypt to this
list.  Is this fine, or should I move all scrypt-related discussions,
including of obviously incompatible and major changes, to the scrypt
list?  I guess that at some point the proposed changes might be so
invasive that there won't be much left from the original scrypt, making
this obviously off-topic for the scrypt list. ;-)  So compatibility with
official scrypt is where I draw the line now.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.