Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 19 Jan 2013 00:39:08 -0800
From: Colin Percival <>
CC: Christian Forler <>
Subject: Re: Password Scrambling

On 01/19/13 00:27, Christian Forler wrote:
> Am 19.01.2013 00:54, schrieb
>> On 01/18/13 13:13, Christian Forler wrote:
>>> Anyway! In the next couple of weeks, we will write an academic paper
>>> introducing a new password scrambler (key derivation function). After
>>> that, I will try to supply you with an abbreviated version of our
>>> extended abstract, if desired.
>> I'd be happy to see this.  I assume you're familiar with my work on scrypt.
> Of course, I'm familiar with scrypt. You did a great job. Your idea of
> using a memory-hard algorithm was beautiful.

Note that it needs to be *sequential* memory-hard, not just memory-hard -- it's
easy to construct functions which need a lot of RAM to compute, but much harder
to construct functions which require a lot of RAM *and* cannot be sped up by
using O(N) CPUs.  In hardware, of course, extra CPUs are "free".

> For us scrypt was a great start, and you can bet that we will discuss
> scrypt in our upcoming paper.
> BTW I have two questions regarding scrypt.
> 1) Why using two different crypto primitives, i.e., Salsa/20 (MFcrypt)
> and SHA-1 (PBKDF2), instead of one?

I used salsa20/8 in the sequential memory-hard component because it gave
the best strength against hardware attack -- because it's both fast in
software and slow(ish) in hardware.

I used PBKDF2-SHA256 in the "wrapper" because it's a standard and well
trusted construction.

> 2) Why is PBKDF2 called twice and not once?

Because I wanted to allow scrypt to take arbitary input and output sizes,
while having the sequential memory-hard component work with a fixed block
size.  I don't use PBKDF2 for any computational hardness; rather, it's a
safe way to spread entropy around.

> Nevertheless, in IMHO is scrypt superior to all other common password
> scrambling algorithms like md5crypt, crypt, PBKDF1/2, bcrypt, etc.

I wouldn't have bothered if it wasn't. ;-)

Colin Percival

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.