[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Scrypt using SHA-3

To: Ryan Carboni <ryacko@gmail.com>, scrypt@tarsnap.com
Subject: Re: Scrypt using SHA-3
From: Colin Percival <cperciva@tarsnap.com>
Date: Mon, 28 Apr 2014 17:46:00 -0700
In-reply-to: <CAO7N=i0jTBam-Lg2Nr_9-i0+1Mdr1Hrue1+d5u_YEzU7DgJfoQ@mail.gmail.com>
References: <CAO7N=i0jTBam-Lg2Nr_9-i0+1Mdr1Hrue1+d5u_YEzU7DgJfoQ@mail.gmail.com>

On 04/28/14 17:33, Ryan Carboni wrote:
> To my knowledge, SHA-3 uses a sponge function, allowing it to have arbitrary length.
> 
> Will there be a version of scrypt which replaces the Salsa stream cipher and the
> use of SHA256 and replaces it with SHA-3? While I'm not sure of the die area of
> SHA-3, it does require as much RAM to run as SHA-256
> (https://eprint.iacr.org/2009/260.pdf), but that can be remedied by
> standardizing multi-kibibyte long outputs and using numerous iterations.

That would weaken scrypt by a constant factor.  You want to maximize
	[software bandwidth]^2 / [hardware bandwidth]
and keccak has very high hardware bandwidth.

A few more comments here:
https://news.ycombinator.com/item?id=7482532

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid

References:
- Scrypt using SHA-3
  - From: Ryan Carboni <ryacko@gmail.com>

Prev by Date: Re: Scrypt using SHA-3
Next by Date: Re: Scrypt using SHA-3
Previous by thread: Re: Scrypt using SHA-3
Next by thread: Re: Scrypt using SHA-3
Index(es):
- Date
- Thread