[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: optimized/specialized/revised scrypt implementations

To: Solar Designer <solar@openwall.com>
Subject: Re: optimized/specialized/revised scrypt implementations
From: Colin Percival <cperciva@tarsnap.com>
Date: Sun, 18 Nov 2012 03:10:05 -0800
Cc: scrypt@tarsnap.com
In-reply-to: <20121117014021.GA15729@openwall.com>
References: <20121117014021.GA15729@openwall.com>

On 11/16/12 17:40, Solar Designer wrote:
> One curious aspect is that it includes a version with 3x interleave
> (3 instances of scrypt are computed with inter-mixed instructions for
> greater instruction-level parallelism).  This confirms my gut feeling
> that Salsa20 core does not contain sufficient parallelism for some
> current CPUs.

BTW, taking advantage of CPU parallelism is useful, but not if it also
allows attackers to take advantage of more parallelism.  One of the topics
I'm going to address in my passwords'12 talk is the choice of building
blocks for scrypt... I'll post my slides here once I've written them.

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid

Follow-Ups:
- Re: optimized/specialized/revised scrypt implementations
  - From: Solar Designer <solar@openwall.com>

References:
- optimized/specialized/revised scrypt implementations
  - From: Solar Designer <solar@openwall.com>

Prev by Date: Re: scrypt time-memory tradeoff
Next by Date: Re: scrypt time-memory tradeoff
Previous by thread: optimized/specialized/revised scrypt implementations
Next by thread: Re: optimized/specialized/revised scrypt implementations
Index(es):
- Date
- Thread