[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: scrypt with "odd" r or N (Re: Canonical way to invoke the KDF?)

To: Solar Designer <solar@openwall.com>
Subject: Re: scrypt with "odd" r or N (Re: Canonical way to invoke the KDF?)
From: Colin Percival <cperciva@tarsnap.com>
Date: Sat, 16 Nov 2013 13:48:27 -0800
Cc: scrypt@tarsnap.com
In-reply-to: <20131116020854.GA4910@openwall.com>
References: <CAE_Hg6Zcj_XxkTTwdnXf_pufXymn_td33vkEXoA+iAssjpOMEg@mail.gmail.com> <5286A858.3060906@tarsnap.com> <8D59C062-A34A-4FF9-9B76-5034B1918779@flownet.com> <5286CB88.5010100@tarsnap.com> <20131116020854.GA4910@openwall.com>

On 11/15/13 18:08, Solar Designer wrote:
> On Fri, Nov 15, 2013 at 05:34:00PM -0800, Colin Percival wrote:
>> The scrypt algorithm is specified as operating on arbitrary N; it's just
>> this particular implementation which is limited in the values it can
>> handle.
> 
> When N is not a power of 2, any definition of Integerify() would result
> in a non-uniform distribution of the resulting indices.  While this may
> be acceptable, it let's say does not feel nice.

Having probabilities which are off by less than 2^-128 doesn't exactly matter.

> Which do you think is a better way to handle "odd" total memory sizes
> (if optimal for a certain platform and certain throughput and latency
> constraints):
> 
> 1. Use "odd" values of r.
> 
> -OR-
> 
> 2. Use "odd" values of N _and_ revise Integerify() accordingly
> (arbitrary modulo division?)

No revision necessary: The scrypt algorithm as defined in my paper sets
Integerify = the 128-bit integer generated by interpreting B_{2r-1} as a
little-endian integer, and ROMix explicitly reduces this modulo N.

The "take the bottom n bits of the first word in B_{2r-1}" is just an
optimization for the case where N = 2^n.

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid

Follow-Ups:
- Re: scrypt with "odd" r or N (Re: Canonical way to invoke the KDF?)
  - From: Solar Designer <solar@openwall.com>

References:
- Canonical way to invoke the KDF?
  - From: Laurens Van Houtven <_@lvh.cc>
- Re: Canonical way to invoke the KDF?
  - From: Colin Percival <cperciva@tarsnap.com>
- Re: Canonical way to invoke the KDF?
  - From: Ron Garret <ron@flownet.com>
- Re: Canonical way to invoke the KDF?
  - From: Colin Percival <cperciva@tarsnap.com>
- scrypt with "odd" r or N (Re: Canonical way to invoke the KDF?)
  - From: Solar Designer <solar@openwall.com>

Prev by Date: scrypt with "odd" r or N (Re: Canonical way to invoke the KDF?)
Next by Date: Re: scrypt with "odd" r or N (Re: Canonical way to invoke the KDF?)
Previous by thread: scrypt with "odd" r or N (Re: Canonical way to invoke the KDF?)
Next by thread: Re: scrypt with "odd" r or N (Re: Canonical way to invoke the KDF?)
Index(es):
- Date
- Thread