[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cryptography] A modification to scrypt to reduce side channel risk

On Dec 26, 2013, at 8:09 PM, Bill Cox wrote:
....  If we use a memory hard KDF that hashes 4 GB with RNG data on our PCs in 1 second....
OK, so now we've moved from abstraction to a concrete proposal.

And just who would use such a KDF?  Tying up 4GB for a second is a very expensive proposition on a server.  People have to manage thousands of logins a second, so you're talking about devoting Terabytes of main memory - not disk or SSD - *just to logins*.

You've suggested doing the KDF computation on the client.  How many clients have 4GB of free memory?  I've got a laptop with 8GB of memory.  WHen in active use, it never has even 2GB free.  Maybe my laptop can do the computation - but it will take a while because it'll have to swap stuff out.  (And of course then they'll have to swap it back in.)  I see this happen periodically when I've got a bit too much stuff running, and it ain't pretty.  Hardly any user would be willing to accept the performance loss.

As for portable devices - I'm not sure any of the actually *have* 4GB of RAM in total.  And the power costs of pegging the CPU for a second are non-trivial, too.  So basically you're writing them all off.

The parameters you've suggested basically limit secure communication to someone with the NSA's resources.  :-)
                                                        -- Jerry