[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Scrypt using SHA-3

On 04/28/14 17:33, Ryan Carboni wrote:
> To my knowledge, SHA-3 uses a sponge function, allowing it to have arbitrary length.
> Will there be a version of scrypt which replaces the Salsa stream cipher and the
> use of SHA256 and replaces it with SHA-3? While I'm not sure of the die area of
> SHA-3, it does require as much RAM to run as SHA-256
> (https://eprint.iacr.org/2009/260.pdf), but that can be remedied by
> standardizing multi-kibibyte long outputs and using numerous iterations.

That would weaken scrypt by a constant factor.  You want to maximize
	[software bandwidth]^2 / [hardware bandwidth]
and keccak has very high hardware bandwidth.

A few more comments here:

Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid