[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Scrypt using SHA-3

Thank you, that's interesting.

Now, just a minor question about the influence of various variables for Scrypt.

Would halving N and doubling r reduce CPU consumption not weaken security excessively? I'm only asking because my webhost focuses on CPU operations.

On Mon, Apr 28, 2014 at 5:47 PM, Colin Percival <cperciva@tarsnap.com> wrote:
On 04/28/14 17:33, Ryan Carboni wrote:
> To my knowledge, SHA-3 uses a sponge function, allowing it to have arbitrary length.
> Will there be a version of scrypt which replaces the Salsa stream cipher and the
> use of SHA256 and replaces it with SHA-3? While I'm not sure of the die area of
> SHA-3, it does require as much RAM to run as SHA-256
> (https://eprint.iacr.org/2009/260.pdf), but that can be remedied by
> standardizing multi-kibibyte long outputs and using numerous iterations.

That would weaken scrypt by a constant factor.  You want to maximize
        [software bandwidth]^2 / [hardware bandwidth]
and keccak has very high hardware bandwidth.

A few more comments here:

Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid