[Cryptography] A modification to scrypt to reduce side channel risk
Jerry Leichter
leichter at lrw.com
Fri Dec 27 06:12:46 EST 2013
On Dec 26, 2013, at 8:09 PM, Bill Cox wrote:
> .... If we use a memory hard KDF that hashes 4 GB with RNG data on our PCs in 1 second....
OK, so now we've moved from abstraction to a concrete proposal.
And just who would use such a KDF? Tying up 4GB for a second is a very expensive proposition on a server. People have to manage thousands of logins a second, so you're talking about devoting Terabytes of main memory - not disk or SSD - *just to logins*.
You've suggested doing the KDF computation on the client. How many clients have 4GB of free memory? I've got a laptop with 8GB of memory. When in active use, it never has even 2GB free. Maybe my laptop can do the computation - but it will take a while because it'll have to swap stuff out. (And of course then they'll have to swap it back in.) I see this happen periodically when I've got a bit too much stuff running, and it ain't pretty. Hardly any user would be willing to accept the performance loss.
As for portable devices - I'm not sure any of them actually *have* 4GB of RAM in total. And the power costs of pegging the CPU for a second are non-trivial, too. So basically you're writing them all off.
The parameters you've suggested basically limit secure communication to someone with the NSA's resources. :-)
-- Jerry