[Cryptography] Serious paranoia...

Krisztián Pintér pinterkr at gmail.com
Fri Dec 27 07:08:40 EST 2013


Theodore Ts'o (at Friday, December 27, 2013, 1:02:51 AM):

> But first, if you think it's easy, sure, propose a new KDF that you
> think is superior.

That is exactly my problem. I can't. There are proposals out there, and I
have an idea too, that don't use secret-based indexing. However, those
are, including mine, not sequential memory-hard, and thus not in every
respect better than scrypt. It is a tradeoff.

And the only thing I could come up with to prevent filling the RAM
with secret is simply using encryption with a random key. It adds CPU
load, which is a pure disadvantage, since the brute-force
implementation can simply skip it. It is not a showstopper, though,
but I doubt I can convince anybody to do that. Luckily, it is an
implementation issue, and can be added at any time to any algorithm
with full backward compatibility.
