[148764] in cryptography@c2.net mail archive
Re: [Cryptography] A modification to scrypt to reduce side channel
daemon@ATHENA.MIT.EDU (Jerry Leichter)
Fri Dec 27 12:01:01 2013
X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <CAOLP8p55YPV0VBptL=O=dPGaN8Zft9UbTbFe8bPJBDY0bGSUrw@mail.gmail.com>
Date: Fri, 27 Dec 2013 06:12:46 -0500
To: Bill Cox <waywardgeek@gmail.com>
Cc: Krisztián Pintér <pinterkr@gmail.com>,
Colin Percival <cperciva@tarsnap.com>,
Cryptography <cryptography@metzdowd.com>,
Arnold Reinhold <agr@me.com>, scrypt@tarsnap.com
On Dec 26, 2013, at 8:09 PM, Bill Cox wrote:
> .... If we use a memory hard KDF that hashes 4 GB with RNG data on our PCs in 1 second....
OK, so now we've moved from abstraction to a concrete proposal.
And just who would use such a KDF? Tying up 4GB for a second is a very expensive proposition on a server. People have to manage thousands of logins a second, so you're talking about devoting Terabytes of main memory - not disk or SSD - *just to logins*.
You've suggested doing the KDF computation on the client. How many clients have 4GB of free memory? I've got a laptop with 8GB of memory. When in active use, it never has even 2GB free. Maybe my laptop can do the computation - but it will take a while because it'll have to swap stuff out. (And of course then they'll have to swap it back in.) I see this happen periodically when I've got a bit too much stuff running, and it ain't pretty. Hardly any user would be willing to accept the performance loss.
As for portable devices - I'm not sure any of them actually *have* 4GB of RAM in total. And the power costs of pegging the CPU for a second are non-trivial, too. So basically you're writing them all off.
The parameters you've suggested basically limit secure communication to someone with the NSA's resources. :-)
-- Jerry
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography