[148769] in cryptography@c2.net mail archive
Re: [Cryptography] Serious paranoia...
daemon@ATHENA.MIT.EDU (Krisztián Pintér)
Fri Dec 27 12:05:22 2013
X-Original-To: cryptography@metzdowd.com
Date: Fri, 27 Dec 2013 13:08:40 +0100
From: Krisztián Pintér <pinterkr@gmail.com>
To: Theodore Ts'o <tytso@mit.edu>
In-Reply-To: <20131227000251.GA6499@thunk.org>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
Theodore Ts'o (at Friday, December 27, 2013, 1:02:51 AM):
> But first, if you think it's easy, sure, propose a new KDF that you
> think is superior.
That is exactly my problem. I can't. There are proposals out there, I
have an idea too, that don't use secret-based indexing. However, those
are, including mine, not sequential memory hard, thus not in every
respect better than scrypt. It is a tradeoff.
And the only thing I could come up with to prevent filling the RAM
with secret is simply using encryption with a random key. It adds CPU
load which is a pure disadvantage, since the brute force
implementation can simply skip it. It is not a show stopper though,
but I doubt I can convince anybody to do that. Luckily, it is an
implementation issue, and can be added at any time to any algorithm
with full backward compatibility.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
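Added example, not part of the thread: a toy ROMix-style loop with secret-dependent indexing, run once over plain memory and once over a memory wrapper that encrypts every slot under a per-invocation random key. It illustrates the point made above: the derived key is unchanged (backward compatible), while RAM no longer holds secret-derived blocks. The names `toy_romix`, `PlainMemory` and `EncryptedMemory` are my own, and an HMAC-SHA256 keystream stands in for a real cipher.

```python
import hashlib
import hmac
import os

WORD = 32  # each memory slot holds one 32-byte hash


class PlainMemory:
    """Memory array that stores secret-derived blocks verbatim (scrypt style)."""
    def __init__(self, n):
        self.cells = [b"\x00" * WORD] * n
    def write(self, i, block):
        self.cells[i] = block
    def read(self, i):
        return self.cells[i]


class EncryptedMemory(PlainMemory):
    """Same interface, but each slot is XORed with a per-slot keystream derived
    from a fresh random key, so the cache lines never hold secret-derived data."""
    def __init__(self, n):
        super().__init__(n)
        self.key = os.urandom(32)  # lives only for this one KDF invocation
    def _pad(self, i):  # constructed keystream: HMAC(key, slot index)
        return hmac.new(self.key, i.to_bytes(8, "big"), hashlib.sha256).digest()
    def write(self, i, block):
        super().write(i, bytes(a ^ b for a, b in zip(block, self._pad(i))))
    def read(self, i):
        return bytes(a ^ b for a, b in zip(super().read(i), self._pad(i)))


def H(data):
    return hashlib.sha256(data).digest()


def toy_romix(password, salt, n, memory):
    """Simplified ROMix: fill n slots sequentially, then read them back in a
    secret-dependent order. The access pattern still leaks through the cache;
    the memory wrapper only decides what the accessed lines contain."""
    x = H(password + salt)
    for i in range(n):
        memory.write(i, x)
        x = H(x)
    for _ in range(n):
        j = int.from_bytes(x[:8], "big") % n  # secret-dependent index
        x = H(bytes(a ^ b for a, b in zip(x, memory.read(j))))
    return x


def derive(password, salt, n=64, encrypt_memory=False):
    """Return (derived key, whether a secret-derived block sits verbatim in RAM)."""
    mem = EncryptedMemory(n) if encrypt_memory else PlainMemory(n)
    key = toy_romix(password, salt, n, mem)
    leaked = any(cell == H(password + salt) for cell in mem.cells)
    return key, leaked
```

The encrypted variant costs two extra keystream computations per slot access, which a brute-force implementation is free to omit, exactly the tradeoff described in the message.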