[4346] in cryptography@c2.net mail archive

Re: Strengthening the Passphrase Model

daemon@ATHENA.MIT.EDU (Ian Goldberg)
Thu Mar 18 14:13:25 1999

To: cryptography@c2.net
From: iang@cs.berkeley.edu (Ian Goldberg)
Date: 18 Mar 1999 01:03:57 GMT

In article <v03130300b2e74ce2cecc@[24.128.119.92]>,
Arnold G. Reinhold <reinhold@world.std.com> wrote:
>>I wrote:
>>>2. PGP should burn computer time hashing the passphrase. While you cannot
>>>increase the entropy of a passphrase with an algorithm, you can make
>>>exhaustive search far more difficult.
>
>At 7:47 AM +0000 2/10/99, Antonomasia wrote:
>>
>>From memory, Rivest and Wagner have a paper on crypto time locks where
>>repeated squaring is reckoned to be incapable of much parallel computing.
>>I think I got it from Rivest's web site in mid-1997.
>>
>
>The paper is "Time-lock puzzles and timed-release Crypto," by Ronald L.
>Rivest, Adi Shamir, and David A. Wagner and is available at
>http://theory.lcs.mit.edu/~rivest/publications.html.  It presents a clever
>idea that lets you quickly create a problem which takes a long, but roughly
>calibrated time to solve and has little opportunity for speed up by
>parallelism.
>
>However, I don't see how it applies here.  Finding a passphrase by
>exhaustive search is an inherently parallel problem.

Indeed; the more appropriate paper to read is "Secure Applications of
Low-Entropy Keys." John Kelsey, Bruce Schneier, and David Wagner. 1997
Information Security Workshop.

http://www.cs.berkeley.edu/~daw/papers/keystretch.ps

   - Ian
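As an added illustration that is not part of the original message, of PGP, or of the cited paper: the key-stretching idea Ian points to, iterating a hash over salt and passphrase so that every guess costs the attacker t hash evaluations (about log2(t) extra bits of work), while exhaustive search itself stays trivially parallel across candidates, exactly as Reinhold observes. The chaining construction, iteration counts, salt and sample passphrases below are constructed for the example.

```python
import hashlib
import hmac
import math

def stretch_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Chain SHA-256 `iterations` times over salt||passphrase.

    Each step consumes the previous digest, so one derivation is strictly
    sequential: a single guess cannot be spread across many cores.
    (Hypothetical construction for illustration, not the paper's exact scheme.)
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    state = hashlib.sha256(salt + passphrase).digest()
    for _ in range(iterations - 1):
        state = hashlib.sha256(state + salt + passphrase).digest()
    return state

def added_bits(iterations: int) -> float:
    """Work factor in bits: t iterations make every guess t times costlier,
    roughly equivalent to log2(t) extra bits of passphrase entropy."""
    return math.log2(iterations)

def effective_bits(passphrase_bits: float, iterations: int) -> float:
    """Estimated passphrase entropy plus the stretching work factor."""
    return passphrase_bits + added_bits(iterations)

def verify(passphrase: bytes, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Constant-time comparison of a freshly derived key against a stored one."""
    return hmac.compare_digest(stretch_key(passphrase, salt, iterations), expected)

def exhaustive_search(candidates, salt: bytes, iterations: int, target: bytes):
    """Model the attacker's cost: try each candidate passphrase in turn.

    Candidates are independent of one another, which is why the search is
    'inherently parallel'; stretching only raises the cost per candidate.
    Returns (matching candidate or None, total hash evaluations spent).
    """
    work = 0
    for cand in candidates:
        work += iterations
        if hmac.compare_digest(stretch_key(cand, salt, iterations), target):
            return cand, work
    return None, work

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample value, not a real PGP salt
    stored = stretch_key(b"correct horse", salt, 1 << 12)
    print("40-bit passphrase + 2^12 iterations ~", effective_bits(40, 1 << 12), "bits")
    print(exhaustive_search([b"password", b"letmein", b"correct horse"], salt, 1 << 12, stored))
```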
