[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150417224037.GA28900@openwall.com>
Date: Sat, 18 Apr 2015 01:40:37 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] "Attack on the iterative compression function"
Dmitry,
On Fri, Apr 17, 2015 at 10:16:05PM +0300, Solar Designer wrote:
> I think it would help this community if you try applying your attack to
> scrypt proper. Initially for storage of just the last sub-blocks (in
> addition to some full blocks), and then (after publishing your initial
> results) also for storage of arbitrary sub-blocks. Try to identify
> which ones and how many are optimal to store. Perhaps the "how many"
> will vary depending on the higher-level TMTO factor that you apply, so
> perhaps the SMix-level and BlockMix-level TMTO factors would need to be
> optimized together.
>
> The scrypt paper is very careful when it talks about a "constant factor"
> without specifying any upper bound on it, so it won't exactly be a break
> of scrypt if you show that this constant factor is higher than is
> possible with an SMix-level attack alone. But it will be a significant
> new result.
Actually, if you show that the reduction of memory-time product for
scrypt is a function of r and has no constant upper bound, then this may
be a (theoretical) break of scrypt. You could start by considering
extreme cases such as N=2 and high r, then N=4 and high r, and then
generalize this to any N and r, and see what happens for sane r.
I expect that scrypt at high r might in fact be broken in this sense.
Alexander
Powered by blists - more mailing lists