[messaging] Reliable Security Estimates for Key Stretching
nadim at nadim.computer
Tue Jun 2 08:03:28 PDT 2015
What are reliable methods to estimate relative added bits of security via
key stretching algorithms such as scrypt?
This is fundamentally a shaky question, because the slowdowns given by key
stretching are relative and measures in "seconds" depend on hardware. There
is, however, some existing literature on the subject:
"With simple iterated password hashing, a modern CPU can compute a hash
function like SHA-256 at around 10 MHz (10 million SHA-256 computations per
second), meaning that if we slow down legitimate users by ≈ 2 ms we can add
14 bits to the effective strength of a password, and we can add 24 bits at a
cost of ≈ 2 s."
What is the validity of such methods of estimation when converted to
memory-hard key stretching such as scrypt? Or more traditional hash-based
key stretching such as bcrypt or PBKDF2?
A discussion with the goal of ascertaining the added value of key
stretching methods, described in bits of security, might be worthwhile for
people creating encryption software.
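
The quoted estimate, reproduced and then measured locally, as an added example that is not part of the original post: `added_bits` applies bits = log2(rate × delay) to the quoted 10 MHz figure, and `measured_bits` times Python's `hashlib` PBKDF2 and scrypt against one plain SHA-256 on the machine it runs on. The function names, KDF parameters and sample password are assumptions chosen for illustration.

```python
import hashlib
import math
import os
import time

PW = b"constructed sample password"   # constructed input, not a real secret
SALT = os.urandom(16)

def added_bits(hashes_per_second, delay_seconds):
    """Bits gained when one guess costs delay_seconds instead of one hash."""
    return math.log2(hashes_per_second * delay_seconds)

def seconds_per_call(fn, min_time=0.2):
    """Average wall-clock seconds per call, sampled for at least min_time."""
    calls, start = 0, time.perf_counter()
    while True:
        fn()
        calls += 1
        elapsed = time.perf_counter() - start
        if elapsed >= min_time:
            return elapsed / calls

def pbkdf2_kdf():
    return hashlib.pbkdf2_hmac("sha256", PW, SALT, 100_000)

def scrypt_kdf():
    # Needs about 16 MiB per call (128 * N * r bytes); maxmem raised to allow it.
    return hashlib.scrypt(PW, salt=SALT, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)

def measured_bits(kdf):
    """log2(time of one KDF call / time of one plain SHA-256) on this machine.

    The baseline includes Python call overhead, so the result is lower than
    a comparison against an optimized SHA-256 implementation would give.
    It reflects CPU time only: scrypt's memory cost per guess is not in it.
    """
    base = seconds_per_call(lambda: hashlib.sha256(PW).digest())
    return math.log2(seconds_per_call(kdf) / base)

if __name__ == "__main__":
    # Figures from the quoted passage: 10 million SHA-256/s, 2 ms and 2 s.
    print(f"2 ms at 10 MHz: {added_bits(10e6, 2e-3):.1f} bits")
    print(f"2 s  at 10 MHz: {added_bits(10e6, 2.0):.1f} bits")
    for name, kdf in (("PBKDF2 100k", pbkdf2_kdf), ("scrypt 2^14", scrypt_kdf)):
        print(f"{name}: {measured_bits(kdf):.1f} bits relative to one SHA-256")
```

The measured figures change from machine to machine, which is the hardware dependence the post describes.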