[messaging] Bounding hash 2d preimage bits (was Re:...Test Data)

Trevor Perrin trevp at trevp.net
Thu Jul 24 00:12:38 PDT 2014

On Wed, Jul 23, 2014 at 11:09 AM, David Leon Gil <coruus at gmail.com> wrote:
> Joe, Trevor: These strategies are less advantageous than it seems against
> most attackers. (The NSA possibly excepted.)
> In this sort of attack, you're strongly bounded by memory throughput; you
> can execute many hashes on an ASIC or FPGA in the time it takes to access
> memory. The sort of fixed condition you're considering can be checked on the
> ASIC without a memory request.
> (Some of djb's papers on brute-force touch on this.)
> A much much better way to spend the time is choosing, e.g., a larger/longer
> instance of scrypt. (Or whatever PHC selects.)
> Robert: If your host name and IP address change frequently, just use your
> name, or your zip code, or a short, very easy-to-remember nonce.

So I think you're assuming the verifier is willing to perform
expensive scrypt calculations, and use some context information as a
salt, and proposing these could enable smaller fingerprints.

That would be interesting to assess if there were numbers.

But do note you're changing the rules, since what Joe and I were
discussing doesn't need those assumptions.


More information about the Messaging mailing list