[messaging] Bounding hash 2d preimage bits (was Re:...Test Data)

Trevor Perrin trevp at trevp.net
Thu Jul 24 00:12:38 PDT 2014


On Wed, Jul 23, 2014 at 11:09 AM, David Leon Gil <coruus at gmail.com> wrote:
> Joe, Trevor: These strategies are less advantageous than it seems against
> most attackers. (The NSA possibly excepted.)
>
> In this sort of attack, you're strongly bounded by memory throughput; you
> can execute many hashes on an ASIC or FPGA in the time it takes to access
> memory. The sort of fixed condition you're considering can be checked on the
> ASIC without a memory request.
>
> (Some of djb's papers on brute-force touch on this.)
>
> A much much better way to spend the time is choosing, e.g., a larger/longer
> instance of scrypt. (Or whatever PHC selects.)
>
> Robert: If your host name and IP address change frequently, just use your
> name, or your zip code, or a short, very easy-to-remember nonce.


So I think you're assuming the verifier is willing to perform
expensive scrypt calculations, and use some context information as a
salt, and proposing these could enable smaller fingerprints.

That would be interesting to assess if there were numbers.

But do note you're changing the rules, since what Joe and I were
discussing doesn't need those assumptions.

Trevor
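Added example, not code from either participant in this thread: a small Python sketch of the two fingerprint-hardening strategies being contrasted. The "fixed condition" variant (the one David says an ASIC can check without touching memory) searches a counter until SHA-256(pubkey || counter) has a required zero-bit prefix, so the displayed fingerprint can drop those implied bits; the verifier recomputes one hash and checks the condition. The scrypt variant salts a memory-hard derivation with context the verifier already knows. The sample key bytes, the context string, the 8-byte fingerprint length and the scrypt parameters (n=2^14, r=8, p=1) are all assumptions chosen for illustration.

```python
import hashlib
import struct

# Constructed sample public-key bytes (placeholder, not a real key).
SAMPLE_PUBKEY = bytes(range(32))
# Constructed context string standing in for a host name, zip code or short nonce.
SAMPLE_CONTEXT = b"example-context-salt"


def leading_zero_bits(digest: bytes) -> int:
    """Return the number of leading zero bits in a byte string."""
    zeros = 0
    for byte in digest:
        if byte == 0:
            zeros += 8
            continue
        zeros += 8 - byte.bit_length()
        break
    return zeros


def fixed_condition_fingerprint(pubkey: bytes, zero_bits: int, fp_bytes: int = 8):
    """Key-owner side of the fixed-condition strategy: find a counter so that
    SHA-256(pubkey || counter) starts with at least `zero_bits` zero bits.
    Whole bytes fixed to zero are omitted from the displayed fingerprint because
    the rule implies them. Returns (counter, fingerprint_bytes)."""
    counter = 0
    while True:
        digest = hashlib.sha256(pubkey + struct.pack(">Q", counter)).digest()
        if leading_zero_bits(digest) >= zero_bits:
            start = zero_bits // 8  # skip only the bytes that are entirely zero
            return counter, digest[start:start + fp_bytes]
        counter += 1


def verify_fixed_condition(pubkey: bytes, counter: int, zero_bits: int,
                           fingerprint: bytes, fp_bytes: int = 8) -> bool:
    """Verifier side: one hash, one prefix test, one comparison. The prefix test
    needs nothing beyond the digest itself, which is why the condition does not
    slow down a memory-starved ASIC/FPGA search."""
    digest = hashlib.sha256(pubkey + struct.pack(">Q", counter)).digest()
    if leading_zero_bits(digest) < zero_bits:
        return False
    start = zero_bits // 8
    return digest[start:start + fp_bytes] == fingerprint


def scrypt_fingerprint(pubkey: bytes, context: bytes, n: int = 2 ** 14,
                       r: int = 8, p: int = 1, fp_bytes: int = 8) -> bytes:
    """Memory-hard alternative: derive the fingerprint with scrypt, salted with
    context information the verifier already knows. Parameters are assumed."""
    return hashlib.scrypt(pubkey, salt=context, n=n, r=r, p=p, dklen=fp_bytes)


if __name__ == "__main__":
    counter, fp = fixed_condition_fingerprint(SAMPLE_PUBKEY, zero_bits=8)
    print("fixed-condition counter:", counter, "fingerprint:", fp.hex())
    print("verifies:", verify_fixed_condition(SAMPLE_PUBKEY, counter, 8, fp))
    print("scrypt fingerprint:", scrypt_fingerprint(SAMPLE_PUBKEY, SAMPLE_CONTEXT).hex())
```

Each added zero bit in the fixed condition doubles the key owner's one-time search and the attacker's per-candidate cost by the same factor, but only in hash invocations; the scrypt variant instead raises the per-candidate memory footprint, which is the axis David argues actually bounds hardware attackers.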

