[messaging] Reliable Security Estimates for Key Stretching

Nadim Kobeissi nadim at nadim.computer
Tue Jun 2 08:03:28 PDT 2015


What are reliable methods to estimate relative added bits of security via
key stretching algorithms such as scrypt?

This is fundamentally a shaky question, because the slowdowns given by key
stretching are relative and measures in "seconds" depend on hardware. There
is, however, some existing literature on the subject:

"With simple iterated password hashing, a modern CPU
can compute a hash function like SHA-256 at around
10 MHz [1] (10 million SHA-256 computations per second),
meaning that if we slow down legitimate users by
≈ 2 ms we can add 14 bits to the effective strength of
a password, and we can add 24 bits at a cost of ≈ 2 s." [0]

What is the validity of such methods of estimation when converted to
memory-hard key stretching such as scrypt? Or more traditional hash-based
key stretching such as bcrypt or PBKDF2?

A discussion with the goal of ascertaining the added value of key
stretching methods, described in bits of security, might be worthwhile for
people creating encryption software.

Nadim

[0] https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-bonneau.pdf
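
The time-ratio estimate from the quoted passage, reproduced and then applied to PBKDF2 and scrypt timed on the local machine (an added example, not part of the original post). The password, salt, iteration count and scrypt parameters are constructed for illustration; the result only compares one KDF call against one plain SHA-256 call on the same CPU and says nothing about an attacker's hardware or memory cost.

```python
import hashlib
import math
import time

# Constructed sample inputs and parameters (assumptions, not from the post).
PASSWORD, SALT = b"constructed sample password", b"constructed-salt"

def added_bits(hash_rate_hz, delay_s):
    """Bits added when one guess costs delay_s at hash_rate_hz hashes/second."""
    return math.log2(hash_rate_hz * delay_s)

def time_call(fn, repeat=3):
    """Best-of-N wall-clock time of fn() in seconds."""
    best = float("inf")
    for _ in range(repeat):
        start = time.perf_counter()
        fn()
        best = min(best, time.perf_counter() - start)
    return best

def measured_bits(kdf, baseline_calls=200_000):
    """log2(time of one kdf() call / time of one plain SHA-256 call), measured here."""
    def baseline():
        for _ in range(baseline_calls):
            hashlib.sha256(PASSWORD).digest()
    single_hash = time_call(baseline) / baseline_calls
    return math.log2(time_call(kdf) / single_hash)

def pbkdf2():
    return hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, 100_000)

def scrypt():
    # N=2**14, r=8 means roughly 128*N*r = 16 MiB of memory per guess.
    return hashlib.scrypt(PASSWORD, salt=SALT, n=2**14, r=8, p=1,
                          maxmem=64 * 2**20)

if __name__ == "__main__":
    # The two figures from the quoted passage: 10 MHz for 2 ms and for 2 s.
    print(f"paper, 2 ms: {added_bits(10e6, 2e-3):.1f} bits")
    print(f"paper, 2 s : {added_bits(10e6, 2.0):.1f} bits")
    # The same ratio, measured on this machine instead of assumed.
    print(f"PBKDF2-SHA256, 100000 iterations: {measured_bits(pbkdf2):.1f} bits")
    print(f"scrypt N=2^14 r=8 p=1: {measured_bits(scrypt):.1f} bits")
```
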