[cryptography] Current state of brute-forcing random keys?

Solar Designer solar at openwall.com
Fri Jun 10 21:22:55 EDT 2011


I agree with your comments on the different kinds of estimates, and on
their (in)accuracy.

On Fri, Jun 10, 2011 at 12:53:26AM -0500, Marsh Ray wrote:
> On 06/09/2011 08:08 PM, Solar Designer wrote:
> >(I never had an HP RPN calculator, but I still have two different
> >Soviet-made programmable RPN calculators in working order.
> Cool. Out of curiosity, did they also call it "Reverse Polish Notation", 
> or did they have another name for it?

In the original manuals I have, it's neither.  They mention "stack
memory" and explain how to use the calculators.  However, other texts in
Russian do refer to "reverse Polish notation" or "postfix notation".

> >In the scrypt design, there was no attempt to make something too large
> >to fit, but rather simply to consume more die area and increase cost.
> That's certainly valuable, but I think the biggest design payoff comes 
> if you can force even the most advanced attacker to move data off and on 
> the chip. Anything smaller than that amounts to giving large-die 
> attackers a huge advantage over the typical defender.

Yes, perhaps, assuming that as a defender you do have to move data off
and on the chip already (if not, then you're not making much use of RAM).

> Of course, as Nico pointed out such a thing will not be usable 
> everywhere. But not everything has to run on a cell phone, right?

FWIW, when I ran the scrypt 1.1.6 program with default settings on a
Pentium 3 at 1 GHz, it decided to use 32 MB of RAM (based on its CPU
benchmark).  I guess it'd be similar on current cell phones.


More information about the cryptography mailing list