[cryptography] Current state of brute-forcing random keys?
solar at openwall.com
Fri Jun 10 21:22:55 EDT 2011

I agree with your comments on the different kinds of estimates, and on

On Fri, Jun 10, 2011 at 12:53:26AM -0500, Marsh Ray wrote:
> On 06/09/2011 08:08 PM, Solar Designer wrote:
> >(I never had an HP RPN calculator, but I still have two different
> >Soviet-made programmable RPN calculators in working order.
>
> Cool. Out of curiosity, did they also call it "Reverse Polish Notation",
> or did they have another name for it?

In the original manuals I have, it's neither. They mention "stack
memory" and explain how to use the calculators. However, other texts in
Russian do refer to "reverse Polish notation" or "postfix notation".

> >In the scrypt design, there was no attempt to make something too large
> >to fit, but rather simply to consume more die area and increase cost.
>
> That's certainly valuable, but I think the biggest design payoff comes
> if you can force even the most advanced attacker to move data off and on
> the chip. Anything smaller than that amounts to giving large-die
> attackers a huge advantage over the typical defender.

Yes, perhaps, assuming that as a defender you do have to move data off
and on the chip already (if not, then you're not making much use of RAM).

> Of course, as Nico pointed out such a thing will not be usable
> everywhere. But not everything has to run on a cell phone, right?

FWIW, when I ran the scrypt 1.1.6 program with default settings on a
Pentium 3 at 1 GHz, it decided to use 32 MB of RAM (based on its CPU
benchmark). I guess it'd be similar on current cell phones.