[cryptography] Javascript scrypt performance comparison

coderman coderman at gmail.com
Fri May 8 21:56:06 EDT 2015


On 5/8/15, Solar Designer <solar at openwall.com> wrote:
> ...
> The reality is: bcrypt, scrypt, and most PHC finalists use password
> dependent memory lookups, and thus are not cache-timing safe...
> In typical scenarios, this does not matter.  In some, it does.

has there been consideration of a processor instruction for hardware
implementation resistant to timing attacks? (E.g. like MONTMULT or
AES-NI for on-die acceleration of the dependent parts in constant
time?)

> BTW, a side-channel safe mode (with correspondingly worse security
> against offline attacks) might be added to yescrypt later, but given
> that much of the problem is about confusion around these issues, it's
> unclear if that would help...
>
> Personally, I intend to opt for greater offline attack resistance, at
> least for the next few years.  So that's where we'd part ways.

it would be interesting to know what a side channel safe yescrypt
looks like, even if impractical for near term.

P.S. thanks for yescrypt! 1TB Samsung 850 Pro is a fun ROM store and
totally ridiculous :P

best regards,

