coderman at gmail.com
Fri May 8 21:56:06 EDT 2015
On 5/8/15, Solar Designer <solar at openwall.com> wrote:
> The reality is: bcrypt, scrypt, and most PHC finalists use password
> dependent memory lookups, and thus are not cache-timing safe...
> In typical scenarios, this does not matter. In some, it does.
Has there been consideration of a processor instruction for hardware
implementation resistant to timing attacks? (E.g. like MONTMULT or
AES-NI for on-die acceleration of the dependent parts in constant
> BTW, a side-channel safe mode (with correspondingly worse security
> against offline attacks) might be added to yescrypt later, but given
> that much of the problem is about confusion around these issues, it's
> unclear if that would help...
> Personally, I intend to opt for greater offline attack resistance, at
> least for the next few years. So that's where we'd part ways.
It would be interesting to know what a side channel safe yescrypt
looks like, even if impractical for near term.
P.S. thanks for yescrypt! 1TB Samsung 850 Pro a fun ROM store and
totally ridiculous :P
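To make concrete what "password dependent memory lookups" means in the quoted exchange, here is a constructed toy memory-hard loop in two addressing modes. It is added illustration only, not code from this thread, from yescrypt, scrypt or any PHC entry. The names `toy_kdf`, `trace_reveals_password`, the block count and round count are all invented for the example; the sequence of memory indices it records stands in for what a cache-timing observer could learn about which blocks were touched.

```python
"""Toy memory-hard KDF in two addressing modes (constructed example).

dependent=True : the next index comes from the secret running state, as in the
                 second loop of scrypt's ROMix, so the access pattern is a
                 function of the password.
dependent=False: the next index comes from public data only (salt and round
                 counter), so the access pattern is identical for every
                 password under a given salt.
Not yescrypt, scrypt or PHC code; SHA-256 stands in for the real mixing.
"""
import hashlib

N_BLOCKS = 64   # size of the memory array V (tiny; real KDFs use MiB..GiB)
ROUNDS = 128    # number of memory lookups in the mixing loop


def _h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the parts (stand-in hash)."""
    return hashlib.sha256(b"".join(parts)).digest()


def toy_kdf(password: bytes, salt: bytes, dependent: bool):
    """Return (derived_key, index_trace) for the chosen addressing mode."""
    # Fill phase: V[0] = H(password || salt), V[i] = H(V[i-1]).
    v = [_h(password, salt)]
    for _ in range(1, N_BLOCKS):
        v.append(_h(v[-1]))

    x = _h(v[-1])          # secret running state
    trace = []             # indices touched, in order (the side-channel view)
    for r in range(ROUNDS):
        if dependent:
            # Index derived from secret state: leaks through cache timing.
            j = int.from_bytes(x[:4], "little") % N_BLOCKS
        else:
            # Index derived from salt and round counter only: password-independent.
            j = int.from_bytes(_h(salt, r.to_bytes(4, "little"))[:4], "little") % N_BLOCKS
        trace.append(j)
        x = _h(x, v[j])    # mix the fetched block into the running state
    return x, trace


def trace_reveals_password(pw_a: bytes, pw_b: bytes, salt: bytes, dependent: bool) -> bool:
    """True if two different passwords produce different memory access traces,
    i.e. if an observer of the access pattern alone can tell them apart."""
    _, trace_a = toy_kdf(pw_a, salt, dependent)
    _, trace_b = toy_kdf(pw_b, salt, dependent)
    return trace_a != trace_b


if __name__ == "__main__":
    salt = b"constructed-salt"
    for mode in (True, False):
        leaks = trace_reveals_password(b"hunter2", b"correct horse", salt, mode)
        print(f"dependent={mode}: access trace differs between passwords: {leaks}")
```

Running it shows the dependent mode's trace changing with the password while the independent mode's trace does not, even though both modes still yield different keys for different passwords. The flip side is visible in the code as well: in the independent mode the entire access schedule is computable from the salt alone, before any password guess is made, which is the kind of offline-attack trade-off the quoted message refers to when it mentions a side-channel safe mode with correspondingly worse security against offline attacks.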