[cryptography] Javascript scrypt performance comparison

Krisztián Pintér pinterkr at gmail.com
Sat May 9 07:46:20 EDT 2015

coderman (at Saturday, May 9, 2015, 12:49:22 PM):
>> ... use pseudorandom indexing to access the data, also based on the
>> password ... it is essential to the algorithm, and can not be
>> written in a side channel safe way.

> even paired with a separate pseudo-random sequence?
> both executed in tandem, one just noise. (unused)
> maybe it takes more than one stochastic cover...

if i understand correctly, you want to do a dummy memory access that
does not do anything, one per one actual memory access. this is
something, but not perfect. it is very similar to adding random
latency, or random number of bytes to thwart timing or leaking length.
statistics can be used to undo the random effect. in case of high cost
kdfs, you don't even need repeated measurements, because one single
hashing is so long and involves so many operations, you can probably
do the analysis on the results of a single run.

you can of course increase the number of dummy reads, but it comes
with a severe degradation of performance, which was pretty much the
sole reason for using secret based memory access pattern in the first

there is another option, using a random permutation on the memory
addresses. a permutation destroys all information except equality
(accessing the same address twice). however, you need to apply the
same permutation to the initial writing phase, which leaks information
about the permutation itself. again, it provides some protection, but
not all, and comes with some extra cost.

ideally, we don't want implementors to face such decisions. every time
someone faces a security vs cost decision, there is a chance that he
will choose less security, especially if it is not marketable. it is a
good policy to design and choose crypto primitives that are safe in
their naive implementation. you don't have to work, or work too much
to make them safe. i would go so far to say, even ARX design is
something to avoid if possible, because side-channel safe addition can
be a problem on some platforms.

More information about the cryptography mailing list