-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 04/23/2015 05:18 PM, Earle Lowe wrote:
The maximum work factor for RFC4800 S2K is lower than the maximum
for (eg) PBKDF2
Yes, although it is possible to match ones commonly used now (1k-3k)
and have a reasonable margin for raising the value (hitting around
100k is not a problem, which keeps the now-dying Moore law at bay for
another 10 yrs at worst).
As the maximum for RFC4800 is specified in bytes, the iteration
count (number of hash invocations) goes down as the size of the
hash increases.
The max iteration count for SHA1 ~= 2^22; SHA256 ~= 2^21; SHA512
~= 2^20, etc, etc
(65011712 / sizeof hash)
So in this case, you can have a much higher work factor for the
other algorithms.
Looking at section 3.7.1.3, the formula for the work count is defined as:
#define EXPBIAS 6
count = ((Int32)16 + (c & 15)) << ((c >> 4) + EXPBIAS);
where c is the octet-sized value stored. I could not find the
dependence of the work factor from the hash size: could you possibly
point me to it?
Although I'm not sure it really matters that much when
off-the-shelf and cheap GPUs can do billions of these a second.
With respect to this, picking a memory hard KDF such as scrypt
nullifies the benefits of massively parallel hardware, as there's no
way of getting both fast and large memories for [G|C]PUs, and a
sizeable amount of SRAM takes up a lot of space in a dedicated ASIC
breaker.
Cheers
Alessandro
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iF4EAREIAAYFAlU5N7MACgkQE+mB79BmI3GURAD8D6g/znTgj2uZ7IwFwf7hoqiR
CP7jmeOwXvm4LHlCQ3QA/jpoVvSn+UJ0v89+RWex0HigMkqSVd3lVFe+7as7FkBG
=WJoE
-----END PGP SIGNATURE-----
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp