The input to the hash function is predictable. You can thus (depending on
how the hash function is constructed) precalculate some portion of the S2K
function.
For example, for SHA-1 and SHA-2, message expansion is independent of the
chaining value. So for, e.g., an 8-byte password, you only need to expand
the message schedule *once*.
See https://github.com/google/end-to-end/issues/150
On Thu, Apr 23, 2015 at 12:16 AM Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:
> On Thu, 23 Apr 2015 02:46, coruus(_at_)gmail(_dot_)com said:
> > S2K with MD hashes is a horrible KDF. It is very very much worse than
> > PBKDF2.
>
> Care to explain?
>
> Salam-Shalom,
> Werner
> --
> Thoughts are free. Exceptions are regulated by a federal law.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
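
Added example, not part of the original thread: a pure-Python SHA-1 that caches the message schedule per 64-byte block, run over the hash input of the RFC 4880 iterated and salted S2K (salt followed by passphrase, repeated), to count how many schedule expansions are really needed. The 8-octet salt is what RFC 4880 specifies; the salt value, the passwords, the octet count of 65536 and all function names are constructed for illustration, and the 9-byte case goes beyond the 8-byte case mentioned in the message.

```python
import hashlib
import struct

M = 0xFFFFFFFF
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)
SALT = bytes(range(8))  # constructed sample salt (8 octets, as in RFC 4880)

def s2k_stream(salt, password, count):
    # Iterated+salted S2K hash input: salt||password repeated, cut to `count` octets.
    unit = salt + password
    return (unit * (count // len(unit) + 1))[:max(count, len(unit))]

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M

def expand(block):
    # SHA-1 message schedule W[0..79]: a function of the 64-byte block only.
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w

def compress(h, w):  # the 80 rounds: the only part that sees the chaining value h
    a, b, c, d, e = h
    for t in range(80):
        f = b ^ c ^ d                        # rounds 20-39 and 60-79
        if t < 20:
            f = (b & c) | (~b & d)
        elif 40 <= t < 60:
            f = (b & c) | (b & d) | (c & d)
        a, b, c, d, e = (rotl(a, 5) + f + e + K[t // 20] + w[t]) & M, a, rotl(b, 30), c, d
    return tuple((x + y) & M for x, y in zip(h, (a, b, c, d, e)))

def s2k_sha1(salt, password, count):
    # Returns (digest, number of message-schedule expansions actually computed).
    data = s2k_stream(salt, password, count)
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack(">Q", 8 * len(data))
    h, cache = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0), {}
    for i in range(0, len(data), 64):
        block = data[i:i + 64]
        if block not in cache:               # repeated block: schedule already known
            cache[block] = expand(block)
        h = compress(h, cache[block])
    return struct.pack(">5I", *h), len(cache)

if __name__ == "__main__":
    for pw in (b"passw0rd", b"passw0rd!"):   # constructed 8- and 9-byte passwords
        digest, n = s2k_sha1(SALT, pw, 65536)
        print(len(pw), n, digest == hashlib.sha1(s2k_stream(SALT, pw, 65536)).digest())
```

With the 8-byte password the 16-octet salt-plus-password unit divides the 64-byte block, so all 1024 data blocks are identical and only the padding block needs a second expansion; the 9-byte password cycles through 17 distinct blocks.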