On Thu, May 31, 2012 at 10:43 AM, Adam Back <a...@cypherspace.org> wrote:
> One quite generic argument I could suggest for being wary of scrypt would be
> if someone said, hey here's my new hash function, use it instead of SHA1,
> it's "better" - you would and should be very wary. A lot of public review goes
> into finding a good hash algorithm. (Yeah I know SHA1 has a chink in its
> armor now, but you get the point).
Yes, but note that one could address that with some assumptions, and with
some techniques that one would reject when making a better hash -- the
point is to be slow, so things that make a PBKDF slower are OK:

  PBKDF2' = PBKDF2(P' = to_password(memory_hard(P, S, p)) +
                        to_password(PBKDF2(P, S, p)),
                   S, p)

where P, S, and p are the password, salt and PBKDF parameters,
to_password() generates a password from a key, and + concatenates strings.

No one would build an H' from H that way. But for a PBKDF it seems
sensible (but see below).

Can PBKDF2' be weaker than PBKDF2? As long as PBKDF2 does not throw away
any entropy, and as long as knowing one portion of the password (say, if
the memory_hard function turns out to be weak) is not enough to guess the
remainder from PBKDF2's output, then I think the answer has to be "no".

Now, I'm making assumptions here. Clearly PBKDF2 can toss some entropy
out, for example, so at least one of my two assumptions is incorrect, but
is it enough to wreck the security of my PBKDF2' construction?

Nico
--
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
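The PBKDF2' construction sketched in the message above, written out as an added example (not code from the original post or from any library). It assumes scrypt as the memory_hard() function, PBKDF2-HMAC-SHA256 as PBKDF2, hex encoding as to_password(), and a constructed salt; the `memory_hard_fn` parameter is a hypothetical hook used only to show that the construction still depends on the password when the memory-hard component is replaced by a broken one.

```python
import hashlib

# Constructed sample salt; a real deployment draws a fresh random salt per password.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

# PBKDF2 parameters "p" from the message, fixed here for the example.
ITERATIONS = 10_000
DKLEN = 32


def to_password(key: bytes) -> bytes:
    """Turn a derived key into a 'password' string (hex encoding, assumed)."""
    return key.hex().encode("ascii")


def memory_hard(password: bytes, salt: bytes) -> bytes:
    """memory_hard(P, S, p): scrypt, assumed here as the memory-hard KDF."""
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1,
                          maxmem=32 * 1024 * 1024, dklen=DKLEN)


def broken_memory_hard(password: bytes, salt: bytes) -> bytes:
    """Hypothetical 'weak' memory_hard that leaks nothing about P (all zeros).

    Stands in for the case the message raises: what if memory_hard turns
    out to be weak?  Here it is as weak as possible.
    """
    return bytes(DKLEN)


def pbkdf2(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2(P, S, p) with HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, DKLEN)


def pbkdf2_prime(password: bytes, salt: bytes, iterations: int = ITERATIONS,
                 memory_hard_fn=memory_hard) -> bytes:
    """PBKDF2'(P, S, p) = PBKDF2(P', S, p) where
       P' = to_password(memory_hard(P, S, p)) + to_password(PBKDF2(P, S, p)).

    Both halves of P' are derived from P, so even if memory_hard_fn reveals
    nothing (or everything) about P, the PBKDF2(P, S, p) half still ties the
    result to the original password.
    """
    p_prime = (to_password(memory_hard_fn(password, salt))
               + to_password(pbkdf2(password, salt, iterations)))
    return pbkdf2(p_prime, salt, iterations)


if __name__ == "__main__":
    pw = b"correct horse battery staple"
    print("PBKDF2  :", pbkdf2(pw, SALT).hex())
    print("PBKDF2' :", pbkdf2_prime(pw, SALT).hex())
    print("PBKDF2' with broken memory_hard:",
          pbkdf2_prime(pw, SALT, memory_hard_fn=broken_memory_hard).hex())
```

With the broken memory_hard, PBKDF2' degrades to roughly PBKDF2 applied twice rather than to something weaker than PBKDF2, which is the behaviour the message's "can it be weaker?" question is probing; the construction is shown here to make that argument concrete, not as a recommended replacement for a reviewed password-hashing scheme.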