On Wed, Jun 04, 2014 at 09:45:16AM -0400, Peter Todd wrote:
> Create a secret key that can be decrypted in a known amount of time
> using parallel-serial hash chains. The creator can compute the timelock
> in parallel, taking advantage of the large amount of cheap parallelism
> available today, while others are forced to compute it serially,
> constrained by the lack of scalar performance growth.
Nice.

On the PHC discussions list, we considered how to limit an attacker's speedup in computing password hashes (even if the attacker has ASICs and much faster memory, which would allow them to reduce the time factor in area*time). Two main approaches, usable on typical defenders' commodity hardware, are to use integer multiplication (with serial data dependencies on the longest-to-compute result bits) and rapid random lookups from L1 cache (also with serial dependencies). Bill Cox, who has experience with ASICs, said that these two have relatively little potential to speed up in ASICs vs. commodity CPUs. Much less than typical symmetric crypto primitives.

These two approaches are now used in two PHC submissions: Bill's TwoCats and my yescrypt. You could use them, too. That would move the incentive to speeding up those other things, though - so it might or might not meet your goals.

PHC discussions list archives are available via a link from:

https://password-hashing.net/interaction.html

For others reading this, Peter's timelock is also discussed at:

https://news.ycombinator.com/item?id=7847687
http://www.reddit.com/r/Bitcoin/comments/27adbq/timelock_timerelease_encryption_incentivised_by/

Alexander

_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography
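An added example (not code from the thread, Peter Todd, or the PHC submissions) sketching the parallel-serial hash-chain timelock quoted above: the creator computes independent chains in parallel and then publishes link values, so the solver must walk the chains one after another. The XOR linking of each chain's end to the next seed, and all function names, are my assumptions about the scheme.

```python
import hashlib
import os


def hash_chain(seed: bytes, length: int) -> bytes:
    """Serially iterate SHA-256 `length` times starting from `seed`.
    Each step depends on the previous digest, so one chain cannot be
    parallelised by anyone."""
    h = seed
    for _ in range(length):
        h = hashlib.sha256(h).digest()
    return h


def create_timelock(n_chains: int, chain_len: int, rng=os.urandom):
    """Creator side. Seeds are chosen independently, so every chain can be
    computed at the same time on separate cores (written as a plain loop
    here for clarity). Only afterwards are the chains tied together by
    publishing link[i] = seed[i+1] XOR end[i].
    Returns (public_parameters, secret_key)."""
    seeds = [rng(32) for _ in range(n_chains)]
    ends = [hash_chain(s, chain_len) for s in seeds]  # embarrassingly parallel
    links = [bytes(a ^ b for a, b in zip(seeds[i + 1], ends[i]))
             for i in range(n_chains - 1)]
    secret = hashlib.sha256(ends[-1]).digest()  # the time-locked key
    public = {"seed0": seeds[0], "links": links, "chain_len": chain_len}
    return public, secret


def solve_timelock(public: dict) -> bytes:
    """Solver side. seed[i+1] is only recoverable once end[i] is known, so
    the solver is forced through n_chains * chain_len serial hashes even
    though the creator spent only about chain_len serial steps."""
    seed = public["seed0"]
    end = hash_chain(seed, public["chain_len"])
    for link in public["links"]:
        seed = bytes(a ^ b for a, b in zip(link, end))
        end = hash_chain(seed, public["chain_len"])
    return hashlib.sha256(end).digest()
```

Replacing SHA-256 in `hash_chain` with a multiplication-heavy or L1-lookup-heavy step, as the reply suggests, is where the ASIC-resistance argument would be applied.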
