On 5/8/15, Solar Designer <[email protected]> wrote:
> ...
> The reality is: bcrypt, scrypt, and most PHC finalists use password
> dependent memory lookups, and thus are not cache-timing safe...
> In typical scenarios, this does not matter. In some, it does.

Has there been consideration of a processor instruction for hardware implementation resistant to timing attacks? (E.g. like MONTMULT or AES-NI for on-die acceleration of the dependent parts in constant time?)

> BTW, a side-channel safe mode (with correspondingly worse security
> against offline attacks) might be added to yescrypt later, but given
> that much of the problem is about confusion around these issues, it's
> unclear if that would help...
>
> Personally, I intend to opt for greater offline attack resistance, at
> least for the next few years. So that's where we'd part ways.

It would be interesting to know what a side channel safe yescrypt looks like, even if impractical for the near term.

P.S. Thanks for yescrypt! 1TB Samsung 850 Pro is a fun ROM store and totally ridiculous :P

Best regards,

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
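To make the quoted point concrete, here is an added toy illustration (not code from the thread, from scrypt or from yescrypt): a miniature ROMix-style mixing loop whose block index is either derived from the running state, as in scrypt (so the memory access pattern leaks which password was hashed), or derived only from the public salt and loop counter, which is the shape a side-channel-safe mode takes. The function names, `N`, and the use of BLAKE2b as the mixing primitive are assumptions of this sketch.

```python
import hashlib

N = 32  # toy number of memory blocks; real scrypt/yescrypt use 2^14 and up


def H(*parts: bytes) -> bytes:
    """Toy mixing primitive standing in for BlockMix/Salsa20 in scrypt."""
    return hashlib.blake2b(b"".join(parts), digest_size=16).digest()


def toy_romix(password: bytes, salt: bytes, data_dependent: bool):
    """Fill N blocks from the password, then mix with N memory lookups.

    Returns (digest, trace) where trace is the sequence of block indices
    read in the mixing loop, i.e. what a cache-timing observer can see.
    """
    X = H(password, salt)
    V = []
    for _ in range(N):
        V.append(X)
        X = H(X)
    trace = []
    for i in range(N):
        if data_dependent:
            # scrypt-style: index comes from the running state, hence the password
            j = int.from_bytes(X[:4], "little") % N
        else:
            # data-independent: index comes only from public salt + counter
            j = int.from_bytes(H(salt, i.to_bytes(4, "little"))[:4], "little") % N
        trace.append(j)
        X = H(bytes(a ^ b for a, b in zip(X, V[j])))
    return X, trace


def traces_differ(pw1: bytes, pw2: bytes, salt: bytes, data_dependent: bool) -> bool:
    """True if two passwords produce different memory access patterns."""
    return toy_romix(pw1, salt, data_dependent)[1] != toy_romix(pw2, salt, data_dependent)[1]


if __name__ == "__main__":
    salt = b"constructed-salt"
    for mode in (True, False):
        label = "password-dependent" if mode else "data-independent"
        print(label, "access pattern differs between passwords:",
              traces_differ(b"correct horse", b"battery staple", salt, mode))
```

The digests differ between passwords in both modes; only the data-independent mode keeps the access trace identical, which is the trade Solar Designer refers to as "correspondingly worse security against offline attacks" (an attacker can precompute the pattern too).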
