On Wed, Jul 23, 2014 at 11:09 AM, David Leon Gil <[email protected]> wrote:
> Joe, Trevor: These strategies are less advantageous than they seem against
> most attackers. (The NSA possibly excepted.)
>
> In this sort of attack, you're strongly bounded by memory throughput; you
> can execute many hashes on an ASIC or FPGA in the time it takes to access
> memory. The sort of fixed condition you're considering can be checked on the
> ASIC without a memory request.
>
> (Some of djb's papers on brute-force touch on this.)
>
> A much much better way to spend the time is choosing, e.g., a larger/longer
> instance of scrypt. (Or whatever PHC selects.)
>
> Robert: If your host name and IP address change frequently, just use your
> name, or your zip code, or a short, very easy-to-remember nonce.
So I think you're assuming the verifier is willing to perform expensive scrypt calculations and use some context information as a salt, and proposing that these could enable smaller fingerprints. That would be interesting to assess if there were numbers. But do note you're changing the rules, since what Joe and I were discussing doesn't need those assumptions.

Trevor

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
