What are reliable methods to estimate relative added bits of security via key stretching algorithms such as scrypt?
This is fundamentally a shaky question, because the slowdowns given by key stretching are relative and measures in "seconds" depend on hardware. There is, however, some existing literature on the subject:

"With simple iterated password hashing, a modern CPU can compute a hash function like SHA-256 at around 10 MHz [1] (10 million SHA-256 computations per second), meaning that if we slow down legitimate users by ≈ 2 ms we can add 14 bits to the effective strength of a password, and we can add 24 bits at a cost of ≈ 2 s." [0]

What is the validity of such methods of estimation when converted to memory-hard key stretching such as scrypt? Or more traditional hash-based key stretching such as bcrypt or PBKDF2?

A discussion with the goal of ascertaining the added value of key stretching methods, described in bits of security, might be worthwhile for people creating encryption software.

Nadim

[0] https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-bonneau.pdf
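The estimate in the quoted passage, generalized as an added example (not part of the original message): added bits are taken as log2 of the number of plain SHA-256 computations that fit in the time of one KDF call on the same machine. The KDF parameters, sample password and salt are assumptions, and the result reflects CPU time on the measuring machine only, not memory cost.

```python
import hashlib
import math
import time

PASSWORD = b"correct horse battery staple"  # constructed sample input
SALT = b"constructed-salt"                  # constructed sample input


def added_bits(hash_rate_hz, delay_s):
    """Bits added when one guess costs delay_s and a plain hash costs 1/hash_rate_hz."""
    return math.log2(hash_rate_hz * delay_s)


def best_time(fn, repeats=5):
    """Smallest wall-clock time of fn() over several runs, to damp scheduler noise."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        fn()
        best = min(best, time.perf_counter() - start)
    return best


def plain_hash_rate(batch=20000):
    """Measured SHA-256 calls per second here (includes interpreter overhead)."""
    def run():
        for _ in range(batch):
            hashlib.sha256(SALT + PASSWORD).digest()
    return batch / best_time(run)


def measure(kdfs):
    """Map each KDF name to (seconds per guess, added bits versus one SHA-256)."""
    rate = plain_hash_rate()
    return {name: (t, added_bits(rate, t))
            for name, t in ((n, best_time(f)) for n, f in kdfs.items())}


# Parameter choices below are assumptions made for this example.
KDFS = {
    "pbkdf2-sha256 c=2^16": lambda: hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, 1 << 16),
    "scrypt N=2^14 r=8 p=1": lambda: hashlib.scrypt(
        PASSWORD, salt=SALT, n=1 << 14, r=8, p=1, maxmem=64 * 1024 * 1024),
}

if __name__ == "__main__":
    print(f"quoted: 2 ms -> {added_bits(10e6, 2e-3):.1f} bits, 2 s -> {added_bits(10e6, 2.0):.1f} bits")
    for name, (secs, bits) in measure(KDFS).items():
        print(f"{name}: {secs * 1e3:.1f} ms per guess, about {bits:.1f} added bits")
```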
