On 09/06/11 20:35, Solar Designer wrote:
> Right. We also know that it is very GPU-friendly, so if we expect attackers with GPUs but maybe not with custom hardware (FPGA, ASIC), we could want to stay away from SHA-2 family functions and use something like Blowfish (Eksblowfish, bcrypt) in the KDF instead.
Blowfish is less friendly to brute force than SHA-2, but there are functions specifically designed to be brute-force-unfriendly. There are suggestions in http://www.schneier.com/paper-low-entropy.html about how to build a function to iterate which is unfriendly to brute forcers; see also Microsoft's "Penny Black" research, e.g.
http://research.microsoft.com/apps/pubs/default.aspx?id=54395
-- 
  __
\/ o\ Paul Crowley, p...@ciphergoth.org
/\__/ http://www.ciphergoth.org/
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
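To make the contrast in the thread concrete, here is an added illustration (not code from either poster or from the papers cited) of why "iterate SHA-2" is GPU-friendly while a memory-bound iteration is not: the iterated hash keeps only a 32-byte state per guess, whereas the second construction, a simplified ROMix-style table walk assumed here purely for illustration, forces every guess in flight to hold an n-entry table and perform data-dependent lookups into it. The salt, password and table size are constructed sample values.

```python
import hashlib
import struct


def _h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the given byte strings."""
    return hashlib.sha256(b"".join(parts)).digest()


def stretch_iterated(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Plain key stretching by iterated hashing.

    The entire working state is one 32-byte digest, so each candidate
    password needs almost no memory and maps cleanly onto a GPU lane.
    """
    x = _h(salt, password)
    for i in range(iterations):
        x = _h(x, struct.pack(">I", i))
    return x


def stretch_memory_bound(password: bytes, salt: bytes, n: int) -> bytes:
    """Simplified memory-bound stretching (illustrative construction, assumed here).

    Phase 1 fills a table of n digests derived from the password.
    Phase 2 performs n lookups whose index depends on the running state,
    so the table cannot be discarded or recomputed cheaply. An honest
    evaluation needs working_set_bytes(n) of fast memory per guess in
    flight, which is what limits massively parallel guessing.
    """
    x = _h(salt, password)
    table = []
    for _ in range(n):          # phase 1: sequential fill
        table.append(x)
        x = _h(x)
    for _ in range(n):          # phase 2: data-dependent reads
        j = struct.unpack(">I", x[:4])[0] % n
        x = _h(x, table[j])
    return x


def working_set_bytes(n: int) -> int:
    """Memory each in-flight guess must hold for stretch_memory_bound."""
    return n * hashlib.sha256().digest_size


if __name__ == "__main__":
    pw, salt = b"correct horse", b"constructed-salt"   # constructed sample input
    print(stretch_iterated(pw, salt, 10_000).hex())
    print(stretch_memory_bound(pw, salt, 4096).hex(), working_set_bytes(4096))
```

For real deployments the same idea is available as a standardised, reviewed primitive, e.g. `hashlib.scrypt` in Python 3.6+ (built on OpenSSL), rather than a hand-rolled table walk like the one above.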