Thank you, that's interesting. Now, just a minor question about the influence of various variables for Scrypt.
Would halving N and doubling r reduce CPU consumption and not weaken security excessively? I'm only asking because my webhost focuses on CPU operations.

On Mon, Apr 28, 2014 at 5:47 PM, Colin Percival <[email protected]> wrote:

> On 04/28/14 17:33, Ryan Carboni wrote:
> > To my knowledge, SHA-3 uses a sponge function, allowing it to have
> > arbitrary length.
> >
> > Will there be a version of scrypt which replaces the Salsa stream cipher
> > and the use of SHA256 and replaces it with SHA-3? While I'm not sure of
> > the die area of SHA-3, it does require as much RAM to run as SHA-256
> > (https://eprint.iacr.org/2009/260.pdf), but that can be remedied by
> > standardizing multi-kibibyte long outputs and using numerous iterations.
>
> That would weaken scrypt by a constant factor. You want to maximize
>     [software bandwidth]^2 / [hardware bandwidth]
> and keccak has very high hardware bandwidth.
>
> A few more comments here:
> https://news.ycombinator.com/item?id=7482532
>
> --
> Colin Percival
> Security Officer Emeritus, FreeBSD | The power to serve
> Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
