[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: scrypt ASICs - litecoin N, r, p settings - Re: Revisiting the SHA1 default password hash

Lorenzo M. Catucci wrote:
Just to add some context to Howard Chu's message from Sat, 25 Feb 2017,
I'd like to point out that the scrypt settings chosen for litecoin PoW,
which I think are the ones commercial mining hardware are optimized for, are
some orders of magnitude different than the ones recommended for user
authentication, and are not, in my humble opinion, a sufficient reason to
exclude the scrypt construct from consideration:

 - https://litecoin.info/Scrypt
    uses N = 1024, r = 1, p = 1
    which means using
       1024 * 1 * 1 * 128 = 128 KiBytes bytes of memory
    and doing
       2 * (1024 * 1) = 2 Ki hashing rounds

 - the traditional default values for the parameters are
   N = 16384, r = 8, p = 1 , which means using
       2^16 * 8 * 1 * 128 = 16 MiBytes of memory
   and doing
       32Ki hashing rounds

and these values can be customized (almost) at will to increase both the
computational effort and the memory footprint of the password hashing; e.g.
libsodium's crypto_pwhash_scryptsalsa208sha256 sets N = 2^20 in the
"{OPS,MEM}LIMIT_SENSITIVE" case, leading to a memory occupation of 1GiB and
an hashing rounds count of 2 * 2^20.

Requiring 1GB for a password hash will preclude using it on small devices, e.g. raspberry pi.

Even 16MB is excessive.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/