Re: [Cfrg] scrypt password-based key derivation function

Håkon Hitland <haakon@likedan.net> Thu, 31 December 2015 21:59 UTC

To: cfrg@irtf.org
From: Håkon Hitland <haakon@likedan.net>
Message-ID: <5685A51E.5040204@likedan.net>
Date: Thu, 31 Dec 2015 22:58:54 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/NR_PG9_Wz5buck8wHbiRS4JC6k0>
Subject: Re: [Cfrg] scrypt password-based key derivation function

> Hiya,
>
> Just a heads-up that this is currently up for IESG approval
> on the January 7th telechat. If someone had a chance to take
> a peek in the meantime that'd be great as there were a few
> changes and clarifications done but hopefully nothing bad:-)
>
> Thanks,
> S.
>
> On 24/09/12 10:55, Simon Josefsson wrote:
>> All,
>>
>> Colin and I have published a draft describing Colin's scrypt key
>> derivation function. We would appreciate review of the document:
>>
>> http://tools.ietf.org/html/draft-josefsson-scrypt-kdf
>>
>> The input we are seeking here is primarily review of the cryptographic
>> aspects and correctness of the algorithm description, although all
>> comments and suggestions are appreciated.
>>
>> Thanks in advance,
>> /Simon

Hi,

Would it be relevant to mention side-channel attacks in the security 
considerations section?

As I understand it, scrypt could disclose information through cache 
timing or memory access patterns if the attacker has sufficient access, 
compared to e.g. Catena and Argon2i which avoid data-dependent memory 
access.

Regards,
Håkon Hitland
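To make the side-channel point above concrete, here is an added example that is not part of this thread or of the draft: a toy Python model of scrypt's ROMix loop that records which V[j] entries are read, beside a variant whose index schedule uses only public values. It assumes SHA-256 as a stand-in for BlockMix and a simplified public index schedule that is not Argon2i's or Catena's exact construction; only the indexing logic is meant to be faithful.

```python
import hashlib

# Constructed example: a toy scrypt-style ROMix used only to show WHICH
# memory locations are read, not to derive real keys. BlockMix is replaced
# by SHA-256 (assumption) so the script runs with the standard library alone.

def blockmix(block: bytes) -> bytes:
    return hashlib.sha256(block).digest()

def integerify(block: bytes, n: int) -> int:
    # Mirrors scrypt's Integerify: a little-endian integer from the block, mod N.
    return int.from_bytes(block[:8], "little") % n

def romix(block: bytes, n: int, salt: bytes, data_independent: bool):
    """Return (output, trace), where trace lists the V[j] indices read.

    data_independent=False: j comes from X (password-derived), as in scrypt.
    data_independent=True : j comes only from public values (salt, counter),
    a simplified stand-in for the Argon2i/Catena approach (assumption: not
    either algorithm's exact index schedule).
    """
    v = []
    x = block
    for _ in range(n):
        v.append(x)
        x = blockmix(x)
    trace = []
    for i in range(n):
        if data_independent:
            j = integerify(hashlib.sha256(salt + i.to_bytes(4, "little")).digest(), n)
        else:
            j = integerify(x, n)          # secret-dependent: X derives from the password
        trace.append(j)
        x = blockmix(bytes(p ^ q for p, q in zip(x, v[j])))
    return x, trace

def access_traces(password: bytes, salt: bytes, n: int = 16):
    """Run both variants for one password; return (scrypt_trace, di_trace)."""
    block = hashlib.sha256(salt + password).digest()   # stand-in for the PBKDF2 step
    _, scrypt_trace = romix(block, n, salt, data_independent=False)
    _, di_trace = romix(block, n, salt, data_independent=True)
    return scrypt_trace, di_trace

if __name__ == "__main__":
    salt = b"constructed-salt"
    a = access_traces(b"correct horse", salt)
    b = access_traces(b"battery staple", salt)
    print("scrypt-style traces equal:", a[0] == b[0])      # False: trace depends on the password
    print("data-independent traces equal:", a[1] == b[1])  # True: trace is public
```

An observer who can see the cache lines or memory addresses touched during the second loop learns a password-dependent sequence in the first case and nothing password-dependent in the second.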