On 11/16/12 17:40, Solar Designer wrote:
> One curious aspect is that it includes a version with 3x interleave
> (3 instances of scrypt are computed with inter-mixed instructions for
> greater instruction-level parallelism). This confirms my gut feeling
> that Salsa20 core does not contain sufficient parallelism for some
> current CPUs.

BTW, taking advantage of CPU parallelism is useful, but not if it also
allows attackers to take advantage of more parallelism. One of the topics
I'm going to address in my passwords'12 talk is the choice of building
blocks for scrypt... I'll post my slides here once I've written them.

--
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
