SRP verifier strength
Tom Wu
tom at arcot.com
Wed Apr 4 14:59:14 EST 2001
Tom,
Great work on filling in those tables. Have you investigated the impact
of using g=2 versus other values (like g being the same size as the
modulus)? Are the current numbers with g=2? Would there be any way to
test with different math library implementations?
Tom
Tom Holroyd wrote:
>
> On Tue, 3 Apr 2001, Tom Holroyd wrote:
>
> > Measurement of SRP verifier strength against an offline dictionary attack.
> >
> > +------+----------+------+
> > | bits | avg_wps  | n    |
> > +------+----------+------+
> > |  512 | 2123.036 |   40 |
> > |  640 | 1588.509 |   40 |
> > |  768 | 1381.072 |   80 |
> > | 1024 | 1015.222 |   80 |
> > | 1026 |  947.602 | 1680 |
> > | 1280 |  742.186 |   40 | md5crypt level
> > | 1536 |  576.117 |   40 |
> > | 2048 |  368.924 |   40 |
> > | 2049 |  357.929 | 1040 |
> > +------+----------+------+
>
> Another datapoint (measured the same way as before):
>
> +------+----------+------+
> | 4096 |  111.387 |   10 |
> +------+----------+------+
> ~90 blowfish level
>
> > For these rates, doubling the size of the prime increases the time to do
> > the dictionary search by an average factor of approximately 2.5.
>
> It's apparent that this isn't exactly a power law, but the regression line
> now stands at about 2.6 (closer to 3 for just the large primes), and SRP
> with a 4096 bit prime is getting close to the level of OpenBSD Blowfish
> hashes. It's not slow enough to be noticeable on this machine, either,
> when used for authentication. You still shouldn't set your passphrase to
> "green" though. :-)
>
> Dr. Tom Holroyd
> chmod 000 /
--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."
More information about the openssh-unix-dev
mailing list
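
The scaling figures quoted in the thread can be rechecked from the posted tables. The following is an added example, not code from either poster: it fits a straight line to log2(avg_wps) against log2(bits) and reports the slowdown per doubling of the prime. The unweighted least-squares fit, the 1024-bit cutoff for "large primes" and all function names are assumptions; the thread does not say how its regression was computed.

```python
import math

# (modulus bits, avg_wps) copied from the two tables in the quoted message.
# The sample-count column n is ignored (unweighted fit, an assumption).
MEASURED = [
    (512, 2123.036), (640, 1588.509), (768, 1381.072), (1024, 1015.222),
    (1026, 947.602), (1280, 742.186), (1536, 576.117), (2048, 368.924),
    (2049, 357.929), (4096, 111.387),
]


def fit_power_law(points):
    """Least-squares fit of log2(wps) = a + k * log2(bits); returns (a, k)."""
    xs = [math.log2(bits) for bits, _ in points]
    ys = [math.log2(wps) for _, wps in points]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    k = sxy / sxx
    return my - k * mx, k


def slowdown_per_doubling(points):
    """Factor by which time per guess grows when the prime size doubles."""
    _, k = fit_power_law(points)
    return 2.0 ** (-k)


def predicted_wps(points, bits):
    """Guess rate the fitted line gives for a modulus of the given size."""
    a, k = fit_power_law(points)
    return 2.0 ** (a + k * math.log2(bits))


def bits_for_rate(points, target_wps):
    """Modulus size at which the fitted line drops to target_wps."""
    a, k = fit_power_law(points)
    return 2.0 ** ((math.log2(target_wps) - a) / k)


if __name__ == "__main__":
    first_table = [p for p in MEASURED if p[0] < 4096]
    large = [p for p in MEASURED if p[0] >= 1024]  # assumed "large" cutoff
    print("first table only :", round(slowdown_per_doubling(first_table), 2))
    print("with 4096 point  :", round(slowdown_per_doubling(MEASURED), 2))
    print("primes >= 1024   :", round(slowdown_per_doubling(large), 2))
    print("fit at 4096 bits :", round(predicted_wps(MEASURED, 4096), 1), "wps")
    print("bits for ~90 wps :", round(bits_for_rate(MEASURED, 90)))
```

The fitted line predicts a higher rate at 4096 bits than the 111.387 measured there, which is the same departure from a pure power law that the quoted message points out.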