# Pastebin 0D3xw8y7
09:26 <gmaxwell> fense only gets a 2.6x speedup. 
09:26 <gmaxwell> the best scheme I have so far looks something like, take users password, hash into 6 values to be hardened. copy those 6 values, and add 4 more static values with known hardenings. Then blind all 16 values and ask the host to harden each of them (which it can do in parallel). Now its unlikely for a dishonest outsourcer to get away without being caught but an attacker who doesn't need that de 
07:53 <gmaxwell> at least in the context where where the device requesting KDF doesn't (temporarily) know the trapdoor. 
07:52 <gmaxwell> but the obvious ideas I had for that don't work. 
07:52 <gmaxwell> like I have the host run the KDF N times on N different but related data... and verify the relation still holds on the result. 
07:51 <gmaxwell> sipa: I keep feeling like there should be some simple encoding we can do to make the sequential squaring KDF verifyable.