Re: [Cfrg] Memory-efficient evaluation of data-independent memory-hard functions

Bill Cox <waywardgeek@gmail.com> Fri, 12 February 2016 17:36 UTC

Date: Fri, 12 Feb 2016 09:36:40 -0800
Message-ID: <CAOLP8p4X4Xhm1Nix0DC7bfrjmmAK1YfYM7tZb=8tcY0P2GQE3A@mail.gmail.com>
From: Bill Cox <waywardgeek@gmail.com>
To: Paul Grubbs <pag225@cornell.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/12kyOLoZ494nZtUmJvAVE7K8RaU>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Memory-efficient evaluation of data-independent memory-hard functions

This is really excellent work.  We're still waiting, I think, for an update
to Argon2i to fix a significant TMTO issue, but Argon2d with one-pass will
withstand the test of time, IMO.  For near-term use, if I were using Argon2
(I prefer Yescrypt in most cases), I would stick to Argon2id, which offers
some protection against certain cache-timing attacks, but still leaks
meta-data such as whether or not the user who is authenticating has been
seen before.  It also is possible for an attacker to guess the password
(with very much required computation*memory due to the data-independent
part) without having access to the password hash, but instead just the salt
and username.  AFAIK, Argon2id has the same memory*time defense as Argon2d,
so it seems like a no-brainer to use Argon2id rather than Argon2d, IMO.  If
the CFRG were to promote one single version of Argon2, I feel it should be
Argon2id, given the continued attacks against iMHFs.

In an attempt to use Argon2id in an actual application, I found that the
low-memory hashing I was doing (it fit into L3 cache) was too slow.
Argon2id seems fine for larger memory sizes.  Scrypt (and Yescrypt) can
easily be modified to do less computation per memory block with no known
loss of security, which makes them both more suitable for low-memory
applications.

Bill