Re: [Cfrg] Balloon-Hashing or Argon2i.
krzysztof pietrzak <krzpie@gmail.com> Sun, 14 August 2016 17:36 UTC
Return-Path: <krzpie@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B630A12D775 for <cfrg@ietfa.amsl.com>; Sun, 14 Aug 2016 10:36:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y--LcEjRD2Jk for <cfrg@ietfa.amsl.com>; Sun, 14 Aug 2016 10:36:17 -0700 (PDT)
Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9652F12D771 for <cfrg@irtf.org>; Sun, 14 Aug 2016 10:36:16 -0700 (PDT)
Received: by mail-wm0-x234.google.com with SMTP id i5so65328223wmg.0 for <cfrg@irtf.org>; Sun, 14 Aug 2016 10:36:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=FsWx+y/RlQOFPIR8/5/Uey6dkdwqYoMuXyz3fXOE4dw=; b=R6edsEZ6tnTVL3OMAJaZRdqemc6JMfYGS+fAAHM4yKNZxvkfOD4vEAVXh0CZt9jG4P kVy5kYQFXPBsmUD1QOKSpXsqDwA4yOMXwDtgbCPh+XQDG3FKYQn1mKyDU/aI1RjbaUYq amfoLKqp8JOImvSG8xijCPo5qvuqIDeuEfFaG6rK51TLoa05/oXimIUfROKrNet64HLZ 3UjIG3YYsMmWKv31/v+iuOHCdedtVWLflmf64f4ODzY7BkS9K79E0NsApIVqx6hIoxtW 9KBtiov81aghNwwZEpoU8gjq6zCsnQz6HyGe+/3W6ElOAXzERL7UHdeJETn6mN3nGl0L YTkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=FsWx+y/RlQOFPIR8/5/Uey6dkdwqYoMuXyz3fXOE4dw=; b=CdpEAyrg7IuYA62HvgiuBiv4nIhnYBbBQ6zJVseBlhv3By5rsDFfezT2OHyBcIbMia JOV5rgXljNkDcwXskG6w11XtgvLy2wcjlzA1c4y7Ts26cP1l1mEyEOmSzQLSmllccqx2 PGqmy73f8es6KQkb9vgOm78gDfDQJ51fIHH9R20SpqicFz6KuFZv9NTs6HxmFEvMQKbf RAYW+ZZF2Y8m1+TW5XFevJWaB0PXdpWECkadsyNnnpRw9WJYw7AQb9JG6mQ/a2g8lClf BKmsv+1sq+f45w0PnqkOQVygYUylWmCLV6unAi84yGkPRW9RCmvl2um6qrrsg0o0f/3S oadA==
X-Gm-Message-State: AEkoout4BXwegD2lymwLQD16sVIy5sxk2Q+5STQb55pGJUbAJQoOcmpzKmRxTT8JWmpjTfnkRf8mYfMfPdxULw==
X-Received: by 10.25.162.17 with SMTP id l17mr4136994lfe.125.1471196174544; Sun, 14 Aug 2016 10:36:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.114.10.168 with HTTP; Sun, 14 Aug 2016 10:36:13 -0700 (PDT)
From: krzysztof pietrzak <krzpie@gmail.com>
Date: Sun, 14 Aug 2016 19:36:13 +0200
Message-ID: <CAMgMiWcWts5LWsLD2bW8s1g1M0ZkRRc_PO-z2iE-iEoeTMAFRA@mail.gmail.com>
To: cfrg@irtf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/5NptQtn5kvCAGaCDcZ4NkgfmLvk>
Subject: Re: [Cfrg] Balloon-Hashing or Argon2i.
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Aug 2016 17:43:25 -0000
I'm following the discussion going on here with some astonishment. The Argon2i iMHF is asymptotically broken, and whether an asymptotic attack is practical with current parameters/hardware should only be of interest if a scheme is already widely deployed and we have to live with it, but pushing for standardisation of a mode that is known to have structural deficiencies is -- in my opinion -- just irresponsible and could hurt our field. This is not to say that the Alwen-Blocki attack [AB16] https://eprint.iacr.org/2016/115.pdf is not already practical, the arguments brought forward against the practicality of the attack have been convincingly refuted in [AB16b] https://eprint.iacr.org/2016/759.pdf . The fact that Argon2i has become a moving target changing its specification constantly doesn't look good either. Bill Cox writes "To summarize what I think should happen here: I recommend continuing with any standardization effort that would have gone forward without the published TMTO attacks that claim to save power while recomputing values many times. Intuitively, it is simply less power to store and reuse results than recomputing them, which turns out to be true in real ASIC implementations." If this was true (i.e., we only must consider adversaries who don't recompute values), then constructing secure iMHFs with optimal parallel cumulative memory complexity \Omega(n^2) would be a triviality (e.g. make 2 passes over memory updating x[i]=f(x[i],x[i-1])). The entire point of [AB16b] is showing that this intuition is also wrong for the [AB16] attacks. At this point it seems all the iMHFs submitted to the password hashing competition are broken, which maybe is not too surprising given that the call for submissions didn't even specify a formal security notion the mode has to satisfy, a property like "Speed-up or other efficiency improvement (e.g., in terms of area-time product per password tested) of cracking-optimized ASIC, FPGA, and GPU implementations (checking multiple sets of inputs in parallel) compared to CPU implementations intended for password validation should be minimal." is not something cryptographers can work with. To me the competition looked more like a beauty contest, where due to lack of a meaningful security notion the submissions were focusing on secondary properties and features, rather than on provable security guarantees their modes provide. Only in [AS15] this desirability from the call has been captured by a formal notion -- cumulative parallel memory-complexity (cpmc) -- a good MHF should (1) have cpmc close to n^2 (so it is memory hard) and (2) its sequential space-time complexity (sstc) should be close to its (cpmc), so paralellism and armortization doesn't make the evaluation much cheaper. With a formal security notion at hand, there has been a lot of progress in understanding MHFs in the last year. For data independent MHFs we now know that already the first proposed MHF -- Scrypt (or rather RoMix) -- has optimal \Omega(n^2) cpmc (assuming the underlying building block is a random function, an assumption like that is necessary as we can't prove superlinear circuit lower bounds). This result has been announced recently https://pariscryptoday.github.io/second.html#LR The situation for data independent MHFs (iMHF) is even more interesting: an iMHF has high cpmc if and only if the underlying evaluation graph is depth-robust (also this result is not published yet, it has been announced https://calendar.csail.mit.edu/events/171401 and a manuscript exists). Thanks to this connection, we understand quite well how the graph underlying a good iMHF must look like, and already have constructions with cpmc \Omega(n^2/log(n)) (which is within loglog(n) of the theoretical maximum). This construction is non-constructive (in the sense that one has to sample a graph at random, and this graph will constitute a good iMHF with overwhelming probability). We also have extremely simple and efficient explicit constructions, but the proven cpmc is a log(n) factor off the optimum (it is optimal modulo a combinatorial conjecture which we believe to hold). I guess it is in everyones interest to come up with a secure proposal for MHFs, and simply ignoring all the cryptographic knowledge we now have on how to (not) construct MHFs is just ignorant and dangerous. Krzysztof > Subject: Re: [Cfrg] Balloon-Hashing or Argon2i. > Date: Thu, 11 Aug 2016 09:20:28 -0700 > From: Bill Cox <waywardgeek@gmail.com> > To: Dmitry Khovratovich <khovratovich@gmail.com> > CC: cfrg@irtf.org <cfrg@irtf.org> > > > > To summarize what I think should happen here: I recommend continuing > with any standardization effort that would have gone forward without the > published TMTO attacks that claim to save power while recomputing values > many times. Intuitively, it is simply less power to store and reuse > results than recomputing them, which turns out to be true in real ASIC > implementations.
- Re: [Cfrg] Balloon-Hashing or Argon2i. Bill Cox
- Re: [Cfrg] Balloon-Hashing or Argon2i. Joel Alwen
- Re: [Cfrg] Balloon-Hashing or Argon2i. Bill Cox
- Re: [Cfrg] Balloon-Hashing or Argon2i. Blocki, Jeremiah Martin
- Re: [Cfrg] Balloon-Hashing or Argon2i. krzysztof pietrzak
- Re: [Cfrg] Balloon-Hashing or Argon2i. Bill Cox
- Re: [Cfrg] Balloon-Hashing or Argon2i. Stefano Tessaro
- Re: [Cfrg] Balloon-Hashing or Argon2i. Jean-Philippe Aumasson
- Re: [Cfrg] Balloon-Hashing or Argon2i. Andy Lutomirski
- Re: [Cfrg] Balloon-Hashing or Argon2i. krzysztof pietrzak
- Re: [Cfrg] Balloon-Hashing or Argon2i. Bill Cox
- Re: [Cfrg] Balloon-Hashing or Argon2i. Dmitry Khovratovich
- Re: [Cfrg] Balloon-Hashing or Argon2i. Bill Cox
- Re: [Cfrg] Balloon-Hashing or Argon2i. Dmitry Khovratovich
- Re: [Cfrg] Balloon-Hashing or Argon2i. Paul Grubbs
- [Cfrg] Balloon-Hashing or Argon2i. Joel Alwen
- Re: [Cfrg] Balloon-Hashing or Argon2i. Henry Corrigan-Gibbs
- Re: [Cfrg] Balloon-Hashing or Argon2i. Dmitry Khovratovich
- Re: [Cfrg] Balloon-Hashing or Argon2i. Henry Corrigan-Gibbs
- Re: [Cfrg] Balloon-Hashing or Argon2i. Dmitry Khovratovich