Re: [Cfrg] [MASSMAIL]Re: adopting Argon2 as a CFRG document

Stefano Tessaro <tessaro@cs.ucsb.edu> Tue, 31 May 2016 17:07 UTC

In-Reply-To: <CAGiyFdfEjQ3H6HJxSqn1-cmk3fySWepNso1264nt24z0kMg7ig@mail.gmail.com>
References: <CALW8-7JZZuWszw+Zj0CWHp79wXeQ2JxvKHT0Bpiwv3hz=m493A@mail.gmail.com> <CALW8-7Js5_sAJ+4ZVg4Hg2iLH41c6aunQMHLH=M+n=neCR0UXw@mail.gmail.com> <57460090.9040901@ist.ac.at> <CAGiyFdcHxUsWeW-hrNpyaJfgK8WZzy=Mbbkc+cr=ht8tgb3CTQ@mail.gmail.com> <574D60C5.80309@ist.ac.at> <CAGiyFdfEjQ3H6HJxSqn1-cmk3fySWepNso1264nt24z0kMg7ig@mail.gmail.com>
Date: Tue, 31 May 2016 10:07:41 -0700
Message-ID: <CAEB_pdccDaATC+7kXD2+vX6TVQ1Rt4Z29uMTb5=vYwT_us4V7g@mail.gmail.com>
From: Stefano Tessaro <tessaro@cs.ucsb.edu>
To: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/5WsLYd1MrOHuXji565Rx7RFME-Y>
Cc: Alex Biryukov - UNI <alex.biryukov@uni.lu>, cfrg@irtf.org
Subject: Re: [Cfrg] [MASSMAIL]Re: adopting Argon2 as a CFRG document

This may be obvious to many, but a point that I believe is not
stressed enough in the ongoing discussion is that the AB16 attack
shows a substantial *asymptotic* improvement over what could be
expected from a memory-hard function.

In contrast, comparisons here are focusing on the *concrete*
complexity of the AB16 attack for actual real-world parameters,
compared with the best known attacks against Argon2i. (The latter
attacks do not seem to have an obvious asymptotic generalization
outperforming the AB16 attack, but I am happy to be corrected on
this.)

Regardless of which attack performs best, asymptotic breaks typically
tell us more about a construction than just a number.

Indeed, constants and log-factors are likely to be improved in future
works, and the real question seems to be how much value one should put
in asymptotic attacks and how much Argon2i (or any other design
affected by the attacks) is resilient to potential future improvements
of AB16.

I am not advocating for any particular design. As a passive observer,
I just feel the attacks should be compared more carefully.

Stefano

On Tue, May 31, 2016 at 3:44 AM, Jean-Philippe Aumasson
<jeanphilippe.aumasson@gmail.com> wrote:
>
> I haven't read the AB16 paper, but I observe that
>
> 1) Argon2 designers say "the AB16 attack is less efficient than known
> attacks"
>
> 2) Joel says "the AB16 attack is more efficient than known attacks"
>
> Are you guys both right for different notions of "efficient", or is one of
> your analyses wrong?
>
> Specifically: Joel, is there something that strikes you as incorrect in the
> analysis in 5.6 of https://www.cryptolux.org/images/0/0d/Argon2.pdf?
>
>
>
> On Tue, May 31, 2016 at 12:00 PM Joel Alwen <jalwen@ist.ac.at> wrote:
>>
>> > Furthermore, my understanding is that the Alwen-Blocki attack on
>> > Argon2i isn't more efficient than attacks already documented, as
>> > discussed in 5.6 in
>> > https://www.cryptolux.org/images/0/0d/Argon2.pdf. So I don't see
>> > these new results as a showstopper.
>>
>> Actually the Alwen-Blocki is more efficient than other known attacks
>> both in terms of asymptotic and exact constants for interesting
>> parameter ranges. This is already true for the worst case analysis in
>> the paper. (See my earlier email in this thread for references on
>> this.) Moreover there is good reason to believe that it will behave far
>> better in practice and that it can also be further improved.
>>
>> To be clear: I am neither advocating for nor against Argon2i (or any
>> other algorithm). My intention at this point is to clarify what is
>> actually known about Argon2i.
>>
>>
>> As to why I responded positively to Kenny's question about having a new
>> PHC *in an ideal world*; the reason is that recent results both in terms
>> of attacks and security proofs all point towards a new desirable
>> property of an iMHF. That is, the underlying DAG of the iMHF should have
>> a specific combinatoric property (called depth-robustness). Not only is
>> being depth-robust necessary to avoid the AB16 attack, it also allows us
>> to make provable security type statements. However, constructing the most
>> efficient & simple such graphs is not a trivial task, especially not
>> ones which result in the strongest possible provable security
>> statements. As such, a concerted effort to produce the best such graph
>> combined with other properties we have learned about in the previous PHC
>> would likely result in a significantly improved iMHF compared to
>> everything we currently have available. Of course we may not want to
>> wait for this, nor spend the energy on it. My reasoning and response
>> were mindful of the "in an ideal world" part of the question.
>>
>> - joel
>>
>> On Wed, May 25, 2016 at 9:44 PM Joel Alwen <jalwen@ist.ac.at> wrote:
>> >
>> >
>> >> 3. The best attacks on Argon2, published in the original design
>> >> document in early 2015, have factor 1.3 for Argon2d and factor 3
>> >> for Argon2i.
>> >>
>> >> 4. The best attack found by Alwen and Blocki has factor 2 for
>> >> Argon2i.
>> >>
>> >> 5. In a bit more detail, the advantage of the Alwen-Blocki attack
>> >> is upper bounded by (M^{1/4})/36, where M is the number of
>> >> kilobytes used by Argon2i. Thus the attack has factor 2 with
>> >> memory up to 16 GB, and less than 1 for memory up to 1 GB. Details
>> >> in Section 5.6 of https://www.cryptolux.org/images/0/0d/Argon2.pdf
>> >
>> > I believe the results of Alwen-Blocki (AB16) actually show that at
>> > least 6 passes over memory are required for the above suggested
>> > parameters.
>> > - See Corollary 5.6 in [1]
>> > - See Figure 1(a) in [1] and the paragraph titled "Parameter Optimization"
>> >
>> > [1] https://eprint.iacr.org/2016/115
>> >
>> > Moreover, I think it important to note that the analysis of the
>> > attack complexity in [1] is very "worst case" in several ways and
>> > that this leaves room for significant improvements in practice.
>> > And of course the analysis was not optimized for concrete parameters
>> > such as those mentioned above.
>> >
>> > Basically I think there are several good reasons to believe that 6
>> > passes over memory are also not sufficient to avoid the attack.
>> >
>> > - Joel
>> >
>> >
>> >
>> >
>> > On 05/21/2016 04:38 AM, Dmitry Khovratovich wrote:
>> >> Some clarifications due to the increased attention to the paper by
>> >> Alwen and Blocki, which has been presented at the recent Eurocrypt
>> >> CFRG meeting.
>> >>
>> >> 1. One of the security parameters of memory-hard password hashing
>> >> functions is how much an ASIC attacker can reduce the area-time
>> >> product (AT) of a password cracker implemented on ASIC. The AT is
>> >> conjectured to be proportional to the amortized cracking cost per
>> >> password.
>> >>
>> >> 2. The memory-hard functions with input-independent memory access
>> >> (such as Argon2i) have been known for their relatively larger
>> >> AT-reduction factor compared to functions with input-dependent
>> >> memory access (such as Argon2d). To mitigate this, the minimum of
>> >> 3 passes over memory for Argon2i was set.
>> >>
>> >> 3. The best attacks on Argon2, published in the original design
>> >> document in early 2015, have factor 1.3 for Argon2d and factor 3
>> >> for Argon2i.
>> >>
>> >> 4. The best attack found by Alwen and Blocki has factor 2 for
>> >> Argon2i.
>> >>
>> >> 5. In a bit more detail, the advantage of the Alwen-Blocki attack
>> >> is upper bounded by (M^{1/4})/36, where M is the number of
>> >> kilobytes used by Argon2i. Thus the attack has factor 2 with
>> >> memory up to 16 GB, and less than 1 for memory up to 1 GB. Details
>> >> in Section 5.6 of https://www.cryptolux.org/images/0/0d/Argon2.pdf
>> >>
>> >> Best regards, Argon2 team
>> >>
>> >> On Mon, Feb 1, 2016 at 10:06 PM, Dmitry Khovratovich
>> >> <khovratovich@gmail.com> wrote:
>> >>
>> >> Dear all,
>> >>
>> >> as explained in a recent email
>> >> http://article.gmane.org/gmane.comp.security.phc/3606, we are
>> >> fully aware of the analysis of Argon2i made by Corrigan-Gibbs et
>> >> al., we know how to mitigate the demonstrated effect, and have
>> >> already made some benchmarks on the patch.
>> >>
>> >> Soon after the Crypto deadline (Feb-9) we will develop a new
>> >> release including code, rationale, and test vectors.
>> >>
>> >> -- Best regards, the Argon2 team.
>> >>
>> >>
>> >>
>> >>
>> >> -- Best regards, Dmitry Khovratovich
>> >>
>> >>
>> >> _______________________________________________ Cfrg mailing list
>> >> Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>> > https://www.irtf.org/mailman/listinfo/cfrg
>> >>

-- 
Stefano Tessaro
Assistant Professor of Computer Science
University of California, Santa Barbara
http://cs.ucsb.edu/~tessaro/
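Added example, not part of the thread: a Python check of the bound the Argon2 team quote in point 5 (advantage at most M^{1/4}/36, M in kilobytes), inverted to find the memory size at which that worst-case bound would reach a given factor, including the factor-3 attack the design document already lists for Argon2i. It assumes binary units (1 GB = 2^20 KB), which the thread does not specify, and says nothing about the asymptotic behaviour Stefano raises, only the concrete bound as stated.

```python
# Added example (not from the mailing-list thread). Evaluates the AB16
# AT-reduction bound quoted in the thread, adv <= M^(1/4)/36 with M the
# memory in kilobytes, and solves it for the memory at which the bound
# reaches a chosen factor.
# Assumption: 1 GB = 2**20 KB (binary units); the thread does not say.

KB_PER_GB = 2 ** 20

# Factor of the best previously documented attack on Argon2i, as stated
# in point 3 of the Argon2 team's message.
KNOWN_ARGON2I_FACTOR = 3.0


def ab16_bound(memory_kb: float) -> float:
    """Upper bound on the AB16 AT-reduction factor for memory_kb kilobytes."""
    if memory_kb <= 0:
        raise ValueError("memory must be positive")
    return memory_kb ** 0.25 / 36


def memory_kb_for_factor(factor: float) -> float:
    """Memory (KB) at which M^(1/4)/36 equals factor, i.e. M = (36*factor)^4."""
    if factor <= 0:
        raise ValueError("factor must be positive")
    return (36 * factor) ** 4


def bound_at_gb(memory_gb: float) -> float:
    """Same bound, with memory given in GB (binary units assumed)."""
    return ab16_bound(memory_gb * KB_PER_GB)


def crossover_gb(factor: float) -> float:
    """Memory in GB above which the worst-case bound exceeds factor."""
    return memory_kb_for_factor(factor) / KB_PER_GB


def report() -> str:
    """Reproduce the thread's two data points and the crossover sizes."""
    lines = [f"{gb:>3} GB: AB16 bound <= {bound_at_gb(gb):.2f}" for gb in (1, 16)]
    for f in (2.0, KNOWN_ARGON2I_FACTOR):
        lines.append(f"bound reaches factor {f:g} at about {crossover_gb(f):.1f} GB")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

With these units the bound stays below 2 up to roughly 25.6 GB and only passes the previously known factor 3 at roughly 130 GB, which is the concrete comparison the thread is arguing about.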