Re: [Cfrg] I-D Action: draft-irtf-cfrg-argon2-02.txt

Dmitry Khovratovich <khovratovich@gmail.com> Fri, 14 July 2017 15:52 UTC

From: Dmitry Khovratovich <khovratovich@gmail.com>
Date: Fri, 14 Jul 2017 17:52:18 +0200
Message-ID: <CALW8-7LLP=xnCWuGfyvHiH4P39zKjJay4_UEtst-OuzoByT_Uw@mail.gmail.com>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Cc: "draft-irtf-cfrg-argon2@ietf.org" <draft-irtf-cfrg-argon2@ietf.org>, "cfrg@ietf.org" <cfrg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/9iz6Wll2-hwiu9gRhoMgT_YWhNw>

Dear Russ, Stanislav, Jeremiah,

Thank you a lot for the efforts! The reviews make the document much better.
We are now working on integrating the comments into the draft, hopefully
finishing next week.

We'll publish a document where every comment is accompanied by a note.

Best regards,
Dmitry, Alex

On Tue, Jul 4, 2017 at 4:06 PM, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk>
wrote:

> Dear Argon2 authors,
>
>
> You will have seen the two recent CFRG review panel reviews for
> draft-irtf-cfrg-argon2-02.txt:
>
> https://www.ietf.org/mail-archive/web/cfrg/current/msg09199.html
>
> https://www.ietf.org/mail-archive/web/cfrg/current/msg09195.html
>
>
> - thanks to Russ Housley and Stanislav Smyshlyaev for preparing these.
>
> Please would you take these reviews into account when preparing the next
> version of your draft? It would be helpful if you would post a response
> explaining how you have addressed the comments when you are ready.
>
> (Note also that there was a cutoff for new drafts this Monday past because
> of the upcoming IETF meeting.)
>
> Regards
>
> Kenny (for the chairs)
>
>
> On 15/06/2017 15:16, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> wrote:
>
> >Dear CFRG,
> >
> >Dmitry Khovratovich kindly presented the latest draft for Argon2 at the
> >interim CFRG meeting in Paris. For those of you who could not attend, his
> >slides can be found here:
> >
> >https://www.ietf.org/proceedings/interim-2017-cfrg-01/slides/slides-interim-2017-cfrg-01-sessa-argon2-00.pdf
> >
> >
> >My sense from the constructive discussion that took place after Dmitry's
> >talk in Paris was that there are now no remaining serious objections to
> >the recommended parameters in the latest version of the draft:
> >
> >https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/
> >
> >
> >If there are further substantive technical comments from the CFRG
> >membership, the chairs would be grateful if they could be brought to the
> >list in the next few days.
> >
> >Assuming we have indeed reached consensus, then we will be in a position
> >to move to last call for this ID.
> >
> >Thanks,
> >
> >Kenny (for the chairs)
> >
> >
> >On 27/03/2017 11:51, "Cfrg on behalf of Dmitry Khovratovich"
> ><cfrg-bounces@irtf.org on behalf of khovratovich@gmail.com> wrote:
> >
> >>Some comments on a new draft:
> >>
> >>Variants
> >>
> >>Argon2 fills M bytes of memory in T iterations over it, with M and T being
> >>the parameters supplied to Argon2 and determining its performance. Speed on
> >>a typical server is linear in the MT product.
> >>
> >>The Argon2 family has three variants: I, D, and ID, which differ in the way
> >>of reusing memory that has been filled. The I variant makes queries with
> >>predictable addresses, whereas D determines the addresses on the fly
> >>depending on the current state (and thus the password). The ID variant
> >>follows I for the first half of the memory used and D for the rest and
> >>while overwriting.
> >>
> >>Side-channels
> >>
> >>The side-channel attacks, which are of still rising concern in the security
> >>community, are applicable to the D variant as the memory addresses and thus
> >>information about the password or other secret inputs can be determined
> >>from the timing leaks. The I variant is completely invulnerable to this
> >>attack, and the ID variant provides only a constant factor improvement for
> >>the attacker.
> >>
> >>Hardware and tradeoffs
> >>
> >>The M and T parameters determine the cost of bruteforcing passwords on
> >>custom hardware, which is proportional to M^2*T if we follow the
> >>traditional time-area product metric. The time-memory tradeoff analysis [2]
> >>shows that the bruteforce cost for the I variant can be changed to
> >>M^2*T/Q(M,T) for some quality function Q. For instance, Q(2^30,1)=5,
> >>Q(2^30,4)=2.5.
> >>
> >>The D variant is invulnerable to the approach [2], and the savings factor
> >>in the ID variant is upper bounded by factor 2 for all parameters.
> >>
> >>Defender tradeoff and ultimate recommendations
> >>
> >>In public and private conversations with security architects in the
> >>industry we learned that the bottleneck in a system employing the
> >>password-hashing function is the function latency rather than memory costs.
> >>We then assume that a rational defender would like to maximize the
> >>bruteforce costs for the attacker equipped with a list of hashes, salts,
> >>and timing information, for fixed computing time on the defender's machine.
> >>In this assumption the defender keeps the MT product constant and maximizes
> >>the losses M/Q(M,T). The authors of [2] provide us with attack cost
> >>estimates for constant MT = 2^28, 2^30, 2^32 (measured in iteration-bytes).
> >>
> >>We ultimately recommend the ID variant with T=1 and maximum M as a default
> >>setting for all environments, which is secure against side-channel attacks
> >>and prohibits adversarial advantage on dedicated bruteforce hardware.
> >>
> >>
> >>References
> >>
> >>[1] "Efficiently Computing Data-Independent Memory-Hard Functions"
> >><http://eprint.iacr.org/2016/115.pdf>
> >>
> >>[2] "Towards Practical Attacks on Argon2i and Balloon Hashing"
> >><http://eprint.iacr.org/2016/759.pdf>
> >>
> >>On Mon, Mar 27, 2017 at 12:46 PM, <internet-drafts@ietf.org> wrote:
> >>
> >>
> >>A New Internet-Draft is available from the on-line Internet-Drafts
> >>directories.
> >>This draft is a work item of the Crypto Forum of the IETF.
> >>
> >>        Title           : The memory-hard Argon2 password hash and
> >>proof-of-work function
> >>        Authors         : Alex Biryukov
> >>                          Daniel Dinu
> >>                          Dmitry Khovratovich
> >>                          Simon Josefsson
> >>        Filename        : draft-irtf-cfrg-argon2-02.txt
> >>        Pages           : 26
> >>        Date            : 2017-03-27
> >>
> >>Abstract:
> >>   This document describes the Argon2 memory-hard function for password
> >>   hashing and proof-of-work applications.  We provide an implementer
> >>   oriented description together with sample code and test vectors.  The
> >>   purpose is to simplify adoption of Argon2 for Internet protocols.
> >>
> >>
> >>The IETF datatracker status page for this draft is:
> >>https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/
> >>
> >>There are also htmlized versions available at:
> >>https://tools.ietf.org/html/draft-irtf-cfrg-argon2-02
> >>https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-argon2-02
> >>
> >>A diff from the previous version is available at:
> >>https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-argon2-02
> >>
> >>
> >>Please note that it may take a couple of minutes from the time of
> >>submission
> >>until the htmlized version and diff are available at
> >>tools.ietf.org <http://tools.ietf.org>.
> >>
> >>Internet-Drafts are also available by anonymous FTP at:
> >>ftp://ftp.ietf.org/internet-drafts/
> >>
> >>_______________________________________________
> >>Cfrg mailing list
> >>Cfrg@irtf.org
> >>https://www.irtf.org/mailman/listinfo/cfrg
> >>
> >>--
> >>Best regards,
> >>Dmitry Khovratovich
> >>
> >>
> >
>
>



-- 
Best regards,
Dmitry Khovratovich
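The I/D/ID addressing distinction discussed in the quoted comments above, as an added toy simulation that is not part of this thread and not Argon2's reference code: it fills memory with a constructed block function, records which block each step reads, and compares that address trace (what a cache-timing observer would see) for two different passwords. The hash, the index rule, the block count and the sample passwords are all constructed for this illustration.

```python
import hashlib


def _h(*parts):
    """Short hash standing in for the block function (constructed for this toy)."""
    return hashlib.blake2b(b"".join(parts), digest_size=8).digest()


def access_trace(variant, password, salt, m, t):
    """Indices of the blocks referenced while filling m blocks over t passes.

    Toy addressing model, not Argon2's real index function: "i" picks the
    reference index from the pass/position counters only, "d" derives it from
    the previous block's contents (and so from the password), and "id" follows
    "i" for the first half of the first pass and "d" afterwards.
    """
    # Initial memory (constructed): every block already depends on the password.
    blocks = [_h(password, salt, i.to_bytes(4, "big")) for i in range(m)]
    trace = []
    for pass_no in range(t):
        for i in range(m):
            first_half_of_first_pass = pass_no == 0 and i < m // 2
            if variant == "i" or (variant == "id" and first_half_of_first_pass):
                seed = _h(b"counters", pass_no.to_bytes(4, "big"), i.to_bytes(4, "big"))
            elif variant in ("d", "id"):
                seed = blocks[(i - 1) % m]  # state-dependent: the address leaks state
            else:
                raise ValueError("variant must be 'i', 'd' or 'id'")
            ref = int.from_bytes(seed, "big") % m
            trace.append(ref)
            blocks[i] = _h(blocks[(i - 1) % m], blocks[ref])
    return trace


def leak_free_prefix(variant, m=64, t=2):
    """Number of leading accesses that are identical for two different passwords.

    An address observer learns nothing from this prefix; any later access
    that differs between the two runs depends on the secret input.
    """
    a = access_trace(variant, b"password-A", b"fixed-salt", m, t)
    b = access_trace(variant, b"password-B", b"fixed-salt", m, t)
    n = 0
    while n < len(a) and a[n] == b[n]:
        n += 1
    return n


def leaks_password(variant, m=64, t=2):
    """True if the address trace depends on the password anywhere in the run."""
    return leak_free_prefix(variant, m, t) < m * t
```

With the defaults (64 blocks, 2 passes) the "i" trace is identical for both passwords, "d" diverges almost immediately, and "id" stays identical for exactly the first 32 accesses before diverging.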