Re: [Cfrg] I-D Action: draft-irtf-cfrg-argon2-02.txt
Dmitry Khovratovich <khovratovich@gmail.com> Fri, 14 July 2017 15:52 UTC
From: Dmitry Khovratovich <khovratovich@gmail.com>
Date: Fri, 14 Jul 2017 17:52:18 +0200
Message-ID: <CALW8-7LLP=xnCWuGfyvHiH4P39zKjJay4_UEtst-OuzoByT_Uw@mail.gmail.com>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Cc: "draft-irtf-cfrg-argon2@ietf.org" <draft-irtf-cfrg-argon2@ietf.org>, "cfrg@ietf.org" <cfrg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/9iz6Wll2-hwiu9gRhoMgT_YWhNw>
Dear Russ, Stanislav, Jeremiah,

thank you a lot for the efforts! The reviews make the document much better. We are now working on integrating the comments into the draft, hopefully finished next week. We'll publish a document where every comment is accompanied with a note.

Best regards,
Dmitry, Alex

On Tue, Jul 4, 2017 at 4:06 PM, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk> wrote:

> Dear Argon2 authors,
>
> You will have seen the two recent CFRG review panel reviews for
> draft-irtf-cfrg-argon2-02.txt:
>
> https://www.ietf.org/mail-archive/web/cfrg/current/msg09199.html
> https://www.ietf.org/mail-archive/web/cfrg/current/msg09195.html
>
> - thanks to Russ Housley and Stanislav Smyshlyaev for preparing these.
>
> Please would you take these reviews into account when preparing the next
> version of your draft? It would be helpful if you would post a response
> explaining how you have addressed the comments when you are ready.
>
> (Note also that there was a cutoff for new drafts this Monday past because
> of the upcoming IETF meeting.)
>
> Regards
>
> Kenny (for the chairs)
>
> On 15/06/2017 15:16, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> wrote:
>
> > Dear CFRG,
> >
> > Dmitry Khovratovich kindly presented the latest draft for Argon2 at the
> > interim CFRG meeting in Paris. For those of you who could not attend, his
> > slides can be found here:
> >
> > https://www.ietf.org/proceedings/interim-2017-cfrg-01/slides/slides-interim-2017-cfrg-01-sessa-argon2-00.pdf
> >
> > My sense from the constructive discussion that took place after Dmitry's
> > talk in Paris was that there are now no remaining serious objections to
> > the recommended parameters in the latest version of the draft:
> >
> > https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/
> >
> > If there are further substantive technical comments from the CFRG
> > membership, the chairs would be grateful if they could be brought to the
> > list in the next few days.
> >
> > Assuming we have indeed reached consensus, then we will be in a position
> > to move to last call for this ID.
> >
> > Thanks,
> >
> > Kenny (for the chairs)
> >
> > On 27/03/2017 11:51, "Cfrg on behalf of Dmitry Khovratovich"
> > <cfrg-bounces@irtf.org on behalf of khovratovich@gmail.com> wrote:
> >
> > > Some comments on a new draft:
> > >
> > > Variants
> > >
> > > Argon2 fills M bytes of memory in T iterations over it, with M and T
> > > being the parameters supplied to Argon2 and determining its performance.
> > > Speed on a typical server is linear in the MT product.
> > >
> > > The Argon2 family has three variants: I, D, and ID, which differ in the
> > > way of reusing memory that has been filled. The I variant makes queries
> > > with predictable addresses, whereas D determines the addresses on the fly
> > > depending on the current state (and thus the password). The ID variant
> > > follows I for the first half of the memory used and D for the rest and
> > > while overwriting.
> > >
> > > Side-channels
> > >
> > > The side-channel attacks, which are of still rising concern in the
> > > security community, are applicable to the D variant as the memory
> > > addresses and thus information about the password or other secret inputs
> > > can be determined from the timing leaks. The I variant is completely
> > > invulnerable to this attack, and the ID variant provides only a constant
> > > factor improvement for the attacker.
> > >
> > > Hardware and tradeoffs
> > >
> > > The M and T parameters determine the cost of bruteforcing passwords on
> > > custom hardware, which is proportional to M^2 T if we follow the
> > > traditional time-area product metric. The time-memory tradeoff analysis
> > > [2] shows that the bruteforce cost for the I variant can be changed to
> > > M^2 T / Q(M,T) for some quality function Q. For instance,
> > > Q(2^30, 1) = 5, Q(2^30, 4) = 2.5.
> > >
> > > The D variant is invulnerable to the approach [2], and the savings factor
> > > in the ID variant is upper bounded by factor 2 for all parameters.
> > >
> > > Defender tradeoff and ultimate recommendations
> > >
> > > In public and private conversations with security architects in the
> > > industry we learned that the bottleneck in a system employing the
> > > password-hashing function is the function latency rather than memory
> > > costs. We then assume that a rational defender would like to maximize the
> > > bruteforce costs for the attacker equipped with a list of hashes, salts,
> > > and timing information, for fixed computing time on the defender's
> > > machine. In this assumption the defender keeps the MT product constant
> > > and maximizes the losses M/Q(M,T). The authors of [2] provide us with
> > > attack cost estimates for constant MT = 2^28, 2^30, 2^32 (measured in
> > > iteration-bytes).
> > >
> > > We ultimately recommend the ID variant with T=1 and maximum M as a
> > > default setting for all environments, which is secure against
> > > side-channel attacks and prohibits adversarial advantage on dedicated
> > > bruteforce hardware.
> > >
> > > References
> > >
> > > [1] "Efficiently Computing Data-Independent Memory-Hard Functions"
> > >     <http://eprint.iacr.org/2016/115.pdf>
> > > [2] "Towards Practical Attacks on Argon2i and Balloon Hashing"
> > >     <http://eprint.iacr.org/2016/759.pdf>
> > >
> > > On Mon, Mar 27, 2017 at 12:46 PM, <internet-drafts@ietf.org> wrote:
> > >
> > > > A New Internet-Draft is available from the on-line Internet-Drafts
> > > > directories.
> > > > This draft is a work item of the Crypto Forum of the IETF.
> > > >
> > > >     Title    : The memory-hard Argon2 password hash and proof-of-work function
> > > >     Authors  : Alex Biryukov
> > > >                Daniel Dinu
> > > >                Dmitry Khovratovich
> > > >                Simon Josefsson
> > > >     Filename : draft-irtf-cfrg-argon2-02.txt
> > > >     Pages    : 26
> > > >     Date     : 2017-03-27
> > > >
> > > > Abstract:
> > > >    This document describes the Argon2 memory-hard function for password
> > > >    hashing and proof-of-work applications. We provide an implementer
> > > >    oriented description together with sample code and test vectors. The
> > > >    purpose is to simplify adoption of Argon2 for Internet protocols.
> > > >
> > > > The IETF datatracker status page for this draft is:
> > > > https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/
> > > >
> > > > There are also htmlized versions available at:
> > > > https://tools.ietf.org/html/draft-irtf-cfrg-argon2-02
> > > > https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-argon2-02
> > > >
> > > > A diff from the previous version is available at:
> > > > https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-argon2-02
> > > >
> > > > Please note that it may take a couple of minutes from the time of
> > > > submission until the htmlized version and diff are available at
> > > > tools.ietf.org.
> > > >
> > > > Internet-Drafts are also available by anonymous FTP at:
> > > > ftp://ftp.ietf.org/internet-drafts/
> > > >
> > > > _______________________________________________
> > > > Cfrg mailing list
> > > > Cfrg@irtf.org
> > > > https://www.irtf.org/mailman/listinfo/cfrg
> > >
> > > --
> > > Best regards,
> > > Dmitry Khovratovich

--
Best regards,
Dmitry Khovratovich
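The defender-side cost argument from Dmitry's quoted comments, carried through as an added derivation that is not part of the original thread. M, T and the quality function Q(M,T) are the symbols used above, the two Q values are the ones quoted from [2], and the factor-2 bound on the ID savings is the one stated in the comments; nothing else is assumed.

$$
\mathrm{Cost}_{\mathrm{D}}(M,T) = M^2 T, \qquad
\mathrm{Cost}_{\mathrm{I}}(M,T) = \frac{M^2 T}{Q(M,T)}, \qquad
\mathrm{Cost}_{\mathrm{ID}}(M,T) \ge \frac{M^2 T}{2}.
$$

Fixing the defender's budget $MT = C$ (iteration-bytes) gives $M^2 T = C \cdot M$, so

$$
\mathrm{Cost}_{\mathrm{I}}\!\left(M, \tfrac{C}{M}\right) = C \cdot \frac{M}{Q(M, C/M)},
$$

which is why the defender maximizes $M/Q(M,T)$ rather than $M$ alone. For the D variant $Q \equiv 1$, so the cost is $C \cdot M$, maximized by $T = 1$, $M = C$. For the ID variant, with $1 \le Q_{\mathrm{ID}} \le 2$,

$$
\mathrm{Cost}_{\mathrm{ID}}(C, 1) \ge \frac{C^2}{2} \ge C \cdot \frac{C/2}{Q_{\mathrm{ID}}(C/2, 2)} = \mathrm{Cost}_{\mathrm{ID}}\!\left(\tfrac{C}{2}, 2\right),
$$

so trading half the memory for a second pass can never raise the attacker's cost under this bound: $T = 1$ with maximum $M$ is the best ID setting at fixed $C$. For the I variant the quoted points $Q(2^{30},1) = 5$ and $Q(2^{30},4) = 2.5$ show that extra passes reduce the attacker's savings, but they are given at the same $M$, not the same budget; comparing $(2^{30},1)$ against $(2^{28},4)$ at $C = 2^{30}$ would need $Q(2^{28},4)$, which the comments do not quote.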