Re: [Cfrg] Security analysis of scrypt

Bill Cox <waywardgeek@gmail.com> Wed, 10 February 2016 19:36 UTC

In-Reply-To: <aaae2181e7274ad1b469c0302e182c65@ustx2ex-dag1mb1.msg.corp.akamai.com>
References: <CAEB_pdf5ckqEtwC9N80YhNoqh77xPY2zJfuWq_BUio9wqg+Qxg@mail.gmail.com> <aaae2181e7274ad1b469c0302e182c65@ustx2ex-dag1mb1.msg.corp.akamai.com>
Date: Wed, 10 Feb 2016 11:36:28 -0800
Message-ID: <CAOLP8p55r-r=WQm1u9CJgcZ=LbstV2FBT_uYR9=iyi+hSEhreA@mail.gmail.com>
From: Bill Cox <waywardgeek@gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/AYTJZyLYh2hl5Jhgqecbk97hHxE>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Security analysis of scrypt

On Wed, Feb 10, 2016 at 10:52 AM, Salz, Rich <rsalz@akamai.com> wrote:

>
> > http://eprint.iacr.org/2016/100.pdf
>
> Got a one-paragraph summary that uses little words and small numbers? :)


I read through the results, but skipped the mathematical proofs.  The
results are very cool.  Basically, the "cost" we typically use to rate
memory-hard functions is "memory*time", where an attacker must use M memory
for T time steps.  We generally assume Scrypt and related functions may
have a time-memory tradeoff, but that the memory*time security remains
intact regardless of the TMTO (though an attacker can gain a small constant
improvement: 4X in the case of Scrypt, smaller in the case of Argon2d).
IIUC, with some reasonable assumptions, they claim to prove that the
"cc(G)", which is the optimal "cumulative memory complexity" possible by
any attacker algorithm has a lower bound proportional to n^2/log^2(n).
Since cc(G) is a lower bound on memory*time, this fits closely with the
common belief that memory*time security goes as the square of the memory
for a data-dependent memory-hard algorithm, such as Scrypt and Argon2d.

This is why I prefer algorithms like Argon2d in applications where
side-channel resistance is not critical.  In the PHC, we were not able to
present compelling security proofs for the memory*time improvement in
data-dependent algorithms vs side-channel resistant algorithms, and in the
end, the judges were split, which is one reason Argon2 won, as it provides
both.  I found that generally, we see around 3X better memory*time defense
in data dependent algorithms when comparing one-pass algorithms, but
without a proof of the memory*time hardness of data-dependent algorithms, I
think there were a lot of doubters.

This is an excellent result, IMO.

Bill
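Added illustration (editor's example, not part of Bill Cox's message or of the paper he cites): a toy scrypt-style ROMix with a cost model for the "memory*time" figure discussed above. The defender keeps all N blocks of V; a time-memory-tradeoff attacker keeps only every k-th block and recomputes the rest from the nearest checkpoint. Cumulative memory complexity is accounted as the sum, over every hash evaluation, of the number of blocks held at that moment. The hash, the seed, the block size and the accounting rules are assumptions chosen for this example; scrypt's real BlockMix and parameters are not reproduced, and the constant-factor gain this toy model shows is a property of the model, not the 4X figure quoted in the message.

```python
"""Constructed example: memory*time (cumulative memory complexity) of a
scrypt-style data-dependent ROMix under a store-every-k-th-block TMTO.
All of this is illustrative accounting, not scrypt's reference code."""
import hashlib

BLOCK = 16  # assumed block size in bytes; scrypt uses 128*r


def H(x: bytes) -> bytes:
    # Stand-in for scrypt's BlockMix; any fixed-width PRF works for the accounting.
    return hashlib.blake2b(x, digest_size=BLOCK).digest()


def integerify(x: bytes, n: int) -> int:
    # Data-dependent index: the next read address is derived from the current block.
    return int.from_bytes(x[:8], "little") % n


def romix_cmc(seed: bytes, n: int, k: int = 1):
    """Evaluate ROMix while storing only every k-th block of V (k=1 is the
    honest, full-memory evaluation). Missing blocks are recomputed from the
    nearest checkpoint. Returns (output, peak_blocks, hash_steps, cmc) where
    cmc sums, over each hash evaluation, the number of blocks held."""
    assert k >= 1 and n % k == 0
    checkpoints = {}  # index -> block, only for indices divisible by k
    x = seed
    steps = cmc = peak = 0

    def tick(in_flight: int = 0):
        # One hash evaluation: charge the blocks held right now
        # (checkpoints + the running block x + any recompute scratch block).
        nonlocal steps, cmc, peak
        steps += 1
        held = len(checkpoints) + 1 + in_flight
        cmc += held
        peak = max(peak, held)

    # Fill phase: V[i] = H^i(seed); keep only i % k == 0.
    for i in range(n):
        if i % k == 0:
            checkpoints[i] = x
        x = H(x)
        tick()

    # Mix phase: n data-dependent reads, each forcing a recompute of up to
    # k-1 hashes when the wanted block was not kept.
    for _ in range(n):
        j = integerify(x, n)
        base = j - (j % k)
        v = checkpoints[base]
        for _ in range(j - base):
            v = H(v)
            tick(in_flight=1)
        x = H(bytes(a ^ b for a, b in zip(x, v)))
        tick()
    return x, peak, steps, cmc


def tmto_table(n: int, ks=(1, 2, 4, 8, 16, 32)):
    """Compare the attacker's memory*time against the honest evaluation.
    Each row: (k, peak_blocks, hash_steps, cmc, honest_cmc / cmc)."""
    seed = b"constructed seed, not from the paper"  # assumed input
    honest = romix_cmc(seed, n, 1)
    rows = []
    for k in ks:
        out, peak, steps, cmc = romix_cmc(seed, n, k)
        assert out == honest[0], "TMTO must compute the same output"
        rows.append((k, peak, steps, cmc, honest[3] / cmc))
    return rows


if __name__ == "__main__":
    print("k  peak_blocks  hash_steps  cmc        honest/attacker")
    for k, peak, steps, cmc, gain in tmto_table(1024):
        print(f"{k:<3}{peak:<13}{steps:<12}{cmc:<11}{gain:.2f}")
```

Reading the table: peak memory drops by a factor of k, but the hash count grows by roughly (k+1)/2, so the product stays within a small constant of the honest run no matter how large k gets. That is the "memory*time security remains intact regardless of the TMTO" intuition the message refers to; the paper's contribution is a proof that this holds against any attacker strategy, not only this checkpoint-and-recompute one.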