Re: [Cfrg] Security analysis of scrypt
Bill Cox <waywardgeek@gmail.com> Wed, 10 February 2016 19:36 UTC
On Wed, Feb 10, 2016 at 10:52 AM, Salz, Rich <rsalz@akamai.com> wrote:
> > http://eprint.iacr.org/2016/100.pdf
>
> Got a one-paragraph summary that uses little words and small numbers? :)

I read through the results, but skipped the mathematical proofs. The results are very cool.

Basically, the "cost" we typically use to rate memory-hard functions is "memory*time", where an attacker must use M memory for T time steps. We generally assume Scrypt and related functions may have a time-memory tradeoff, but that the memory*time security remains intact regardless of the TMTO (though an attacker can gain a small constant improvement: 4X in the case of Scrypt, smaller in the case of Argon2d).

IIUC, with some reasonable assumptions, they claim to prove that the "cc(G)", which is the optimal "cumulative memory complexity" possible by any attacker algorithm, has a lower bound proportional to n^2/log^2(n). Since cc(G) is a lower bound on memory*time, this fits closely with the common belief that memory*time security goes as the square of the memory for a data-dependent memory-hard algorithm, such as Scrypt and Argon2d.

This is why I prefer algorithms like Argon2d in applications where side-channel resistance is not critical. In the PHC, we were not able to present compelling security proofs for the memory*time improvement in data-dependent algorithms vs side-channel resistant algorithms, and in the end, the judges were split, which is one reason Argon2 won, as it provides both. I found that generally, we see around 3X better memory*time defense in data-dependent algorithms when comparing one-pass algorithms, but without a proof of the memory*time hardness of data-dependent algorithms, I think there were a lot of doubters.

This is an excellent result, IMO.

Bill
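As an added illustration of the memory*time cost measure discussed above (this is example code, not from the thread, the paper or the scrypt implementation), here is a toy ROMix, scrypt's memory-hard core, with SHA-256 standing in for BlockMix and a counter that sums the stored block count over every hash step, i.e. cumulative memory complexity. The checkpoint-every-k variant is the classic scrypt time-memory tradeoff: storing fewer V blocks lowers the cumulative cost only by a constant factor while the output stays identical, which is what makes cumulative memory the right metric rather than peak memory. The function names, the seed and the small n are constructed for the example.

```python
import hashlib

def h(block: bytes) -> bytes:
    """Stand-in for scrypt's BlockMix: one SHA-256 call per step."""
    return hashlib.sha256(block).digest()

def integerify(block: bytes, n: int) -> int:
    """Data-dependent index into V, as ROMix's Integerify mod N."""
    return int.from_bytes(block[:4], "little") % n

def romix_cmc(seed: bytes, n: int, keep_every: int = 1):
    """Toy ROMix with an optional checkpointing time-memory tradeoff.

    Only every keep_every-th V block is stored; the others are recomputed
    from the preceding checkpoint when the mix phase needs them.
    Returns (output, cumulative memory complexity, hash steps), where the
    cumulative memory complexity sums the number of stored blocks over
    every hash step (the memory*time cost, in block-steps).
    """
    stored = {}
    x, steps, cmc = seed, 0, 0

    def step(v: bytes) -> bytes:
        nonlocal steps, cmc
        steps += 1
        cmc += len(stored)   # memory held during this step
        return h(v)

    # Fill phase: V[i] = H^i(seed), keeping only checkpoints.
    for i in range(n):
        if i % keep_every == 0:
            stored[i] = x
        x = step(x)
    # Mix phase: n data-dependent lookups; recompute from the checkpoint.
    for _ in range(n):
        j = integerify(x, n)
        base = j - j % keep_every
        v = stored[base]
        for _ in range(j - base):
            v = step(v)
        x = step(bytes(a ^ b for a, b in zip(x, v)))
    return x, cmc, steps

def tradeoff_table(seed: bytes = b"constructed seed", n: int = 256):
    """Rows of (keep_every, output, cmc, steps); every row has the same output."""
    return [(k,) + romix_cmc(seed, n, k) for k in (1, 2, 4, 8)]
```

With full storage the fill phase costs about n^2/2 and the mix phase n^2 block-steps, so the cumulative cost scales as n^2 as the thread describes; checkpointing halves the memory but roughly halves the saving again through recomputation.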