IETF Logo Mail Archive

Re: [Cfrg] Balloon-Hashing or Argon2i.

Henry Corrigan-Gibbs <henrycg@stanford.edu> Tue, 31 May 2016 15:57 UTC

Return-Path: <henrycg@stanford.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63A3C12D610 for <cfrg@ietfa.amsl.com>; Tue, 31 May 2016 08:57:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.867
X-Spam-Level:
X-Spam-Status: No, score=-4.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_NEUTRAL=0.779] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GOKLM2fGHM5B for <cfrg@ietfa.amsl.com>; Tue, 31 May 2016 08:57:27 -0700 (PDT)
Received: from smtp1.cs.Stanford.EDU (smtp1.cs.stanford.edu [171.64.64.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12A0F12D60C for <cfrg@irtf.org>; Tue, 31 May 2016 08:57:27 -0700 (PDT)
Received: from dn0a22947f.sunet ([10.34.148.127]:59461) by smtp1.cs.Stanford.EDU with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84_2) (envelope-from <henrycg@stanford.edu>) id 1b7m2n-0004uB-KN; Tue, 31 May 2016 08:57:26 -0700
To: Dmitry Khovratovich <khovratovich@gmail.com>
References: <574601EF.60205@ist.ac.at> <574C7E2B.5080700@stanford.edu> <CALW8-7+D6BSzE4ufubZys=6ECn7GUvRQA2CDxKAANgvvOwddqQ@mail.gmail.com>
From: Henry Corrigan-Gibbs <henrycg@stanford.edu>
Message-ID: <1cd036cd-e15b-7f9c-c3d5-28f6e2ef4c2b@stanford.edu>
Date: Tue, 31 May 2016 08:57:24 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.0
MIME-Version: 1.0
In-Reply-To: <CALW8-7+D6BSzE4ufubZys=6ECn7GUvRQA2CDxKAANgvvOwddqQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Scan-Signature: 3c26e552a1044023835a40b863ebedfd
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/BSkjLv2Fk0rSqdX7GaE-XPS8eAo>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Balloon-Hashing or Argon2i.
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 May 2016 15:57:29 -0000

Hi Dmity,

Thanks for taking a look at the paper.

For the purposes of the security proofs, we model the cryptographic 
compression function used in Argon2, Balloon, and scrypt, as a random 
oracle (as is standard). In practice, it is possible to instantiate 
Argon2i or Balloon or scrypt with any cryptographic compression function 
that "behaves like a random oracle." We are agnostic to the choice of 
cryptographic compression function -- we just evaluated our design with 
a few standard ones.

My sense is that Balloon (instantiated with parameter delta=3) and 
Argon2i will run at roughly the same speed, no matter the choice of 
cryptographic compression function. That's because three-pass Argon2i on 
N blocks of memory makes roughly 3N calls to the underlying compression 
function during its execution. Two-round Balloon (the equivalent 
construction, since it makes three passes over memory) makes roughly 7N 
calls to the underlying compression function during its execution.

However, the known attacks on three-pass Argon2i allow the attacker to 
use roughly 2.5x less space than the defender with no time penalty, so 
to force the attacker to use N blocks of space requires the defender to 
run Argon2i with a ~2.5x larger memory buffer (i.e., a buffer of N' = 
2.5N blocks). In this setting, both functions would require ~7N 
invocations of the underlying cryptographic compression function, so the 
performance should be roughly equivalent for the two.

Changing the underlying cryptographic compression function will change 
the absolute performance of both Argon2i and Balloon, but I would expect 
their relative performance to stay close to constant. Indeed, if I 
instantiate Argon2i and Balloon with the compression function defined in 
the Argon2 spec, then I get, on an Intel i7-6700 @ 3.4 GHz:
   Argon2i (2.5 MB buffer): 153 hashes/sec
   Balloon (1.0 MB buffer): 167 hashes/sec

The surprise to us is that getting this sort of performance with Balloon 
is still possible, even though we are able to prove some meaningful 
statements about its security. (Of course, the Alwen-Blocki attacks 
still apply for large enough parameter sizes.)

Henry


On 5/31/16 7:02 AM, Dmitry Khovratovich wrote:
> Dear Henry,
>
> thank you for the updated paper.
>
> We appreciate your work on lower-bounding the Argon2i tradeoff
> resistance, it is a very interesting result, and we hope to mention it
> in the specification. However for your proof to work you instantiate
> Argon2  with a collision resistant hash function. During the competition
> it became clear that collision-resistance of the inner function is not
> needed in practice, since the attacker does not control intermediate
> variables. It is similar to the situation with block-ciphers like AES
> where a single round is cryptographically weak, though you might want it
> to be a keyed PRP for the sake of a proof. Worse enough, a full-round
> hash function with a narrow block implies more frequent random memory
> access and more CPU load, which together make a terrible impact on the
> performance. That's why we never defined Argon2 for such hash functions,
> and recommend not calling such modifications "Argon2".
>
> This observation and possibly use of your own code for Argon2 causes
>  performance comparison of your Balloon Hash design with Argon2i and
> other designs to be incorrect.
>
> in the introduction you write
> "if we ... run the construction for five “rounds” of hashing, and set
> the space parameter to require the attacker to use 1 MiB of working
> space to compute the function, then we can compute Balloon Hashes at the
> rate of 13 hashes per second on a modern server, compared with 12.8 for
> Argon2i, and 2.1 for Catena DBG".
>
> This statement underestimates the Argon2i performance by the factor of
> 30 (!) or so.
>
> In detail. Argon2i makes much more than 13 hashes per second using 5
> iterations and 1 MiB of memory. On my 2-core 2.3 GHz (i5-6200) laptop
>  it computes 1000 hashes in 5.1-5.3 Gigacycles, thus averaging more than
> 400 hashes per second. I modified our benchmark settings for that, but
> even with default ones (3 iterations, 1 hash) everyone can observe
> similar performance by running 'make bench' +'./bench' using the source
> in https://github.com/P-H-C/phc-winner-argon2
>
> In the further text you write
> "Let an authentication server must perform 100 hashes per second per
> four-core machine, ... At the same authentication rate, Argon2i requires
> the attacker to use a smaller buffer—roughly 1.5 MiB for the one-pass
> variant".
>
> This is again incorrect. Here are the numbers for 1-pass Argon2i: 2MiB:
> 225Mcycles, 16MiB: 1174 Mcycles, 32 MiB: 2532 Mcycles (a bit more than 1
> second).
>
> So there is a factor of 20 underestimate here. (We also remind that
> 1-pass Argon2i was never  recommended for practical use.)
>
> Best regards,
> the Argon2 team
>
> On Mon, May 30, 2016 at 7:53 PM, Henry Corrigan-Gibbs
> <henrycg@stanford.edu <mailto:henrycg@stanford.edu>> wrote:
>
>     Hi Joel,
>
>     Since I am one of the designers of the Balloon Hashing algorithm, it
>     would be difficult for me to give an unbiased opinion on the pros
>     and cons of Argon2i versus Balloon.
>
>     That said, we just updated the Balloon Hashing paper on ePrint:
>     http://eprint.iacr.org/2016/027
>
>     The revised paper includes some new results that might be relevant
>     to CFRG discussions on password hashing. Let me summarize the new
>     results here:
>
>
>     (1) We prove (in the single-instance, random-oracle model) a new,
>     stronger memory-hardness claim about the Balloon algorithm. We show
>     that computing one instance of the Balloon function with space S and
>     time T requires a space-time product that (roughly) satisfies:
>     S . T >= n^2 / 8.
>     As the adversary's space usage drops below a certain threshold
>     (which depends on the parameter settings) the trade-off gets even
>     worse for the adversary.
>
>
>     (2) We refine the analysis of the single-buffer Balloon algorithm,
>     and the refined analysis allows us to dramatically improve the
>     parameters of the scheme. After this change, the performance of the
>     single-buffer Balloon function *meets or exceeds* that of Argon2i
>     when we instantiate both with Blake2b as the underlying
>     cryptographic hash function. (Consult the paper for the details on
>     this.) The single-buffer Balloon algorithm runs so quickly now that
>     we decided that the other two Balloon variants (double-buffer and
>     linear) were superfluous. The revised paper includes only the
>     single-buffer scheme, which we now just call the "Balloon algorithm".
>
>
>     (3) We discuss your (very cool) recent paper on parallel attacks on
>     iMHFs and give some ideas on how to ameliorate them in the context
>     of password hashing. Our recommendation is to follow Balloon Hashing
>     with one round of scrypt (or even data-dependent Balloon). This
>     composition apparently defends against either parallel attacks or
>     cache attacks -- just not both at the same time. The design of the
>     Argon2id function uses a similar idea. To us, this seems like a nice
>     compromise between functionality and security.
>
>
>     (4) We apply our analysis techniques to prove that Argon2i and a
>     simplified variant of scrypt are also memory-hard, though with
>     looser constants than one might like. We show that these two
>     algorithms (again, in the single-instance random-oracle model)
>     require space S and time T such that:
>     S . T >= n^2 / C
>     to compute with good probability. For Argon2i, we can prove this
>     statement for C=192, and for scrypt with C=24. In contrast, we prove
>     the claim with C=8 for Balloon, and we additionally prove much
>     stronger time-space trade-offs for Balloon for very-small-space
>     adversaries. From a "provable security" perspective then, Balloon
>     seems to have an edge over the other practical constructions out there.
>
>
>     If you find bugs or omissions in the ePrint draft, please let me know.
>
>     Henry
>
>
>
>     On 05/25/2016 12:50 PM, Joel Alwen wrote:
>
>         I was wondering what peoples opinion is on standardizing the
>         double-buffer balloon hashing (DB) construction rather than Argon2i.
>         Both in terms of arguments for and against.
>
>         I'm sure other people have thought about this much more though
>         so I'd
>         love to hear what people think...
>
>         - Joel
>
>         _______________________________________________
>         Cfrg mailing list
>         Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>         https://www.irtf.org/mailman/listinfo/cfrg
>
>
>     _______________________________________________
>     Cfrg mailing list
>     Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>     https://www.irtf.org/mailman/listinfo/cfrg
>
>
>
>
> --
> Best regards,
> Dmitry Khovratovich

v2.23.0 | Report a Bug | By Email