Re: [Cfrg] Memory-efficient evaluation of data-independent memory-hard functions
Bill Cox <waywardgeek@gmail.com> Tue, 16 February 2016 19:42 UTC
Return-Path: <waywardgeek@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EC851B2A10 for <cfrg@ietfa.amsl.com>; Tue, 16 Feb 2016 11:42:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.5
X-Spam-Level:
X-Spam-Status: No, score=0.5 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_64=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J-OXh0ff13RJ for <cfrg@ietfa.amsl.com>; Tue, 16 Feb 2016 11:42:34 -0800 (PST)
Received: from mail-ob0-x232.google.com (mail-ob0-x232.google.com [IPv6:2607:f8b0:4003:c01::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6C361ACDBD for <cfrg@irtf.org>; Tue, 16 Feb 2016 11:42:34 -0800 (PST)
Received: by mail-ob0-x232.google.com with SMTP id xk3so273863216obc.2 for <cfrg@irtf.org>; Tue, 16 Feb 2016 11:42:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=05lauxIre9t8pYg270iRx7ADaclgl+xitOXknXxXcgo=; b=tsK5cuM0eTkM4NVFXZ3Az88n12QGWOIHU7SRSnaoHkOl6i5+2vMnBh0AYQu/bIy4Mt 96zsrFeUfnx9/wYy9pLaDImebmLEuUEEUBkhEy+Is7H7ZD/GEDhikla9e+OqYKdTVuvf qAGxZOFKGxnBA3zQtpdsB87B1++mr1l5+KCXHoxdnh26J+LeH9JywMpIWZARDoOLod1J krORlJcNeYus03eCGrQUhIoMW4J/O14Op1IAswJkMJegjQhsu0aCJH11ztTHdkd1tiXF Mb4ISofT4odnoGWD74tarkKlOMofidDV8fYVKYY/ytJz/UgrWOO+nvotswM3epJYIRZN DsBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=05lauxIre9t8pYg270iRx7ADaclgl+xitOXknXxXcgo=; b=LHOCrRLIE0wkZClX2hTmqNyrOVo3qjorMkNlLfM42fm4MxsspOdsEkK81v5X+up42l kb4bn7IlMFBmJ08imhR9DZHGjxK1K+x04Brvvjssty+hDRc3g9MxBHRaX1WPA4yGSRyt fqC81HIDmOUUyHJ+8yV65ppyvRGJHsKWWSx/P9aSa94bnuY+UB8g4FQLU7xPkNGGl6kG TI9FKoH9O/27cSOom//36XEc2MKRDnb6Xj2QgrFOAwZUFpAPpicz3PiIPYejz4aV7LL5 SPVZercKFlCddPNfUHNagCj5XpgGqs4yQCKZJisxpjUGb++bEnm1TApznd8huH2Y0wOs NrVg==
X-Gm-Message-State: AG10YORjMafsFlbuQh5VkWvlYl8F9ypgIKJkvv3Q3z4VrJdSvlwEmfzDeXz4XqdH1eWxAvKoeOi6czseQNkykQ==
MIME-Version: 1.0
X-Received: by 10.202.95.68 with SMTP id t65mr16949235oib.7.1455651754049; Tue, 16 Feb 2016 11:42:34 -0800 (PST)
Received: by 10.60.29.196 with HTTP; Tue, 16 Feb 2016 11:42:33 -0800 (PST)
In-Reply-To: <56C1F773.6030504@ist.ac.at>
References: <56BE045F.4060103@ist.ac.at> <CAKDPBw_0g=wLTpCpDWut63UBsxq6wwuVSx8OT0Ke7GK6Kd-Xig@mail.gmail.com> <CAOLP8p4X4Xhm1Nix0DC7bfrjmmAK1YfYM7tZb=8tcY0P2GQE3A@mail.gmail.com> <56C1F773.6030504@ist.ac.at>
Date: Tue, 16 Feb 2016 11:42:33 -0800
Message-ID: <CAOLP8p6LBobLv5vw7dw1vTyg08L7Cg0BusN93VtA+xQp6q7aVQ@mail.gmail.com>
From: Bill Cox <waywardgeek@gmail.com>
To: Joel Alwen <jalwen@ist.ac.at>
Content-Type: multipart/alternative; boundary="001a113cdb14b78b59052be85523"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/JJUuLnIVimhuALG3FwDkbBGlxgg>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Memory-efficient evaluation of data-independent memory-hard functions
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Feb 2016 19:42:37 -0000
I think the CFRG should feel free to move forward with Agon2i and Argon2d, once the authors address the recent TMTO against Argon2i. You have convinced me that bringing up alternatives like Argon2id muddies the waters, and should be avoided for now. On Mon, Feb 15, 2016 at 8:06 AM, Joel Alwen <jalwen@ist.ac.at> wrote: > > I would stick to Argon2id, which offers some protection against > > certain cache-timing attacks, but still leaks meta-data such as > > whether or not the user who is authenticating has been seen before. > > Which type of timing attacks does Argon2id protect against? (Is there > any where I can read more about timing attacks on Argon2 or other > dynamic MHFs?) I think the recent paper on Scrypt <http://eprint.iacr.org/2016/100.pdf> is applicable to both Argon2d and Argon2id in terms of off-line defense without side-channel data. AFAIK, there has been no formal analysis of hybrid-MHFs like Argon2id. > > > AFAIK, Argon2id has the same memory*time defense as Argon2d, so it > > seems like a no-brainer to use Argon2id rather than Argon2d, IMO. > > I think for the same memory-cost parameter and passes over memory > Argon2d would actually be (at least somewhat) more memory-hard than > Argon2id. In particular the first pass over memory of Argon2id would > still be susceptible to the Argon2i TMTO attack. So "Argon2d level > security" only holds for subsequent passes. In contrast for Argon2d it > holds from the get-go. > Actually, with t=1, Argon2id fills the first half of memory in a side-channel resistant manner, and the second half in an unpredictable data-dependent manner. The CC metric when attacking Argon2id would be somewhat lower than Argon2d, since less memory could be used in the first 1/2 of memory, but the difference is a small constant factor, since the second half of memory is required just the same as Argon2d. There is a trade-off here. The more passes over memory the smaller the > security gap between Argon2id and Argon2d. However this also decreases > any added cache-timing attack resistance Argon2id has over Argon2d. > Moreover it makes the MHF less efficient in terms of > memory-hardness/computational-cost. > I agree. Generally I prefer a single-pass algorithm when using data-dependent MHFs, though Yescrypt has an interesting mode where only a partial second pass is done. > Put differently for memory-cost m and number of passes t the runtime > (i.e. computational cost) is about m*t. But the cumulative memory > complexity is (ideally) m^2*t. So to maximise > memory-hardness/computational-cost we really want t=1. In most applications, I agree t should be 1 for data-dependent MHFs. > However if t=1 > then Argon2id collapses to Argon2i This isn't quite right, since both iMHF and dMHF are done in one pass. > so we would only get about m^{7/4} > memory-hardness. In contrast, with Argon2d I believe we would get much > closer to m^2 memory-hardness. > I agree. In particular, I would be surprised to hear that someone finds an attack on 1-pass Argon2d or Argon2id that is better than O(m^2) CC complexity. Lowering memory by more than about 8X results in having to recompute a significant fraction of all prior memory for each new block computed, so I do not see how to avoid O(m^2) memory*time. > So basically I would only recommend Argon2id over Argon2d for > applications that are willing to tolerate a low through-put MHF. > > TBH, I don't yet see a great solution when timing-attacks are a concern > but we also want large memory-hardness for minimal computation. > > - Joel > There is clearly still work to be done here. I have yet to see a compelling iMHF that combines both high TMTO resistance and high performance. However, I would be surprised to see more than a constant factor improvement vs Argon2i, assuming it is changed to XOR over memory in later passes. I wrote an automated pebbler <https://github.com/waywardgeek/twocats/tree/master/tools/pebble> to guesstimate the hardness of the different iMHFs. It might be due to flaws in my pebbling algorithm, but Gambit's simple memory access pattern worked best to defeat my pebbler, and it already XORs over memory. I would swap out the Keccak sponge for the much faster one used in Lyra2, but once that's done, Gambit seems both simple and resistant to TMTOs, though I have no proof of it's superior resistance. It seems like a good algorithm, but I would not recommend it without more analysis that has been done to date. Bill
- [Cfrg] Memory-efficient evaluation of data-indepe… Joel Alwen
- Re: [Cfrg] Memory-efficient evaluation of data-in… Paul Grubbs
- Re: [Cfrg] Memory-efficient evaluation of data-in… Bill Cox
- Re: [Cfrg] Memory-efficient evaluation of data-in… Joel Alwen
- Re: [Cfrg] Memory-efficient evaluation of data-in… Bill Cox