Re: [Cfrg] [MASSMAIL]Re: adopting Argon2 as a CFRG document
Joel Alwen <jalwen@ist.ac.at> Tue, 31 May 2016 10:00 UTC
To: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>, Dmitry Khovratovich <khovratovich@gmail.com>, cfrg@irtf.org, Alex Biryukov - UNI <alex.biryukov@uni.lu>, Daniel Dinu <dumitru-daniel.dinu@uni.lu>
References: <CALW8-7JZZuWszw+Zj0CWHp79wXeQ2JxvKHT0Bpiwv3hz=m493A@mail.gmail.com> <CALW8-7Js5_sAJ+4ZVg4Hg2iLH41c6aunQMHLH=M+n=neCR0UXw@mail.gmail.com> <57460090.9040901@ist.ac.at> <CAGiyFdcHxUsWeW-hrNpyaJfgK8WZzy=Mbbkc+cr=ht8tgb3CTQ@mail.gmail.com>
From: Joel Alwen <jalwen@ist.ac.at>
Message-ID: <574D60C5.80309@ist.ac.at>
Date: Tue, 31 May 2016 12:00:37 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Lsqu5fUDG8CqO7YtkuXCiAXNU1U>
> Furthermore, my understanding is that the Alwen-Blocki attack on
> Argon2i isn't more efficient than attacks already documented, as
> discussed in 5.6 in
> https://www.cryptolux.org/images/0/0d/Argon2.pdf. So I don't see
> these new results as a showstopper.

Actually the Alwen-Blocki is more efficient than other known attacks both
in terms of asymptotic and exact constants for interesting parameter
ranges. This is already true for the worst case analysis in the paper.
(See my earlier email in this thread for references on this.) Moreover
there is good reason to believe that it will behave far better in practice
and that it can also be further improved.

To be clear: I am neither advocating for nor against Argon2i (or any other
algorithm). My intention at this point is to clarify what is actually known
about Argon2i.

As to why I responded positively to Kenny's question about having a new PHC
*in an ideal world*; the reason is that recent results both in terms of
attacks and security proofs all point towards a new desirable property of
an iMHF. That is the underlying DAG of the iMHF should have a specific
combinatoric property (called depth-robustness). Not only is being
depth-robust necessary to avoid the AB16 attack, it also allows us to make
provable security type statements. However constructing the most efficient
& simple such graphs is not a trivial task, especially not ones which
result in the strongest possible provable security statements. As such, a
concerted effort to produce the best such graph combined with other
properties we have learned about in the previous PHC would likely result in
a significantly improved iMHF compared to everything we currently have
available. Of course we may not want to wait for this, nor spend the energy
on it. My reasoning and response were mindful of the "in an ideal world"
part of the question.

- joel

> On Wed, May 25, 2016 at 9:44 PM Joel Alwen <jalwen@ist.ac.at
> <mailto:jalwen@ist.ac.at>> wrote:
>
>> 3. The best attacks on Argon2, published in the original design
>> document in early 2015, have factor 1.3 for Argon2d and factor 3
>> for Argon2i.
>>
>> 4. The best attack found by Alwen and Blocki has factor 2 for
>> Argon2i.
>>
>> 5. In a bit more detail, the advantage of the Alwen-Blocki attack
>> is upper bounded by (M^{1/4})/36, where M is the number of
>> kilobytes used by Argon2i. Thus the attack has factor 2 with
>> memory up to 16 GB, and less than 1 for memory up to 1 GB. Details
>> in Section 5.6 of https://www.cryptolux.org/images/0/0d/Argon2.pdf
>
> I believe the results of Alwen-Blocki (AB16) actually show that at
> least 6 passes over memory are required for the above suggested
> parameters.
> - See Corollary 5.6 in [1]
> - See Figure 1(a) in [1] and paragraph titled "Parameter Optimization"
>
> [1] https://eprint.iacr.org/2016/115
>
> Moreover, I think it important to note that the analysis of the
> attack complexity in [1] is very "worst case" in several ways and
> that this leaves room for significant improvements in practice.
> And of course the analysis was not optimized for concrete parameters
> such as those mentioned above.
>
> Basically I think there are several good reasons to believe that 6
> passes over memory are also not sufficient to avoid the attack.
>
> - Joel
>
> On 05/21/2016 04:38 AM, Dmitry Khovratovich wrote:
>> Some clarifications due to the increased attention to the paper by
>> Alwen and Blocki, which has been presented at the recent Eurocrypt
>> CFRG meeting.
>>
>> 1. One of the security parameters of memory-hard password hashing
>> functions is how much an ASIC attacker can reduce the area-time
>> product (AT) of a password cracker implemented on ASIC. The AT is
>> conjectured to be proportional to the amortized cracking cost per
>> password.
>>
>> 2. The memory-hard functions with input-independent memory access
>> (such as Argon2i) have been known for their relatively larger
>> AT-reduction factor compared to functions with input-dependent
>> memory access (such as Argon2d). To mitigate this, the minimum of
>> 3 passes over memory for Argon2i was set.
>>
>> 3. The best attacks on Argon2, published in the original design
>> document in early 2015, have factor 1.3 for Argon2d and factor 3
>> for Argon2i.
>>
>> 4. The best attack found by Alwen and Blocki has factor 2 for
>> Argon2i.
>>
>> 5. In a bit more detail, the advantage of the Alwen-Blocki attack
>> is upper bounded by (M^{1/4})/36, where M is the number of
>> kilobytes used by Argon2i. Thus the attack has factor 2 with
>> memory up to 16 GB, and less than 1 for memory up to 1 GB. Details
>> in Section 5.6 of https://www.cryptolux.org/images/0/0d/Argon2.pdf
>>
>> Best regards,
>> Argon2 team
>>
>> On Mon, Feb 1, 2016 at 10:06 PM, Dmitry Khovratovich
>> <khovratovich@gmail.com <mailto:khovratovich@gmail.com>> wrote:
>>
>> Dear all,
>>
>> as explained in a recent email
>> http://article.gmane.org/gmane.comp.security.phc/3606 , we are
>> fully aware of the analysis of Argon2i made by Corrigan-Gibbs et
>> al., we know how to mitigate the demonstrated effect, and have
>> already made some benchmarks on the patch.
>>
>> Soon after the Crypto deadline (Feb-9) we will develop a new
>> release including code, rationale, and test vectors.
>>
>> --
>> Best regards,
>> the Argon2 team.
>>
>> --
>> Best regards,
>> Dmitry Khovratovich
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>> https://www.irtf.org/mailman/listinfo/cfrg
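As an added illustration of the depth-robustness property the message refers to (example code written for this page, not the authors' or the Argon2 project's): a DAG is (e, d)-depth-robust if deleting any e nodes still leaves a directed path of at least d nodes. The two toy graphs are constructed here and are not the Argon2i indexing graph, and the exhaustive search over deletion sets is only feasible for tiny graphs.

```python
import itertools


def longest_remaining_path(parents, removed):
    """Nodes on the longest directed path once the nodes in `removed` are gone.

    parents[v] lists the lower-numbered nodes v depends on, so 0..n-1 is a
    topological order and one forward sweep computes every depth.
    """
    depth = [0] * len(parents)
    best = 0
    for v, ps in enumerate(parents):
        if v in removed:
            continue  # a deleted node contributes no path length
        depth[v] = 1 + max((depth[p] for p in ps if p not in removed), default=0)
        best = max(best, depth[v])
    return best


def min_depth_after_removing(parents, e):
    """Worst case over ALL size-e deletion sets (exponential; toy sizes only)."""
    nodes = range(len(parents))
    return min(longest_remaining_path(parents, set(s))
               for s in itertools.combinations(nodes, e))


def is_depth_robust(parents, e, d):
    """True iff deleting any e nodes still leaves a path of at least d nodes."""
    return min_depth_after_removing(parents, e) >= d


def line_graph(n):
    """Constructed toy DAG: node v depends only on v-1."""
    return [[v - 1] if v > 0 else [] for v in range(n)]


def chain_with_skips(n):
    """Constructed toy DAG: node v depends on v-1 and v-2 (one extra edge)."""
    return [[p for p in (v - 1, v - 2) if p >= 0] for v in range(n)]


if __name__ == "__main__":
    # Deleting one well-chosen node halves the plain chain, while the graph
    # with skip edges still keeps an (n-1)-node path for the same deletion.
    for name, g in (("line", line_graph(6)), ("skips", chain_with_skips(6))):
        for e in (1, 2):
            print(f"{name}: delete {e} -> longest surviving path has "
                  f"{min_depth_after_removing(g, e)} nodes")
```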