Re: [Cfrg] [MASSMAIL]Re: adopting Argon2 as a CFRG document

Joel Alwen <jalwen@ist.ac.at> Tue, 31 May 2016 10:00 UTC

To: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>, Dmitry Khovratovich <khovratovich@gmail.com>, cfrg@irtf.org, Alex Biryukov - UNI <alex.biryukov@uni.lu>, Daniel Dinu <dumitru-daniel.dinu@uni.lu>
From: Joel Alwen <jalwen@ist.ac.at>
Message-ID: <574D60C5.80309@ist.ac.at>
Date: Tue, 31 May 2016 12:00:37 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Lsqu5fUDG8CqO7YtkuXCiAXNU1U>

> Furthermore, my understanding is that the Alwen-Blocki attack on 
> Argon2i isn't more efficient than attacks already documented, as 
> discussed in 5.6 in
> https://www.cryptolux.org/images/0/0d/Argon2.pdf. So I don't see
> these new results as a showstopper.

Actually the Alwen-Blocki attack is more efficient than other known attacks
both in terms of asymptotics and exact constants for interesting
parameter ranges. This is already true for the worst case analysis in
the paper. (See my earlier email in this thread for references on
this.) Moreover, there is good reason to believe that it will behave far
better in practice and that it can also be further improved.

To be clear: I am neither advocating for nor against Argon2i (or any
other algorithm). My intention at this point is to clarify what is
actually known about Argon2i.


As to why I responded positively to Kenny's question about having a new
PHC *in an ideal world*: the reason is that recent results both in terms
of attacks and security proofs all point towards a new desirable
property of an iMHF. That is, the underlying DAG of the iMHF should have
a specific combinatoric property (called depth-robustness). Not only is
being depth-robust necessary to avoid the AB16 attack, it also allows us
to make provable security type statements. However, constructing the most
efficient & simple such graphs is not a trivial task, especially not
ones which result in the strongest possible provable security
statements. As such, a concerted effort to produce the best such graph
combined with other properties we have learned about in the previous PHC
would likely result in a significantly improved iMHF compared to
everything we currently have available. Of course we may not want to
wait for this, nor spend the energy on it. My reasoning and response
were mindful of the "in an ideal world" part of the question.

- joel

> On Wed, May 25, 2016 at 9:44 PM Joel Alwen <jalwen@ist.ac.at> wrote:
> 
> 
>> 3. The best attacks on Argon2, published in the original design 
>> document in early 2015, have factor 1.3 for Argon2d and factor 3 
>> for Argon2i.
>> 
>> 4. The best attack found by Alwen and Blocki has factor 2 for 
>> Argon2i.
>> 
>> 5. In a bit more detail, the advantage of the Alwen-Blocki attack
>> is upper bounded by (M^{1/4})/36, where M is the number of
>> kilobytes used by Argon2i. Thus the attack has factor 2 with
>> memory up to 16 GB, and less than 1 for memory up to 1 GB. Details
>> in Section 5.6 of https://www.cryptolux.org/images/0/0d/Argon2.pdf
> 
> I believe the results of Alwen-Blocki (AB16) actually show that at
> least 6 passes over memory are required for the above suggested
> parameters.
> - See Corollary 5.6 in [1]
> - See Figure 1(a) in [1] and paragraph titled "Parameter Optimization"
> 
> [1] https://eprint.iacr.org/2016/115
> 
> Moreover, I think it important to note that the analysis of the
> attack complexity in [1] is very "worst case" in several ways and
> that this leaves room for significant improvements in practice.
> And of course the analysis was not optimized for concrete parameters
> such as those mentioned above.
> 
> Basically I think there are several good reasons to believe that 6 
> passes over memory are also not sufficient to avoid the attack.
> 
> - Joel
> 
> 
> 
> 
> On 05/21/2016 04:38 AM, Dmitry Khovratovich wrote:
>> Some clarifications due to the increased attention to the paper by
>> Alwen and Blocki, which has been presented at the recent Eurocrypt
>> CFRG meeting.
>> 
>> 1. One of the security parameters of memory-hard password hashing
>> functions is how much an ASIC attacker can reduce the area-time
>> product (AT) of a password cracker implemented on ASIC. The AT is
>> conjectured to be proportional to the amortized cracking cost per
>> password.
>> 
>> 2. The memory-hard functions with input-independent memory access
>> (such as Argon2i) have been known for their relatively larger
>> AT-reduction factor compared to functions with input-dependent
>> memory access (such as Argon2d). To mitigate this, the minimum of
>> 3 passes over memory for Argon2i was set.
>> 
>> 3. The best attacks on Argon2, published in the original design 
>> document in early 2015, have factor 1.3 for Argon2d and factor 3 
>> for Argon2i.
>> 
>> 4. The best attack found by Alwen and Blocki has factor 2 for 
>> Argon2i.
>> 
>> 5. In a bit more detail, the advantage of the Alwen-Blocki attack
>> is upper bounded by (M^{1/4})/36, where M is the number of
>> kilobytes used by Argon2i. Thus the attack has factor 2 with
>> memory up to 16 GB, and less than 1 for memory up to 1 GB. Details
>> in Section 5.6 of https://www.cryptolux.org/images/0/0d/Argon2.pdf
>> 
>> Best regards, Argon2 team
>> 
>> On Mon, Feb 1, 2016 at 10:06 PM, Dmitry Khovratovich
>> <khovratovich@gmail.com> wrote:
>> 
>> Dear all,
>> 
>> as explained in a recent email
>> http://article.gmane.org/gmane.comp.security.phc/3606, we are
>> fully aware of the analysis of Argon2i made by Corrigan-Gibbs et
>> al., we know how to mitigate the demonstrated effect, and have
>> already made some benchmarks on the patch.
>> 
>> Soon after the Crypto deadline (Feb-9) we will develop a new 
>> release including code, rationale, and test vectors.
>> 
>> -- Best regards, the Argon2 team.
>> 
>> 
>> 
>> 
>> -- Best regards, Dmitry Khovratovich
>> 
>> 
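The bound quoted in item 5 of the Argon2 team's message, (M^{1/4})/36 with M in kilobytes, evaluated as an added example (this is not code from the thread or from the Argon2 project): it re-checks the two memory figures stated there and, going one step further, inverts the bound to find the memory at which it would reach factors 1, 2 and the factor-3 attack mentioned in item 3. It assumes 1 kilobyte = 1024 bytes, which the thread does not specify.

```python
def ab16_factor_bound(memory_kib: float) -> float:
    """Worst-case AT-reduction factor of the Alwen-Blocki attack on
    Argon2i, using the bound M^(1/4)/36 quoted in the thread.
    M is in kilobytes; this example assumes 1 kilobyte = 1024 bytes."""
    if memory_kib <= 0:
        raise ValueError("memory must be positive")
    return memory_kib ** 0.25 / 36


def memory_kib_for_factor(factor: float) -> float:
    """Inverse of the bound: the memory M (in KiB) at which
    M^(1/4)/36 reaches the given factor, i.e. M = (36 * factor)^4."""
    if factor <= 0:
        raise ValueError("factor must be positive")
    return (36 * factor) ** 4


def gib_to_kib(gib: float) -> float:
    return gib * 1024 * 1024


def kib_to_gib(kib: float) -> float:
    return kib / (1024 * 1024)


def check_thread_claims() -> dict:
    """Re-check the two numeric claims in item 5: the bound is below
    factor 2 at 16 GB and below factor 1 at 1 GB of memory."""
    return {
        "below_2_at_16GB": ab16_factor_bound(gib_to_kib(16)) < 2,
        "below_1_at_1GB": ab16_factor_bound(gib_to_kib(1)) < 1,
    }


if __name__ == "__main__":
    # Bound as a function of memory, for a few sizes (constructed inputs).
    for gib in (0.25, 1, 4, 16, 64, 256):
        print(f"{gib:7.2f} GiB -> bound {ab16_factor_bound(gib_to_kib(gib)):.3f}")
    # Memory at which the bound reaches factor 1, factor 2, and the
    # factor-3 attack from the original design document (item 3).
    for target in (1.0, 2.0, 3.0):
        gib = kib_to_gib(memory_kib_for_factor(target))
        print(f"bound reaches factor {target}: at {gib:.2f} GiB")
    print(check_thread_claims())
```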