Re: [Cfrg] Balloon-Hashing or Argon2i.

Stefano Tessaro <tessaro@cs.ucsb.edu> Mon, 15 August 2016 06:17 UTC

In-Reply-To: <CAGiyFdf3aZ7neHfptnha47FfucKXWJrbTziTWBHAhR0o-C4Bcg@mail.gmail.com>
References: <CAMgMiWcWts5LWsLD2bW8s1g1M0ZkRRc_PO-z2iE-iEoeTMAFRA@mail.gmail.com> <CAGiyFdf3aZ7neHfptnha47FfucKXWJrbTziTWBHAhR0o-C4Bcg@mail.gmail.com>
From: Stefano Tessaro <tessaro@cs.ucsb.edu>
Date: Sun, 14 Aug 2016 23:17:53 -0700
Message-ID: <CAEB_pdfpOji2KhkFYrFJCpmYirspSdfXvuX2Jfy+8vRcDhDEEQ@mail.gmail.com>
To: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/NcUttT-V4eb-rP2Bj6QfuGOtBUs>
Cc: krzysztof pietrzak <krzpie@gmail.com>, cfrg@irtf.org
Subject: Re: [Cfrg] Balloon-Hashing or Argon2i.
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Hi Jean-Philippe,

> In the same spirit, I've often heard members of the theoretical crypto
> community arguing "I don't understand why AES is used, there's no security
> proof and it's only heuristical security." Well then.

I don't want to be nitpicking too much, but this is different. There
may be no security proofs for AES, but there are well-defined security
notions (concrete, not asymptotic) for which AES is not broken, and
these notions are pleasing both for applied and (practice-oriented)
theoretical cryptographers. One should probably differentiate between
different types of theoretical cryptographers --many of us here on
CFRG are completely comfortable with assuming AES satisfies a wide
range of properties.

Rather, an analogous situation to the AB16 attacks in this context
would be if we (hypothetically, for the sake of example) had a
O(2^{3/4n}) key-recovery attack against a generalized parameterized
version of AES with key and block length n, and we were debating
whether the hidden constant is smaller than 2^{40} for n = 128 on a
realistic real-world parallel architecture. It is not the type of
question with an easy answer.

Concretely, for memory hardness, I think there are two questions:

= Are the metrics in the [AB16] attacks realistic or not? If not
(which seems to be the claim), can we state precise metrics that would
be appealing to practitioners and that theoreticians can work with? I
don't think the issue is asymptotic vs concrete (every number can be
interpreted as a function of n or as a concrete value), but rather
*what* is being measured.

= Given a concrete metric we can all be happy with, can we translate
the [AB16] attacks into these metrics, and can they be optimized for
appropriate concrete parameters?

Note that I have no stakes in the attacks here, even though I do work
on proofs for memory-hard functions. Still, I would just prefer
important ideas (on both fronts) not to get lost in translation, as
progress seems to be constantly happening on both fronts, and the
theory community is gaining increasing interest in memory hardness.

If we end up with constructions as simple as Argon2i, but with
provable security in a meaningful metric, I don't quite see the harm.
(And we do have proofs for scrypt/Argon2d already.) It would be great
however to agree on such a metric.

Best,
Stefano

-- 
Stefano Tessaro
Assistant Professor of Computer Science
University of California, Santa Barbara
http://cs.ucsb.edu/~tessaro/