Re: [Cfrg] I-D Action: draft-irtf-cfrg-argon2-02.txt

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Tue, 04 July 2017 14:06 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: "draft-irtf-cfrg-argon2@ietf.org" <draft-irtf-cfrg-argon2@ietf.org>
CC: "cfrg@ietf.org" <cfrg@ietf.org>
Thread-Topic: [Cfrg] I-D Action: draft-irtf-cfrg-argon2-02.txt
Thread-Index: AQHSpud0G7Nvk2NWAEWKLkFqd0wSnqGoglCAgH4EpoCAHdlfgA==
Date: Tue, 04 Jul 2017 14:06:08 +0000
Message-ID: <D5815D6C.97F14%kenny.paterson@rhul.ac.uk>
References: <149061159741.30566.11599293166376872082@ietfa.amsl.com> <CALW8-7+BL5dLJiTh_yn_OD8pNNwLvEz5ZPhqK=-TfUH3xvohBg@mail.gmail.com> <D56853D6.96722%kenny.paterson@rhul.ac.uk>
In-Reply-To: <D56853D6.96722%kenny.paterson@rhul.ac.uk>
Accept-Language: en-GB, en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/TOxcs1qbgey5ie9T5ZjNKwORwNI>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-argon2-02.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jul 2017 14:06:28 -0000

Dear Argon2 authors,


You will have seen the two recent CFRG review panel reviews for
draft-irtf-cfrg-argon2-02.txt:

https://www.ietf.org/mail-archive/web/cfrg/current/msg09199.html

https://www.ietf.org/mail-archive/web/cfrg/current/msg09195.html


- thanks to Russ Housley and Stanislav Smyshlyaev for preparing these.

Please would you take these reviews into account when preparing the next
version of your draft? It would be helpful if you would post a response
explaining how you have addressed the comments when you are ready.

(Note also that there was a cutoff for new drafts this Monday past because
of the upcoming IETF meeting.)

Regards

Kenny (for the chairs)


On 15/06/2017 15:16, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> wrote:

>Dear CFRG,
>
>Dmitry Khovratovich kindly presented the latest draft for Argon2 at the
>interim CFRG meeting in Paris. For those of you who could not attend, his
>slides can be found here:
>
>https://www.ietf.org/proceedings/interim-2017-cfrg-01/slides/slides-interim-2017-cfrg-01-sessa-argon2-00.pdf
>
>
>My sense from the constructive discussion that took place after Dmitry's
>talk in Paris was that there are now no remaining serious objections to
>the recommended parameters in the latest version of the draft:
>
>https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/
>
>
>If there are further substantive technical comments from the CFRG
>membership, the chairs would be grateful if they could be brought to the
>list in the next few days.
>
>Assuming we have indeed reached consensus, then we will be in a position
>to move to last call for this ID.
>
>Thanks,
>
>Kenny (for the chairs)
>
>
>On 27/03/2017 11:51, "Cfrg on behalf of Dmitry Khovratovich"
><cfrg-bounces@irtf.org on behalf of khovratovich@gmail.com> wrote:
>
>>Some comments on a new draft:
>>
>>Variants
>>
>>Argon2 fills M bytes of memory in T iterations over it, with M and T
>>being the parameters supplied to Argon2 and determining its performance.
>>Speed on a typical server is linear in the MT product.
>>
>>The Argon2 family has three variants: I, D, and ID, which differ in the
>>way of reusing memory that has been filled. The I variant makes queries
>>with predictable addresses, whereas D determines the addresses on the
>>fly depending on the current state (and thus the password). The ID
>>variant follows I for the first half of the memory used and D for the
>>rest and while overwriting.
>>
>>Side-channels
>>
>>The side-channel attacks, which are of still rising concern in the
>>security community, are applicable to the D variant as the memory
>>addresses and thus information about the password or other secret
>>inputs can be determined from the timing leaks. The I variant is
>>completely invulnerable to this attack, and the ID variant provides
>>only a constant factor improvement for the attacker.
>>
>>Hardware and tradeoffs
>>
>>The M and T parameters determine the cost of bruteforcing passwords on
>>custom hardware, which is proportional to M^2 T if we follow the
>>traditional time-area product metric. The time-memory tradeoff
>>analysis [2] shows that the bruteforce cost for the I variant can be
>>changed to M^2 T / Q(M,T) for some quality function Q. For instance,
>>Q(2^30, 1) = 5, Q(2^30, 4) = 2.5.
>>
>>The D variant is invulnerable to the approach [2], and the savings
>>factor in the ID variant is upper bounded by factor 2 for all
>>parameters.
>>
>>Defender tradeoff and ultimate recommendations
>>
>>In public and private conversations with security architects in the
>>industry we learned that the bottleneck in a system employing the
>>password-hashing function is the function latency rather than memory
>>costs. We then assume that a rational defender would like to maximize
>>the bruteforce costs for the attacker equipped with a list of hashes,
>>salts, and timing information, for fixed computing time on the
>>defender's machine. In this assumption the defender keeps the MT
>>product constant and maximizes the losses M/Q(M,T). The authors of [2]
>>provide us with attack cost estimates for constant MT = 2^28, 2^30,
>>2^32 (measured in iteration-bytes).
>>
>>We ultimately recommend the ID variant with T=1 and maximum M as a
>>default setting for all environments, which is secure against
>>side-channel attacks and prohibits adversarial advantage on dedicated
>>bruteforce hardware.
>>
>>References
>>
>>[1] "Efficiently Computing Data-Independent Memory-Hard Functions"
>>    <http://eprint.iacr.org/2016/115.pdf>
>>[2] "Towards Practical Attacks on Argon2i and Balloon Hashing"
>>    <http://eprint.iacr.org/2016/759.pdf>
>>
>>
>>
>>
>>
>>On Mon, Mar 27, 2017 at 12:46 PM, <internet-drafts@ietf.org> wrote:
>>
>>
>>A New Internet-Draft is available from the on-line Internet-Drafts
>>directories.
>>This draft is a work item of the Crypto Forum of the IETF.
>>
>>        Title           : The memory-hard Argon2 password hash and
>>proof-of-work function
>>        Authors         : Alex Biryukov
>>                          Daniel Dinu
>>                          Dmitry Khovratovich
>>                          Simon Josefsson
>>        Filename        : draft-irtf-cfrg-argon2-02.txt
>>        Pages           : 26
>>        Date            : 2017-03-27
>>
>>Abstract:
>>   This document describes the Argon2 memory-hard function for password
>>   hashing and proof-of-work applications.  We provide an implementer
>>   oriented description together with sample code and test vectors.  The
>>   purpose is to simplify adoption of Argon2 for Internet protocols.
>>
>>
>>The IETF datatracker status page for this draft is:
>>https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/
>>
>>There are also htmlized versions available at:
>>https://tools.ietf.org/html/draft-irtf-cfrg-argon2-02
>>https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-argon2-02
>>
>>A diff from the previous version is available at:
>>https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-argon2-02
>>
>>
>>Please note that it may take a couple of minutes from the time of
>>submission until the htmlized version and diff are available at
>>tools.ietf.org.
>>
>>Internet-Drafts are also available by anonymous FTP at:
>>ftp://ftp.ietf.org/internet-drafts/
>>
>>_______________________________________________
>>Cfrg mailing list
>>Cfrg@irtf.org
>>https://www.irtf.org/mailman/listinfo/cfrg
>>
>>
>>
>>
>>
>>
>>
>>-- 
>>Best regards,
>>Dmitry Khovratovich
>>
>>
>
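The variant descriptions quoted above (I with predictable addresses, D with addresses taken from the current state, ID switching from I to D halfway through the first pass) are easier to see in code. The Python below is an added illustration for this archive page, not code from the draft, from its authors, or from the Argon2 reference implementation. It assumes the following, none of which the thread states: the mapping from the 32-bit value J1 to a reference-block index is reproduced from memory after the reference implementation's index_alpha() and covers a single lane only (the J2/lane selection is ignored); the Argon2i address generator, which in the real design is the compression function G applied twice to a counter block, is stood in for by SHA-256 over the (pass, slice, counter) position, keeping only the property that matters here, namely that it ignores block contents; and block contents are SHA-256 chains seeded by the password rather than 1 KiB Argon2 blocks. The password strings and the segment length of 8 blocks are constructed sample inputs.

```python
import hashlib
import struct

SYNC_POINTS = 4  # Argon2 splits every lane into four slices (segments)


def j1_data_dependent(prev_block: bytes) -> int:
    """Argon2d: J1 is the first 32-bit little-endian word of the previous block."""
    return struct.unpack_from("<I", prev_block, 0)[0]


def j1_data_independent(pass_no: int, slice_no: int, counter: int) -> int:
    """Stand-in for Argon2i's address generator (assumption: SHA-256 over the
    position instead of G^2 over a counter block). It depends on position only."""
    digest = hashlib.sha256(struct.pack("<III", pass_no, slice_no, counter)).digest()
    return struct.unpack_from("<I", digest, 0)[0]


def reference_index(j1: int, pass_no: int, slice_no: int, index: int,
                    segment_length: int) -> int:
    """Map a 32-bit J1 to an absolute block index inside a single lane.

    Structure follows index_alpha() of the reference implementation (assumption:
    reproduced from memory, single lane only). The previous block is never a
    candidate because it is already the other input of the compression."""
    lane_length = SYNC_POINTS * segment_length
    if pass_no == 0:
        # first pass: every block already written in this lane, minus the previous one
        area = slice_no * segment_length + index - 1
    else:
        # later passes: the three segments other than the current one, plus the
        # blocks already rewritten in the current segment, minus the previous one
        area = lane_length - segment_length + index - 1
    x = (j1 * j1) >> 32                    # squaring skews the choice towards recent blocks
    rel = area - 1 - ((area * x) >> 32)
    start = 0
    if pass_no != 0 and slice_no != SYNC_POINTS - 1:
        start = (slice_no + 1) * segment_length
    return (start + rel) % lane_length


def address_trace(password: bytes, variant: str, segment_length: int = 8,
                  passes: int = 1) -> list:
    """Fill one lane with toy blocks and return the reference indices touched.

    Block contents are SHA-256 chains seeded by the password (assumption; real
    Argon2 blocks are 1 KiB outputs of the G compression)."""
    if variant not in ("d", "i", "id"):
        raise ValueError("variant must be 'd', 'i' or 'id'")
    lane_length = SYNC_POINTS * segment_length
    # the first two blocks of a lane come straight from H0(password, salt, ...)
    blocks = [hashlib.sha256(b"H0" + password + bytes([k])).digest() for k in (0, 1)]
    blocks += [b""] * (lane_length - 2)
    trace = []
    for pass_no in range(passes):
        for slice_no in range(SYNC_POINTS):
            # ID: data-independent for the first half of the first pass, data-dependent after
            data_dependent = variant == "d" or (
                variant == "id" and (pass_no > 0 or slice_no >= SYNC_POINTS // 2))
            first = 2 if (pass_no == 0 and slice_no == 0) else 0
            for index in range(first, segment_length):
                cur = slice_no * segment_length + index
                prev = (cur - 1) % lane_length
                if data_dependent:
                    j1 = j1_data_dependent(blocks[prev])
                else:
                    j1 = j1_data_independent(pass_no, slice_no, index)
                ref = reference_index(j1, pass_no, slice_no, index, segment_length)
                trace.append(ref)
                # new block = G(previous block, reference block), modelled by a hash
                blocks[cur] = hashlib.sha256(blocks[prev] + blocks[ref]).digest()
    return trace


def trace_depends_on_password(variant: str) -> bool:
    """True if two passwords produce different memory access patterns."""
    return address_trace(b"correct horse", variant) != address_trace(b"battery staple", variant)


if __name__ == "__main__":
    for v in ("d", "i", "id"):
        print(f"Argon2{v}: access pattern leaks password? {trace_depends_on_password(v)}")
```

Running it prints a False for the I variant and True for D and ID: an attacker who can observe which memory lines are touched (cache timing, for instance) learns nothing about the password from Argon2i, learns something from every block of Argon2d, and from Argon2id learns only about the second half of the first pass, which is the "constant factor" the quoted comments refer to. The first fourteen addresses of the ID trace (six from slice 0, eight from slice 1, in this toy lane of 32 blocks) are identical for every password.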