Re: [Cfrg] Memory-efficient evaluation of data-independent memory-hard functions
Paul Grubbs <pag225@cornell.edu> Fri, 12 February 2016 16:47 UTC
Return-Path: <pag225@cornell.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FB101A6FB0 for <cfrg@ietfa.amsl.com>; Fri, 12 Feb 2016 08:47:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.58
X-Spam-Level:
X-Spam-Status: No, score=-3.58 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id asOgFm9Ui4Ty for <cfrg@ietfa.amsl.com>; Fri, 12 Feb 2016 08:47:43 -0800 (PST)
Received: from limerock04.mail.cornell.edu (limerock04.mail.cornell.edu [128.84.13.244]) by ietfa.amsl.com (Postfix) with ESMTP id E128B1A6FD0 for <cfrg@irtf.org>; Fri, 12 Feb 2016 08:47:33 -0800 (PST)
X-CornellRouted: This message has been Routed already.
Received: from exchange.cornell.edu (sf-e2013-02.exchange.cornell.edu [10.22.40.49]) by limerock04.mail.cornell.edu (8.14.4/8.14.4_cu) with ESMTP id u1CGlTiH002868 for <cfrg@irtf.org>; Fri, 12 Feb 2016 11:47:33 -0500
Received: from sf-e2013-08.exchange.cornell.edu (10.22.40.55) by sf-e2013-02.exchange.cornell.edu (10.22.40.49) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Fri, 12 Feb 2016 11:47:31 -0500
Received: from mail-wm0-f42.google.com (74.125.82.42) by exchange.cornell.edu (10.22.40.55) with Microsoft SMTP Server (TLS) id 15.0.1130.7 via Frontend Transport; Fri, 12 Feb 2016 11:47:31 -0500
Received: by mail-wm0-f42.google.com with SMTP id p63so27052300wmp.1 for <cfrg@irtf.org>; Fri, 12 Feb 2016 08:47:31 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=kqF9C6xi/bH6JL0+ibPckRn6gVC/na78uzFOxgHZVbE=; b=YUrvqIvtPTqwn9f4rjVeNLXp/unZYrz/JvIY5JB2e6efFD+xpNAUlmVIj0Qp/EvaqA ZMsC+ZshZZN/FmPEmNreKjxcwzjZbhaUHLj8l5A9XywIRFRCuYX/ExcnZzLlm1dihmzS ZGG4spgaMQkAtNrQ5EukGmTsI8D59pTychjwidxe7y0EMd6lulxLok9kASDVdVx9dMva BmGABAwyOiHsqetA3W/b0W+a2dFv7OWn2nm9MUpYGwvqg2HvJbgReLLoC8/TVJqLQxoV xpSSHhaZ/JIkvbICqeNahZyRWI79xC6zTnchKCgN1KdZMDwek7OdDaJstXnxUJZ6mNNu fZXw==
X-Gm-Message-State: AG10YOT+vsQzKUiGUytXHoL7VB8qN1S4p1hX0XgjomNK76eNPAFWJJF/Y7F1LMLtX4GfymNiVkWbzRHk72yYT22m2L69b9MVOuj3P3E0bIpFqtTFHtiogMPwDSNdhSnO/6Pb9ZSFMYrkgLfVATjwOOxLjKU=
X-Received: by 10.194.250.103 with SMTP id zb7mr2291692wjc.65.1455295650907; Fri, 12 Feb 2016 08:47:30 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.194.250.103 with SMTP id zb7mr2291654wjc.65.1455295650487; Fri, 12 Feb 2016 08:47:30 -0800 (PST)
Received: by 10.28.87.83 with HTTP; Fri, 12 Feb 2016 08:47:30 -0800 (PST)
In-Reply-To: <56BE045F.4060103@ist.ac.at>
References: <56BE045F.4060103@ist.ac.at>
Date: Fri, 12 Feb 2016 11:47:30 -0500
Message-ID: <CAKDPBw_0g=wLTpCpDWut63UBsxq6wwuVSx8OT0Ke7GK6Kd-Xig@mail.gmail.com>
From: Paul Grubbs <pag225@cornell.edu>
To: Joel Alwen <jalwen@ist.ac.at>
Content-Type: multipart/alternative; boundary="001a11c26cca4a7c72052b956c35"
Received-SPF: Neutral (sf-e2013-02.exchange.cornell.edu: 74.125.82.42 is neither permitted nor denied by domain of pag225@cornell.edu)
X-ORG-HybridRouting: 5ff639697076bd909f58308264f41b2d
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Z3HaQvZgPEEPkM_sQWsH626HzL0>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Memory-efficient evaluation of data-independent memory-hard functions
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Feb 2016 16:47:46 -0000
Thank you for this post; the recent work in this area has been really fascinating. On Fri, Feb 12, 2016 at 11:12 AM, Joel Alwen <jalwen@ist.ac.at> wrote: > Hi, > > I thought some of you might be interested in Jeremiah Blocki and my > recent paper that just appeared on eprint > (http://eprint.iacr.org/2016/115). It complements the recent work on > data-dependent MHF (i.e. scrypt) by instead focusing on data > *independent* MHFs (e.g. Both Catena functions, Argon2i, all three > Balloon Hashing functions, etc.). Some of you may find it relevant to > recent discussion on the list about finding a password-hashing standard. > > In a nutshell we develop a new class of parallel evaluation algorithms > for several rather general classes of MHFs (including all those I just > listed) and show that the resulting memory complexity is a fair bit > lower then one might hope for when allowing parallelism (like in an > ASIC). Put differently, we give some better than hoped for > time-memory-trade-offs by using parallelism to evaluate several > instances of the MHF at once resulting in a low "Time X Memory" per > instance. In other words just the kind of algorithm one might find > useful for launching cheap(er) brute-force attacks on these iMHFs. > > >From a more theoretical perspective we also show a general lower-bound. > It states that no data-independent MHF (say doing 1-pass over n memory > blocks) can have even only Omega(n^2/log(n)) cumulative > memory-complexity (let alone the Omega(n^2) which people have been > shooting for up till now). > > So where do these results leave us? AFAIK the closest we've got to an > iMHF with a proof for large memory-complexity is the iMHF in my paper > with Vladimir Serbinenko. Unfortunately the construction is based on a > recursively built graph. What that boils down to is that if we want to > compute the incoming edges of a node (i.e. which blocks from memory go > into the next call to the compression function H) the straightforward > computation (unravelling the recursion) takes log(n) operations. But > really we want constant time (say a single call to a compression > function + a mod operation as in scrypt) as otherwise the throughput of > any implementation is going to suffer. Also the proof only shows > something like Omega(n^2/log^10(n)) (with probably nasty constants) > which is asymptotically way better then any of above mentioned iMHFs but > actually pretty useless for practical parameters. I think its easy to > tighten the proof down to something closer to Omega(n^2/log^7(n)) but > thats still pretty unsatisfactory and any way it doesnt help making the > incoming-edges function easier to compute. > > Anyway I hope you enjoy the paper and that it provides a bit of fuel for > thought. :-) If anything, IMHO it points out room for a lot more work in > this area (both from a practical and theoretical point of view) before I > would feel confident in proposing a standard for wider adoption. > > - Joel > > > > > PS. What does the theoretical lower-bound mean for our search for a new > password-hashing standard? What can we still hope for? > > Here are a couple thoughts about those questions. > > 1) Well, we can always just ignore it if we find an iMHF which no one > manages to attack after a convincing amount of effort has been exerted. > After all we know efficient Random Oracles can't exist yet we still > effectively ask that our now hash function candidates to behave like > one. This route does seem to give up on proof based evidence for (at > least asymptotic) security though. > > 2) We could decide to settle for Omega(n^2/log(n)) assuming we can find > a clean, simple and strongly explicit iMHF with accompanying proof > matching this bound with small constants. (Notice that in the recent > scrypt paper we only show Omega(n^2/log^2(n)) so its not even clear that > a data-*dependent* MHF could break that bound.) > > 3) Alternatively, if we want to still shoot for a proof of Omega(n^2) > complexity, then one potential way to still get there could be to make > an analysis for concrete practical parameter ranges (rather then > asymptotic behaviour). The large constants in the lower-bound do not > rule this out. (Though the parameters of our evaluation algorithms for > almost all the iMHFs I listed above do rule this out for those > functions.) See figures in the paper... > > 4) Another less preferable way IMHO would be to increase the number of > inputs to the underlying hash function. (Something like the Single and > Double Buffer balloon hashing functions do as they use 21 inputs.) E.g. > I think the lower-bound lets us have Omega(n^2) memory-hardness if we > use order log(n) (or maybe log^2(n)) inputs to the hash function > (instead of a constant like 2 or 3 as in most current iMHFs). There are > at least two reasons why I'm personally not super in favour of this > approach though. Practically it means worse throughput for an > implementation as evaluating the hash function takes a lot longer now. > Theoretically I'd also call it cheating because it really boils down > making log(n) calls to a compression function (as was pointed out > already in a couple papers on the subject). In particular, really we > should be looking at MHFs defined over compression functions, not > arbitrary input length hashes. But if look at what happens to any proof > of memory-hardness for the high-indegree MHF when view the function as > being over a compression function then AFAIK the proof looses a > multiplicative cubic(!) of the indegree. So if we prove O(n^2) for an > MHF with d inputs to the hash function then I only see how to prove that > the same MHF viewed over the underlying compression function really has > O(n^2/d^3) complexity. (See Alwen Serbinenko for how that works.) > > > Also I'd love to hear other ideas for how to deal with the lower-bound > if you have any! > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Memory-efficient evaluation of data-indepe… Joel Alwen
- Re: [Cfrg] Memory-efficient evaluation of data-in… Paul Grubbs
- Re: [Cfrg] Memory-efficient evaluation of data-in… Bill Cox
- Re: [Cfrg] Memory-efficient evaluation of data-in… Joel Alwen
- Re: [Cfrg] Memory-efficient evaluation of data-in… Bill Cox