Re: [Cfrg] [MASSMAIL]Re: adopting Argon2 as a CFRG document

Dmitry Khovratovich <khovratovich@gmail.com> Wed, 15 June 2016 14:42 UTC

From: Dmitry Khovratovich <khovratovich@gmail.com>
Date: Wed, 15 Jun 2016 16:42:27 +0200
Message-ID: <CALW8-7LYC7kzN98n-rwJLBZufUtukFepKveBFujycEjU7F65Yg@mail.gmail.com>
To: cfrg@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ZV5dfho-vokM1Yb8Oy0eCXcPf-0>

Dear chairs and others,

we would like to proceed with the Argon2 draft unless there are strong
objections. We have expanded the security section of the document to inform
the user of the potential time-memory tradeoffs given the recent analysis
papers. "Paranoid" parameter sets have been recommended as well. The final
draft would then be presented in Berlin.

Best regards,
the Argon2 team.

On Sat, May 21, 2016 at 10:38 AM, Dmitry Khovratovich <
khovratovich@gmail.com> wrote:

> Some clarifications due to the increased attention to the paper by Alwen
> and Blocki, which has been presented at the recent Eurocrypt CFRG meeting.
>
> 1. One of the security parameters of memory-hard password hashing functions is
> how much an ASIC attacker can reduce the area-time product (AT) of a
> password cracker implemented on ASIC. The AT is conjectured to be
> proportional to the amortized cracking cost per password.
>
> 2. The memory-hard functions with input-independent memory access (such as
> Argon2i) have been known for their relatively larger AT-reduction factor
> compared to functions with input-dependent memory access (such as Argon2d).
> To mitigate this, the minimum of 3 passes over memory for Argon2i was set.
>
> 3. The best attacks on Argon2, published in the original design document
> in early 2015, have factor 1.3 for Argon2d and factor 3 for Argon2i.
>
> 4. The best attack found by Alwen and Blocki has factor 2 for Argon2i.
>
> 5. In a bit more detail, the advantage of the Alwen-Blocki attack is
> upper bounded by (M^{1/4})/36, where M is the number of kilobytes used by
> Argon2i. Thus the attack has factor 2 with memory up to 16 GB, and less
> than 1 for memory up to 1 GB. Details in Section 5.6 of
> https://www.cryptolux.org/images/0/0d/Argon2.pdf
>
> Best regards,
> Argon2 team
>
> On Mon, Feb 1, 2016 at 10:06 PM, Dmitry Khovratovich <
> khovratovich@gmail.com> wrote:
>
>> Dear all,
>>
>> as explained in a recent email
>> http://article.gmane.org/gmane.comp.security.phc/3606, we are fully
>> aware of the analysis of Argon2i made by Corrigan-Gibbs et al., we know
>> how to mitigate the demonstrated effect, and have already made some
>> benchmarks on the patch.
>>
>> Soon after the Crypto deadline (Feb-9) we will develop a new release
>> including code, rationale, and test vectors.
>>
>> --
>> Best regards,
>> the Argon2 team.
>>
>
> --
> Best regards,
> Dmitry Khovratovich
>
-- 
Best regards,
Dmitry Khovratovich
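The AT-reduction bound quoted in point 5 of the thread above, worked through as an added example (this is not code from the Argon2 team, the draft, or the cited paper). It assumes the email's "GB" means GiB and that M is Argon2's memory parameter in KiB, and it inverts the formula to find the memory at which the bound crosses a chosen factor, which the email does not state.

```python
"""Alwen-Blocki AT-reduction bound for Argon2i, as quoted in the thread:

    advantage(M) <= M**(1/4) / 36,   M = memory used by Argon2i in kilobytes.

Assumptions of this example: M is Argon2's memory parameter in KiB, and
"16 GB" / "1 GB" in the email are read as GiB.
"""

KIB_PER_GIB = 1024 * 1024  # assumption: GB in the email read as GiB


def at_reduction_bound(m_kib: int) -> float:
    """Upper bound on the ASIC attacker's AT-reduction factor for Argon2i
    run with m_kib kilobytes of memory (the formula quoted in point 5)."""
    if m_kib <= 0:
        raise ValueError("memory must be positive")
    return m_kib ** 0.25 / 36.0


def max_memory_for_factor(factor: float) -> int:
    """Largest memory (KiB) at which the bound stays strictly below `factor`.

    Derived here by inverting the quoted bound (not stated in the email):
        M**(1/4) / 36 < factor   <=>   M < (36 * factor) ** 4
    """
    if factor <= 0:
        raise ValueError("factor must be positive")
    m = int((36.0 * factor) ** 4)
    # (36*factor)**4 itself reaches the factor; step back to strictly below it
    if at_reduction_bound(m) >= factor:
        m -= 1
    return m


def check_email_claims() -> dict:
    """Reproduce the two numbers in the email: bound below 2 at 16 GB and
    below 1 at 1 GB, and report the bound values themselves."""
    b16 = at_reduction_bound(16 * KIB_PER_GIB)  # (2**24)**0.25 / 36 = 64/36
    b1 = at_reduction_bound(1 * KIB_PER_GIB)    # (2**20)**0.25 / 36 = 32/36
    return {
        "16gib_below_2": b16 < 2.0,
        "1gib_below_1": b1 < 1.0,
        "bound_at_16gib": round(b16, 3),
        "bound_at_1gib": round(b1, 3),
    }


if __name__ == "__main__":
    for gib in (1, 4, 16, 64):
        print(f"{gib:>3} GiB: AT-reduction bound <= "
              f"{at_reduction_bound(gib * KIB_PER_GIB):.3f}")
    print(f"bound reaches factor 2 at about "
          f"{max_memory_for_factor(2.0) / KIB_PER_GIB:.1f} GiB")
    print(check_email_claims())
```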