Re: [Cfrg] [MASSMAIL]Re: adopting Argon2 as a CFRG document
Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> Tue, 31 May 2016 07:49 UTC
References: <CALW8-7JZZuWszw+Zj0CWHp79wXeQ2JxvKHT0Bpiwv3hz=m493A@mail.gmail.com> <CALW8-7Js5_sAJ+4ZVg4Hg2iLH41c6aunQMHLH=M+n=neCR0UXw@mail.gmail.com> <57460090.9040901@ist.ac.at>
In-Reply-To: <57460090.9040901@ist.ac.at>
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Tue, 31 May 2016 07:49:30 +0000
Message-ID: <CAGiyFdcHxUsWeW-hrNpyaJfgK8WZzy=Mbbkc+cr=ht8tgb3CTQ@mail.gmail.com>
To: Joel Alwen <jalwen@ist.ac.at>, Dmitry Khovratovich <khovratovich@gmail.com>, cfrg@irtf.org, Alex Biryukov - UNI <alex.biryukov@uni.lu>, Daniel Dinu <dumitru-daniel.dinu@uni.lu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/clJclzsH82siLRxPg1C16wA4G18>
Subject: Re: [Cfrg] [MASSMAIL]Re: adopting Argon2 as a CFRG document
Hi,

I've been told that at the latest CFRG meeting, someone suggested to re-run PHC. I wasn't there so I don't know if it was serious or just a joke, but as lead organizer of PHC I confirm that this won't happen.

Furthermore, my understanding is that the Alwen-Blocki attack on Argon2i isn't more efficient than attacks already documented, as discussed in 5.6 in https://www.cryptolux.org/images/0/0d/Argon2.pdf. So I don't see these new results as a showstopper.

I therefore totally support Argon2 standardization efforts.

Best,

JP

On Wed, May 25, 2016 at 9:44 PM Joel Alwen <jalwen@ist.ac.at> wrote:
>
> > 3. The best attacks on Argon2, published in the original design
> > document in early 2015, have factor 1.3 for Argon2d and factor 3 for
> > Argon2i.
> >
> > 4. The best attack found by Alwen and Blocki has factor 2 for
> > Argon2i.
> >
> > 5. In a bit more details, the advantage of the Alwen-Blocki attack
> > is upper bounded by (M^{1/4})/36, where M is the number of kilobytes
> > used by Argon2i. Thus the attack has factor 2 with memory up to 16
> > GB, and less than 1 for memory up to 1 GB. Details in Section 5.6 of
> > https://www.cryptolux.org/images/0/0d/Argon2.pdf
>
> I believe the results of Alwen-Blocki (AB16) actually show that at least
> 6 passes over memory are required for the above suggested parameters.
> - See Corollary 5.6 in [1]
> - See Figure 1(a) in [1] and paragraph titled "Parameter Optimization"
>
> [1] https://eprint.iacr.org/2016/115
>
> Moreover, I think it important to note that the analysis of the attack
> complexity in [1] is very "worst case" in several ways and that this
> leaves room for significant improvements in practice. And of course
> the analysis was not optimized for concrete parameters such as those
> mentioned above.
>
> Basically I think there are several good reasons to believe that 6
> passes over memory are also not sufficient to avoid the attack.
>
> - Joel
>
>
> On 05/21/2016 04:38 AM, Dmitry Khovratovich wrote:
> > Some clarifications due to the increased attention to the paper by
> > Alwen and Blocki, which has been presented at the recent Eurocrypt
> > CFRG meeting.
> >
> > 1. One of security parameters of memory-hard password hashing
> > functions is how much an ASIC attacker can reduce the area-time
> > product (AT) of a password cracker implemented on ASIC. The AT is
> > conjectured to be proportional to the amortized cracking cost per
> > password.
> >
> > 2. The memory-hard functions with input-independent memory access
> > (such as Argon2i) have been known for their relatively larger
> > AT-reduction factor compared to functions with input-dependent memory
> > access (such as Argon2d). To mitigate this, the minimum of 3 passes
> > over memory for Argon2i was set.
> >
> > 3. The best attacks on Argon2, published in the original design
> > document in early 2015, have factor 1.3 for Argon2d and factor 3 for
> > Argon2i.
> >
> > 4. The best attack found by Alwen and Blocki has factor 2 for
> > Argon2i.
> >
> > 5. In a bit more details, the advantage of the Alwen-Blocki attack
> > is upper bounded by (M^{1/4})/36, where M is the number of kilobytes
> > used by Argon2i. Thus the attack has factor 2 with memory up to 16
> > GB, and less than 1 for memory up to 1 GB. Details in Section 5.6 of
> > https://www.cryptolux.org/images/0/0d/Argon2.pdf
> >
> > Best regards, Argon2 team
> >
> > On Mon, Feb 1, 2016 at 10:06 PM, Dmitry Khovratovich
> > <khovratovich@gmail.com <mailto:khovratovich@gmail.com>> wrote:
> >
> >     Dear all,
> >
> >     as explained in a recent email
> >     http://article.gmane.org/gmane.comp.security.phc/3606 , we are fully
> >     aware of the analysis of Argon2i made by Corrigan-Gibbs et al., we
> >     know how to mitigate the demonstrated effect, and have already made
> >     some benchmarks on the patch.
> >
> >     Soon after the Crypto deadline (Feb-9) we will develop a new release
> >     including code, rationale, and test vectors.
> >
> >     -- Best regards, the Argon2 team.
> >
> >
> > -- Best regards, Dmitry Khovratovich
> >
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
> >
>
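The thread's point 5 gives a closed-form bound on the attacker's AT-reduction advantage against Argon2i, (M^{1/4})/36 with M in kilobytes, and then quotes two memory thresholds (below 1 for up to 1 GB, factor 2 for up to 16 GB). The following is an added worked example, not code from the email or from the Argon2 team, that evaluates the bound and its inverse so the quoted thresholds can be checked; it assumes "kilobytes" means binary kilobytes (KiB, 1024 bytes), which is the unit of Argon2's memory parameter, and the function names are the example's own.

```python
# Added example: evaluates the AT-reduction bound (M^{1/4})/36 quoted in the
# thread. Assumption: M is measured in KiB (1024-byte units), matching the
# Argon2 memory parameter. Function names are this example's own.

KIB_PER_GIB = 1024 * 1024  # KiB in one GiB (assumed binary units)


def ab_advantage_bound(memory_kib: int) -> float:
    """Upper bound on the Alwen-Blocki AT-reduction factor for Argon2i
    using memory_kib kilobytes of memory, as stated in the quoted message:
    (M^{1/4}) / 36."""
    if memory_kib <= 0:
        raise ValueError("memory must be a positive number of KiB")
    return memory_kib ** 0.25 / 36


def memory_kib_for_factor(factor: float) -> int:
    """Inverse of the bound: the memory (in KiB) at which the bound first
    reaches `factor`, i.e. M = (36 * factor)^4."""
    if factor <= 0:
        raise ValueError("factor must be positive")
    return int((36 * factor) ** 4)


def bound_at_gib(gib: float) -> float:
    """Convenience wrapper: bound for a memory size given in GiB."""
    return ab_advantage_bound(int(gib * KIB_PER_GIB))


def check_thread_claims() -> dict:
    """Reproduce the two thresholds quoted in point 5 of the thread and
    report where the bound actually crosses 1 and 2."""
    return {
        # 1 GiB = 2^20 KiB, fourth root is 2^5 = 32, so 32/36 ~ 0.889 (< 1)
        "bound_at_1GiB": bound_at_gib(1),
        # 16 GiB = 2^24 KiB, fourth root is 2^6 = 64, so 64/36 ~ 1.778 (< 2)
        "bound_at_16GiB": bound_at_gib(16),
        # bound reaches 1 at 36^4 KiB ~ 1.6 GiB and 2 at 72^4 KiB ~ 25.6 GiB
        "gib_where_bound_hits_1": memory_kib_for_factor(1) / KIB_PER_GIB,
        "gib_where_bound_hits_2": memory_kib_for_factor(2) / KIB_PER_GIB,
    }


if __name__ == "__main__":
    for name, value in check_thread_claims().items():
        print(f"{name}: {value:.3f}")
```

The numbers confirm the quoted thresholds are conservative restatements of the formula: the bound crosses 1 at roughly 1.6 GiB and 2 at roughly 25.6 GiB, so "less than 1 up to 1 GB" and "factor 2 up to 16 GB" both hold. Note that this is only the bound on the attack as analysed in Section 5.6 of the design document; Joel Alwen's reply argues the analysis is worst-case and that the pass count matters as well, which this arithmetic does not capture.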