Re: [Cfrg] [MASSMAIL]Re: adopting Argon2 as a CFRG document

Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> Tue, 31 May 2016 10:44 UTC

From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Tue, 31 May 2016 10:44:15 +0000
To: Joel Alwen <jalwen@ist.ac.at>, Dmitry Khovratovich <khovratovich@gmail.com>, cfrg@irtf.org, Alex Biryukov - UNI <alex.biryukov@uni.lu>, Daniel Dinu <dumitru-daniel.dinu@uni.lu>
In-Reply-To: <574D60C5.80309@ist.ac.at>
Message-ID: <CAGiyFdfEjQ3H6HJxSqn1-cmk3fySWepNso1264nt24z0kMg7ig@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/dHXxUmjZwzuGXnRgKjac0T78tWw>

I haven't read the AB16 paper, but I observe that

1) Argon2 designers say "the AB16 attack is less efficient than known
attacks"

2) Joel says "the AB16 attack is more efficient than known attacks"

Are you guys both right for different notions of "efficient", or is one of
your analyses wrong?

Specifically: Joel, is there something that strikes you as incorrect in the
analysis in 5.6 of https://www.cryptolux.org/images/0/0d/Argon2.pdf?



On Tue, May 31, 2016 at 12:00 PM Joel Alwen <jalwen@ist.ac.at> wrote:

> > Furthermore, my understanding is that the Alwen-Blocki attack on
> > Argon2i isn't more efficient than attacks already documented, as
> > discussed in 5.6 in
> > https://www.cryptolux.org/images/0/0d/Argon2.pdf. So I don't see
> > these new results as a showstopper.
>
> Actually the Alwen-Blocki attack is more efficient than other known attacks
> both in terms of asymptotics and exact constants for interesting
> parameter ranges. This is already true for the worst case analysis in
> the paper. (See my earlier email in this thread for references on
> this.) Moreover there is good reason to believe that it will behave far
> better in practice and that it can also be further improved.
>
> To be clear: I am neither advocating for nor against Argon2i (or any
> other algorithm). My intention at this point is to clarify what is
> actually known about Argon2i.
>
>
> As to why I responded positively to Kenny's question about having a new
> PHC *in an ideal world*; the reason is that recent results both in terms
> of attacks and security proofs all point towards a new desirable
> property of an iMHF. That is the underlying DAG of the iMHF should have
> a specific combinatoric property (called depth-robustness). Not only is
> being depth-robust necessary to avoid the AB16 attack, it also allows us
> to make provable security type statements. However, constructing the most
> efficient & simple such graphs is not a trivial task, especially not
> ones which result in the strongest possible provable security
> statements. As such, a concerted effort to produce the best such graph
> combined with other properties we have learned about in the previous PHC
> would likely result in a significantly improved iMHF compared to
> everything we currently have available. Of course we may not want to
> wait for this, nor spend the energy on it. My reasoning and response
> were mindful of the "in an ideal world" part of the question.
>
> - joel
>
> > On Wed, May 25, 2016 at 9:44 PM Joel Alwen <jalwen@ist.ac.at> wrote:
> >
> >
> >> 3. The best attacks on Argon2, published in the original design
> >> document in early 2015, have factor 1.3 for Argon2d and factor 3
> >> for Argon2i.
> >>
> >> 4. The best attack found by Alwen and Blocki has factor 2 for
> >> Argon2i.
> >>
> >> 5. In a bit more detail, the advantage of the Alwen-Blocki attack
> >> is upper bounded by (M^{1/4})/36, where M is the number of
> >> kilobytes used by Argon2i. Thus the attack has factor 2 with
> >> memory up to 16 GB, and less than 1 for memory up to 1 GB. Details
> >> in Section 5.6 of https://www.cryptolux.org/images/0/0d/Argon2.pdf
> >
> > I believe the results of Alwen-Blocki (AB16) actually show that at
> > least 6 passes over memory are required for the above suggested
> > parameters.
> > - See Corollary 5.6 in [1]
> > - See Figure 1(a) in [1] and paragraph titled "Parameter Optimization"
> >
> > [1] https://eprint.iacr.org/2016/115
> >
> > Moreover, I think it important to note that the analysis of the
> > attack complexity in [1] is very "worst case" in several ways and
> > that this leaves room for significant improvements in practice.
> > And of course the analysis was not optimized for concrete parameters
> > such as those mentioned above.
> >
> > Basically I think there are several good reasons to believe that 6
> > passes over memory are also not sufficient to avoid the attack.
> >
> > - Joel
> >
> >
> >
> >
> > On 05/21/2016 04:38 AM, Dmitry Khovratovich wrote:
> >> Some clarifications due to the increased attention to the paper by
> >> Alwen and Blocki, which has been presented at the recent Eurocrypt
> >> CFRG meeting.
> >>
> >> 1. One of security parameters of memory-hard password hashing
> >> functions is how much an ASIC attacker can reduce the area-time
> >> product (AT) of a password cracker implemented on ASIC. The AT is
> >> conjectured to be proportional to the amortized cracking cost per
> >> password.
> >>
> >> 2. The memory-hard functions with input-independent memory access
> >> (such as Argon2i) have been known for their relatively larger
> >> AT-reduction factor compared to functions with input-dependent
> >> memory access (such as Argon2d). To mitigate this, the minimum of
> >> 3 passes over memory for Argon2i was set.
> >>
> >> 3. The best attacks on Argon2, published in the original design
> >> document in early 2015, have factor 1.3 for Argon2d and factor 3
> >> for Argon2i.
> >>
> >> 4. The best attack found by Alwen and Blocki has factor 2 for
> >> Argon2i.
> >>
> >> 5. In a bit more detail, the advantage of the Alwen-Blocki attack
> >> is upper bounded by (M^{1/4})/36, where M is the number of
> >> kilobytes used by Argon2i. Thus the attack has factor 2 with
> >> memory up to 16 GB, and less than 1 for memory up to 1 GB. Details
> >> in Section 5.6 of https://www.cryptolux.org/images/0/0d/Argon2.pdf
> >>
> >> Best regards, Argon2 team
> >>
> >> On Mon, Feb 1, 2016 at 10:06 PM, Dmitry Khovratovich
> >> <khovratovich@gmail.com> wrote:
> >>
> >> Dear all,
> >>
> >> as explained in a recent email
> >> http://article.gmane.org/gmane.comp.security.phc/3606 , we are
> >> fully aware of the analysis of Argon2i made by Corrigan-Gibbs et
> >> al. , we know how to mitigate the demonstrated effect, and have
> >> already made some benchmarks on the patch.
> >>
> >> Soon after the Crypto deadline (Feb-9) we will develop a new
> >> release including code, rationale, and test vectors.
> >>
> >> -- Best regards, the Argon2 team.
> >>
> >>
> >>
> >>
> >> -- Best regards, Dmitry Khovratovich
> >>
> >>
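The thread's point 5 states that the advantage (AT-reduction factor) of the Alwen-Blocki attack on Argon2i is upper bounded by M^{1/4}/36, with M the memory in kilobytes, and draws the conclusions "factor 2 up to 16 GB" and "less than 1 up to 1 GB". The following Python is an added worked example, not code from the thread or from the Argon2 team: it evaluates that stated bound across memory sizes and inverts it to find where the bound crosses a given factor. It assumes the thread's kilobytes and gigabytes are binary units (KiB = 1024 bytes, GiB = 2^30 bytes); the 36 in the denominator and the M^{1/4} shape come from the thread and are not re-derived here.

```python
# Worked check of the AB16 advantage bound quoted in the CFRG thread:
#     advantage <= M^(1/4) / 36,   M = Argon2i memory in kilobytes.
# Added example; the bound itself is the one stated in the thread (Section 5.6
# of the Argon2 design document), not something derived here. Units are an
# assumption: "kilobyte" is read as KiB and "GB" as 2^30 bytes.

import math

KIB_PER_GIB = 2 ** 20  # assumption: binary units for both KB and GB


def ab16_bound(memory_kib: float) -> float:
    """Upper bound on the AB16 AT-reduction factor for Argon2i at memory_kib."""
    if memory_kib <= 0:
        raise ValueError("memory must be positive")
    return memory_kib ** 0.25 / 36.0


def memory_kib_for_factor(factor: float) -> int:
    """Smallest memory (KiB) at which the stated bound reaches `factor`.

    Inverting advantage = M^(1/4) / 36 gives M = (36 * factor)^4.
    """
    if factor <= 0:
        raise ValueError("factor must be positive")
    return math.ceil((36.0 * factor) ** 4)


def bound_table(gib_sizes):
    """Return [(GiB, bound)] for each memory size, useful for parameter review."""
    return [(g, ab16_bound(g * KIB_PER_GIB)) for g in gib_sizes]


def thread_claims_hold() -> bool:
    """Check the two concrete claims in the thread against the formula:
    factor below 2 for memory up to 16 GB, below 1 for memory up to 1 GB.
    The bound is monotone in M, so checking the endpoints suffices."""
    at_16_gib = ab16_bound(16 * KIB_PER_GIB)  # 64/36 ~ 1.78
    at_1_gib = ab16_bound(1 * KIB_PER_GIB)    # 32/36 ~ 0.89
    return at_16_gib < 2.0 and at_1_gib < 1.0


if __name__ == "__main__":
    for gib, b in bound_table([0.25, 1, 4, 16, 64, 256]):
        print(f"{gib:>7} GiB  ->  AB16 bound {b:5.2f}")
    for f in (1.0, 2.0, 3.0):
        m = memory_kib_for_factor(f)
        print(f"bound reaches {f:.0f}x at M = {m} KiB (~{m / KIB_PER_GIB:.1f} GiB)")
    print("thread claims consistent with formula:", thread_claims_hold())
```

The inverse function is the part worth keeping when reviewing parameters: it turns the bound into the memory size at which the attack's stated advantage reaches a chosen factor (for factor 1, 36^4 KiB, about 1.6 GiB; for factor 2, 72^4 KiB, about 25.6 GiB), which is the more useful form when the question is whether a deployment's memory setting sits inside the range the thread discusses. Note that the thread also contains Joel Alwen's objection that the worst-case analysis in [1] leaves room for improvement, so this bound should be read as the Argon2 team's estimate, not as a settled limit.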