Re: [Cfrg] Security analysis of scrypt

Paul Grubbs <pag225@cornell.edu> Wed, 10 February 2016 19:36 UTC

In-Reply-To: <CAEB_pdfZ1LjpEQ9Mc2REn2FF2BSTzz4vwGb2m3sAKgGGa2ovqQ@mail.gmail.com>
Date: Wed, 10 Feb 2016 14:36:06 -0500
Message-ID: <CAKDPBw_74iBAKpf3bdmNExbcf3pVFY9+3soeOShBYnN5jPejnw@mail.gmail.com>
From: Paul Grubbs <pag225@cornell.edu>
To: Stefano Tessaro <tessaro@cs.ucsb.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/hea7ABgSpMKYBueMeWHnleHVr9g>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

Interesting. Thanks for the explanation.

Just out of curiosity, can you explain in a little more detail *why* the
proof relies on data-dependency, and in what step your techniques would
fail if applied to something like Argon2i?
(This is mostly for my own interest, so feel free not to answer if it would
take too long)

On Wed, Feb 10, 2016 at 2:21 PM, Stefano Tessaro <tessaro@cs.ucsb.edu>
wrote:

> > Can your results be extended to Argon2d and/or Argon2i? If so, are you
> > planning on doing it?
>
> Given the analysis is essentially about ROMix, it should extend to
> Argon2d. There are syntactical differences -- so we have been a bit
> cautious about making a final statement about Argon2d in the current
> preliminary version, beyond a footnote stating essentially what I am
> writing here -- but we are planning to make explicit what is the
> strongest statement about Argon2d we can get out of our techniques.
>
> However, what is clear is that the results do not extend to Argon2i.
> The point of this work was to focus on data-dependent designs, which
> were not covered by the techniques from the paper of Alwen and
> Serbinenko. The lower bound proof inherently relies on the
> construction being data dependent, and there is no obvious way to
> adapt it to something like Argon2i.
>
> Stefano
>
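To make the distinction in the exchange above concrete, here is an added illustration (not code from the thread, the scrypt RFC, or the paper being discussed): a toy ROMix with scrypt-style data-dependent addressing next to the same loop with a counter-only, Argon2i-style schedule. It assumes SHA-256 as a stand-in for BlockMix, reads Integerify from the first 8 bytes of X, and uses a made-up schedule j = H(i) mod N for the data-independent variant; none of these are the real primitives.

```python
"""
Toy ROMix comparing data-dependent and data-independent memory addressing.
Added example for this thread; NOT the scrypt, Argon2d or Argon2i algorithm.

Assumptions (simplifications, not the real constructions):
  * H is SHA-256 (32-byte blocks) instead of scrypt's BlockMix(Salsa20/8).
  * integerify() reads the first 8 bytes of X little-endian
    (RFC 7914 reads the last 64-byte sub-block of B).
  * The data-independent variant uses a hypothetical schedule
    j = integerify(H(i)) mod N; it only mimics the *shape* of Argon2i
    (indices fixed before the input is known), not its actual indexing.
"""
import hashlib
import struct


def H(x: bytes) -> bytes:
    # Stand-in for BlockMix: any fixed-length one-way mixing function.
    return hashlib.sha256(x).digest()


def integerify(x: bytes) -> int:
    # Interpret the leading 8 bytes of a block as a little-endian integer.
    return struct.unpack("<Q", x[:8])[0]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def romix_data_dependent(B: bytes, N: int):
    """scrypt-style ROMix (RFC 7914 structure).

    Phase 1 fills V[0..N-1]; phase 2 reads V[j] where j is derived from the
    running state X, i.e. from the secret input.  Returns (output, pattern)
    where pattern is the list of indices read in phase 2.
    """
    X = H(B)
    V = []
    for _ in range(N):
        V.append(X)
        X = H(X)
    pattern = []
    for _ in range(N):
        j = integerify(X) % N      # depends on X, hence on B
        pattern.append(j)
        X = H(xor_bytes(X, V[j]))
    return X, pattern


def public_schedule(N: int):
    """Index sequence for the data-independent variant.

    It is computable by anyone, without the input, which is exactly the
    property a data-independent design (Argon2i-style) has and a
    data-dependent one (ROMix, Argon2d-style) lacks.
    """
    return [integerify(H(struct.pack("<Q", i))) % N for i in range(N)]


def romix_data_independent(B: bytes, N: int):
    """Same two-phase loop, but j comes from the loop counter only."""
    X = H(B)
    V = []
    for _ in range(N):
        V.append(X)
        X = H(X)
    pattern = []
    for i in range(N):
        j = integerify(H(struct.pack("<Q", i))) % N   # independent of B
        pattern.append(j)
        X = H(xor_bytes(X, V[j]))
    return X, pattern


if __name__ == "__main__":
    N = 32
    for name, fn in (("data-dependent", romix_data_dependent),
                     ("data-independent", romix_data_independent)):
        _, p_a = fn(b"constructed-input-a", N)   # constructed sample inputs
        _, p_b = fn(b"constructed-input-b", N)
        print(f"{name}: access pattern identical across inputs? {p_a == p_b}")
```

Running the block prints that the data-independent variant's access pattern is identical for both inputs (and equals `public_schedule(N)`), while the data-dependent variant's pattern changes with the input. That is the property the thread turns on: a lower-bound argument in the style discussed can exploit that each phase-2 read address in ROMix is unpredictable until the preceding state is computed, whereas a schedule that is known in advance gives an evaluator freedom to plan which blocks to keep or recompute, which is why the same argument does not carry over to Argon2i.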