Re: [Cfrg] [MASSMAIL]Re: adopting Argon2 as a CFRG document

Joel Alwen <jalwen@ist.ac.at> Wed, 25 May 2016 19:45 UTC

To: Dmitry Khovratovich <khovratovich@gmail.com>, cfrg@irtf.org, Alex Biryukov - UNI <alex.biryukov@uni.lu>, Daniel Dinu <dumitru-daniel.dinu@uni.lu>, Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
References: <CALW8-7JZZuWszw+Zj0CWHp79wXeQ2JxvKHT0Bpiwv3hz=m493A@mail.gmail.com> <CALW8-7Js5_sAJ+4ZVg4Hg2iLH41c6aunQMHLH=M+n=neCR0UXw@mail.gmail.com>
From: Joel Alwen <jalwen@ist.ac.at>
Message-ID: <57460090.9040901@ist.ac.at>
Date: Wed, 25 May 2016 15:44:16 -0400
In-Reply-To: <CALW8-7Js5_sAJ+4ZVg4Hg2iLH41c6aunQMHLH=M+n=neCR0UXw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/rTsGEDhphpV8FuCazTsoofdbL9w>
Subject: Re: [Cfrg] [MASSMAIL]Re: adopting Argon2 as a CFRG document
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

> 3. The best attacks on Argon2, published in the original design 
> document in early 2015, have factor 1.3 for Argon2d and factor 3 for
>  Argon2i.
> 
> 4. The best attack found by Alwen and Blocki has factor 2 for 
> Argon2i.
> 
> 5. In a bit more details, the advantage of the Alwen-Blocki attack
> is upper bounded by (M^{1/4})/36, where M is the number of kilobytes
>  used by Argon2i. Thus the attack has factor 2 with memory up to 16 
> GB, and less than 1 for memory up to 1 GB. Details in Section 5.6 of 
> https://www.cryptolux.org/images/0/0d/Argon2.pdf

I believe the results of Alwen-Blocki (AB16) actually show that at least
6 passes over memory are required for the above suggested parameters.
 - See Corollary 5.6 in [1]
 - See Figure 1(a) in [1] and paragraph titled "Parameter Optimization"

[1] https://eprint.iacr.org/2016/115

Moreover, I think it important to note that the analysis of the attack
complexity in [1] is very "worst case" in several ways and that this
leaves room for significant improvements in practice. And of course
the analysis was not optimized for concrete parameters such as those
mentioned above.

Basically I think there are several good reasons to believe that 6
passes over memory are also not sufficient to avoid the attack.

- Joel




On 05/21/2016 04:38 AM, Dmitry Khovratovich wrote:
> Some clarifications due to the increased attention to the paper by 
> Alwen and Blocki, which has been presented at the recent Eurocrypt 
> CFRG meeting.
> 
> 1. One of the security parameters of memory-hard password hashing 
> functions is how much an ASIC attacker can reduce the area-time 
> product (AT) of a password cracker implemented on ASIC. The AT is 
> conjectured to be proportional to the amortized cracking cost per 
> password.
> 
> 2. The memory-hard functions with input-independent memory access 
> (such as Argon2i) have been known for their relatively larger 
> AT-reduction factor compared to functions with input-dependent memory
> access (such as Argon2d). To mitigate this, the minimum of 3 passes
> over memory for Argon2i was set.
> 
> 3. The best attacks on Argon2, published in the original design 
> document in early 2015, have factor 1.3 for Argon2d and factor 3 for
>  Argon2i.
> 
> 4. The best attack found by Alwen and Blocki has factor 2 for 
> Argon2i.
> 
> 5. In a bit more details, the advantage of the Alwen-Blocki attack
> is upper bounded by (M^{1/4})/36, where M is the number of kilobytes
>  used by Argon2i. Thus the attack has factor 2 with memory up to 16 
> GB, and less than 1 for memory up to 1 GB. Details in Section 5.6 of 
> https://www.cryptolux.org/images/0/0d/Argon2.pdf
> 
> Best regards, Argon2 team
> 
> On Mon, Feb 1, 2016 at 10:06 PM, Dmitry Khovratovich 
> <khovratovich@gmail.com <mailto:khovratovich@gmail.com>> wrote:
> 
> Dear all,
> 
> as explained in a recent email 
> http://article.gmane.org/gmane.comp.security.phc/3606, we are fully
> aware of the analysis of Argon2i made by Corrigan-Gibbs et al., we
> know how to mitigate the demonstrated effect, and have already made
>  some benchmarks on the patch.
> 
> Soon after the Crypto deadline (Feb-9) we will develop a new release 
> including code, rationale, and test vectors.
> 
> -- Best regards, the Argon2 team.
> 
> 
> 
> 
> -- Best regards, Dmitry Khovratovich
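The following script is an added example, not code from this thread, from the Argon2 team or from the Alwen-Blocki paper. It takes the bound quoted in point 5 of the Argon2 team's message, advantage <= M^{1/4}/36 with M the Argon2i memory in kilobytes, at face value and evaluates it at the memory sizes named there, then inverts it to find the exact memory at which the bound crosses factor 1 and factor 2. It does not model the AB16 attack itself or the pass-count question Joel raises; it only checks the arithmetic of the stated claim. The assumption that "kilobyte" means the 1024-byte block unit Argon2 uses (so 1 GB = 2^20 KB, 16 GB = 2^24 KB) is mine, as are all function names.

```python
"""Sanity-check the Argon2 team's stated bound on the Alwen-Blocki attack.

Added example, not code from the thread or from the Argon2 reference
implementation. It takes the bound quoted in the thread at face value:

    advantage <= M^(1/4) / 36,  M = memory used by Argon2i, in kilobytes

Assumption (not stated in the thread): "kilobyte" is read as the
1024-byte block unit Argon2 uses, so 1 GB = 2**20 KB and 16 GB = 2**24 KB.
"""

KIB_PER_GIB = 1 << 20


def ab_bound(m_kib: int) -> float:
    """Upper bound on the attacker's AT-reduction factor for M kilobytes,
    as quoted in the thread (M^(1/4) / 36)."""
    if m_kib <= 0:
        raise ValueError("memory must be positive")
    return m_kib ** 0.25 / 36


def memory_for_factor(factor: float) -> int:
    """Largest memory (in KB) for which the quoted bound stays at or below
    `factor`.  Inverts advantage = M^(1/4)/36  ->  M = (36 * factor)^4."""
    if factor <= 0:
        raise ValueError("factor must be positive")
    return int((36 * factor) ** 4)


def check_claims() -> dict:
    """Evaluate the bound at the memory sizes named in the thread (1 GB and
    16 GB) and compute the exact crossover memory for factors 1 and 2."""
    return {
        "bound_at_1GiB": ab_bound(1 * KIB_PER_GIB),      # 32/36 ~ 0.889
        "bound_at_16GiB": ab_bound(16 * KIB_PER_GIB),    # 64/36 ~ 1.778
        "factor1_crossover_gib": memory_for_factor(1) / KIB_PER_GIB,  # ~1.60
        "factor2_crossover_gib": memory_for_factor(2) / KIB_PER_GIB,  # ~25.6
    }


if __name__ == "__main__":
    for name, value in check_claims().items():
        print(f"{name:>22}: {value:.3f}")
```

Under the quoted bound the attack stays below factor 1 only up to 36^4 KB, about 1.6 GiB, and below factor 2 up to 72^4 KB, about 25.6 GiB, which is consistent with the "less than 1 up to 1 GB" and "factor 2 up to 16 GB" figures in the message. Whether that bound is the right one to use is exactly what Joel's reply disputes; the script does not settle that.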