Re: [Cfrg] Memory-efficient evaluation of data-independent memory-hard functions
Joel Alwen <jalwen@ist.ac.at> Mon, 15 February 2016 16:06 UTC
Return-Path: <jalwen@ist.ac.at>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14AA21B305F for <cfrg@ietfa.amsl.com>; Mon, 15 Feb 2016 08:06:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.639
X-Spam-Level:
X-Spam-Status: No, score=-0.639 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_AT=0.424, HOST_EQ_AT=0.745, J_CHICKENPOX_64=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yg-9nc6VNaZ5 for <cfrg@ietfa.amsl.com>; Mon, 15 Feb 2016 08:06:20 -0800 (PST)
Received: from mx2.ist.ac.at (mx2.ist.ac.at [193.170.62.130]) by ietfa.amsl.com (Postfix) with ESMTP id 7CE5D1A889B for <cfrg@irtf.org>; Mon, 15 Feb 2016 08:06:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ist.ac.at; i=@ist.ac.at; q=dns/txt; s=ist2009; t=1455552380; x=1487088380; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to:content-transfer-encoding; bh=/Jb/m5DAHFNZ6zPmzeDZWTkikbDR6t13X+N0K0VzU8c=; b=Mb5TZ8BSJflwo01xBBu69dKR6xpg08sTanfxUPrvoQ06oisnudf/V0C8 xJHI7P7d/RWm2QUq9h6yo+1Wf07dpbp4wsb0UrEzdYCx6Cwq1eWOzAioH 4p9ZKd2PCDZ0e2epaA+Pz5XHk5krKSLLb8ll0GtnY5rONM3YPHuf5SBvw 8ZNKM6pp7pVbSlQ1wfV4OVxk/PlHXcoAFAHSp1JuK3lcYQ8IJtlKH+0L+ EMj10VtxhCHA/DpaI6xSkBu5BwRlJT7If0mHk8DWhlXXTkOLG0nxK7H2g i4tGb+W+HGeqpDqTcrD8jJSahPuVf4EMuezs9+aroZlMz7mLNRAzhvItm Q==;
X-IronPort-AV: E=Sophos;i="5.22,451,1449529200"; d="scan'208";a="3214666"
Received: from lserv46.ista.local ([10.15.21.55]) by ironport2-intern.ista.local with ESMTP; 15 Feb 2016 17:06:18 +0100
Received: from sslmail1.ist.ac.at (sslmail1.ista.local [10.15.21.69]) by lserv46.ista.local (8.14.4/8.14.4/Debian-4) with ESMTP id u1FG6HVj001971; Mon, 15 Feb 2016 17:06:18 +0100
Received: from [192.168.0.14] (80-110-77-163.cgn.dynamic.surfer.at [80.110.77.163]) (authenticated bits=0) by sslmail1.ist.ac.at (8.14.4/8.14.4/Debian-4) with ESMTP id u1FG6Gti013557 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 15 Feb 2016 17:06:16 +0100
To: Bill Cox <waywardgeek@gmail.com>
References: <56BE045F.4060103@ist.ac.at> <CAKDPBw_0g=wLTpCpDWut63UBsxq6wwuVSx8OT0Ke7GK6Kd-Xig@mail.gmail.com> <CAOLP8p4X4Xhm1Nix0DC7bfrjmmAK1YfYM7tZb=8tcY0P2GQE3A@mail.gmail.com>
From: Joel Alwen <jalwen@ist.ac.at>
Message-ID: <56C1F773.6030504@ist.ac.at>
Date: Mon, 15 Feb 2016 17:06:11 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <CAOLP8p4X4Xhm1Nix0DC7bfrjmmAK1YfYM7tZb=8tcY0P2GQE3A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/sKiV9VWPwjQ1zCTgCxG63G00hTc>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Memory-efficient evaluation of data-independent memory-hard functions
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2016 16:06:23 -0000
> I would stick to Argon2id, which offers some protection against > certain cache-timing attacks, but still leaks meta-data such as > whether or not the user who is authenticating has been seen before. Which type of timing attacks does Argon2id protect against? (Is there any where I can read more about timing attacks on Argon2 or other dynamic MHFs?) > AFAIK, Argon2id has the same memory*time defense as Argon2d, so it > seems like a no-brainer to use Argon2id rather than Argon2d, IMO. I think for the same memory-cost parameter and passes over memory Argon2d would actually be (at least somewhat) more memory-hard than Argon2id. In particular the first pass over memory of Argon2id would still be susceptible to the Argon2i TMTO attack. So "Argon2d level security" only holds for subsequent passes. In contrast for Argon2d it holds from the get-go. There is a trade-off here. The more passes over memory the smaller the security gap between Argon2id and Argon2d. However this also decreases any added cache-timing attack resistance Argon2id has over Argon2d. Moreover it makes the MHF less efficient in terms of memory-hardness/computational-cost. Put differently for memory-cost m and number of passes t the runtime (i.e. computational cost) is about m*t. But the cumulative memory complexity is (ideally) m^2*t. So to maximise memory-hardness/computational-cost we really want t=1. However if t=1 then Argon2id collapses to Argon2i so we would only get about m^{7/4} memory-hardness. In contrast, with Argon2d I believe we would get much closer to m^2 memory-hardness. So basically I would only recommend Argon2id over Argon2d for applications that are willing to tolerate a low through-put MHF. TBH, I don't yet see a great solution when timing-attacks are a concern but we also want large memory-hardness for minimal computation. - Joel
- [Cfrg] Memory-efficient evaluation of data-indepe… Joel Alwen
- Re: [Cfrg] Memory-efficient evaluation of data-in… Paul Grubbs
- Re: [Cfrg] Memory-efficient evaluation of data-in… Bill Cox
- Re: [Cfrg] Memory-efficient evaluation of data-in… Joel Alwen
- Re: [Cfrg] Memory-efficient evaluation of data-in… Bill Cox