Re: [Cfrg] Memory-efficient evaluation of data-independent memory-hard functions
Joel Alwen <jalwen@ist.ac.at> Mon, 15 February 2016 16:06 UTC
Return-Path: <jalwen@ist.ac.at>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14AA21B305F for <cfrg@ietfa.amsl.com>; Mon, 15 Feb 2016 08:06:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.639
X-Spam-Level:
X-Spam-Status: No, score=-0.639 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_AT=0.424, HOST_EQ_AT=0.745, J_CHICKENPOX_64=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yg-9nc6VNaZ5 for <cfrg@ietfa.amsl.com>; Mon, 15 Feb 2016 08:06:20 -0800 (PST)
Received: from mx2.ist.ac.at (mx2.ist.ac.at [193.170.62.130]) by ietfa.amsl.com (Postfix) with ESMTP id 7CE5D1A889B for <cfrg@irtf.org>; Mon, 15 Feb 2016 08:06:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ist.ac.at; i=@ist.ac.at; q=dns/txt; s=ist2009; t=1455552380; x=1487088380; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to:content-transfer-encoding; bh=/Jb/m5DAHFNZ6zPmzeDZWTkikbDR6t13X+N0K0VzU8c=; b=Mb5TZ8BSJflwo01xBBu69dKR6xpg08sTanfxUPrvoQ06oisnudf/V0C8 xJHI7P7d/RWm2QUq9h6yo+1Wf07dpbp4wsb0UrEzdYCx6Cwq1eWOzAioH 4p9ZKd2PCDZ0e2epaA+Pz5XHk5krKSLLb8ll0GtnY5rONM3YPHuf5SBvw 8ZNKM6pp7pVbSlQ1wfV4OVxk/PlHXcoAFAHSp1JuK3lcYQ8IJtlKH+0L+ EMj10VtxhCHA/DpaI6xSkBu5BwRlJT7If0mHk8DWhlXXTkOLG0nxK7H2g i4tGb+W+HGeqpDqTcrD8jJSahPuVf4EMuezs9+aroZlMz7mLNRAzhvItm Q==;
X-IronPort-AV: E=Sophos;i="5.22,451,1449529200"; d="scan'208";a="3214666"
Received: from lserv46.ista.local ([10.15.21.55]) by ironport2-intern.ista.local with ESMTP; 15 Feb 2016 17:06:18 +0100
Received: from sslmail1.ist.ac.at (sslmail1.ista.local [10.15.21.69]) by lserv46.ista.local (8.14.4/8.14.4/Debian-4) with ESMTP id u1FG6HVj001971; Mon, 15 Feb 2016 17:06:18 +0100
Received: from [192.168.0.14] (80-110-77-163.cgn.dynamic.surfer.at [80.110.77.163]) (authenticated bits=0) by sslmail1.ist.ac.at (8.14.4/8.14.4/Debian-4) with ESMTP id u1FG6Gti013557 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 15 Feb 2016 17:06:16 +0100
To: Bill Cox <waywardgeek@gmail.com>
References: <56BE045F.4060103@ist.ac.at> <CAKDPBw_0g=wLTpCpDWut63UBsxq6wwuVSx8OT0Ke7GK6Kd-Xig@mail.gmail.com> <CAOLP8p4X4Xhm1Nix0DC7bfrjmmAK1YfYM7tZb=8tcY0P2GQE3A@mail.gmail.com>
From: Joel Alwen <jalwen@ist.ac.at>
Message-ID: <56C1F773.6030504@ist.ac.at>
Date: Mon, 15 Feb 2016 17:06:11 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <CAOLP8p4X4Xhm1Nix0DC7bfrjmmAK1YfYM7tZb=8tcY0P2GQE3A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/sKiV9VWPwjQ1zCTgCxG63G00hTc>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Memory-efficient evaluation of data-independent memory-hard functions
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2016 16:06:23 -0000
> I would stick to Argon2id, which offers some protection against
> certain cache-timing attacks, but still leaks meta-data such as
> whether or not the user who is authenticating has been seen before.
Which type of timing attacks does Argon2id protect against? (Is there
any where I can read more about timing attacks on Argon2 or other
dynamic MHFs?)
> AFAIK, Argon2id has the same memory*time defense as Argon2d, so it
> seems like a no-brainer to use Argon2id rather than Argon2d, IMO.
I think for the same memory-cost parameter and passes over memory
Argon2d would actually be (at least somewhat) more memory-hard than
Argon2id. In particular the first pass over memory of Argon2id would
still be susceptible to the Argon2i TMTO attack. So "Argon2d level
security" only holds for subsequent passes. In contrast for Argon2d it
holds from the get-go.
There is a trade-off here. The more passes over memory the smaller the
security gap between Argon2id and Argon2d. However this also decreases
any added cache-timing attack resistance Argon2id has over Argon2d.
Moreover it makes the MHF less efficient in terms of
memory-hardness/computational-cost.
Put differently for memory-cost m and number of passes t the runtime
(i.e. computational cost) is about m*t. But the cumulative memory
complexity is (ideally) m^2*t. So to maximise
memory-hardness/computational-cost we really want t=1. However if t=1
then Argon2id collapses to Argon2i so we would only get about m^{7/4}
memory-hardness. In contrast, with Argon2d I believe we would get much
closer to m^2 memory-hardness.
So basically I would only recommend Argon2id over Argon2d for
applications that are willing to tolerate a low through-put MHF.
TBH, I don't yet see a great solution when timing-attacks are a concern
but we also want large memory-hardness for minimal computation.
- Joel
- [Cfrg] Memory-efficient evaluation of data-indepe… Joel Alwen
- Re: [Cfrg] Memory-efficient evaluation of data-in… Paul Grubbs
- Re: [Cfrg] Memory-efficient evaluation of data-in… Bill Cox
- Re: [Cfrg] Memory-efficient evaluation of data-in… Joel Alwen
- Re: [Cfrg] Memory-efficient evaluation of data-in… Bill Cox