Re: [Cfrg] [MASSMAIL]Re: adopting Argon2 as a CFRG document

Dmitry Khovratovich <khovratovich@gmail.com> Sat, 21 May 2016 08:39 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/sfwXKAPUML4nyjLHLt6PwjjaH-U>

Some clarifications due to the increased attention to the paper by Alwen
and Blocki, which has been presented at the recent Eurocrypt CFRG meeting.

1. One of the security parameters of memory-hard password hashing functions is
how much an ASIC attacker can reduce the area-time product (AT) of a
password cracker implemented on ASIC. The AT is conjectured to be
proportional to the amortized cracking cost per password.

2. The memory-hard functions with input-independent memory access (such as
Argon2i) have been known for their relatively larger AT-reduction factor
compared to functions with input-dependent memory access (such as Argon2d).
To mitigate this, the minimum of 3 passes over memory for Argon2i was set.

3. The best attacks on Argon2, published in the original design document in
early 2015, have factor 1.3 for Argon2d and factor 3 for Argon2i.

4. The best attack found by Alwen and Blocki has factor 2 for Argon2i.

5. In a bit more detail, the advantage of the Alwen-Blocki attack is upper
bounded by (M^{1/4})/36, where M is the number of kilobytes used by
Argon2i. Thus the attack has factor 2 with memory up to 16 GB, and less
than 1 for memory up to 1 GB. Details in Section 5.6 of
https://www.cryptolux.org/images/0/0d/Argon2.pdf

Best regards,
Argon2 team

On Mon, Feb 1, 2016 at 10:06 PM, Dmitry Khovratovich <khovratovich@gmail.com> wrote:

> Dear all,
>
> as explained in a recent email
> http://article.gmane.org/gmane.comp.security.phc/3606 , we are fully
> aware of the analysis of Argon2i made by Corrigan-Gibbs et al. , we know
> how to mitigate the demonstrated effect, and have already made some
> benchmarks on the patch.
>
> Soon after the Crypto deadline (Feb-9) we will develop a new release
> including code, rationale, and test vectors.
>
> --
> Best regards,
> the Argon2 team.
>



-- 
Best regards,
Dmitry Khovratovich
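The bound quoted in point 5 above, (M^{1/4})/36 with M in kilobytes, is easy to misread when choosing Argon2i parameters, so here is an added worked example (not code from the Argon2 team or from the mail) that evaluates the bound at the two memory sizes the mail cites and inverts it to find the memory at which a given AT-reduction factor is first reachable. The function names and the clamp-at-1 convention are this example's own assumptions; the formula itself is the one stated in the mail.

```python
# Added example, not part of the original mail: evaluates the stated
# upper bound (M^{1/4})/36 on the Alwen-Blocki AT-reduction advantage
# against Argon2i, where M is the memory size in kilobytes.

KIB_PER_GIB = 1024 * 1024  # kilobytes per gigabyte (binary units, an assumption)


def alwen_blocki_bound(memory_kib: float) -> float:
    """Upper bound on the attacker's AT-reduction factor for Argon2i
    using memory_kib kilobytes, as stated in the mail: M^(1/4) / 36."""
    if memory_kib <= 0:
        raise ValueError("memory must be positive")
    return memory_kib ** 0.25 / 36.0


def effective_factor(memory_kib: float) -> float:
    """A bound below 1 means the attack cannot beat the honest AT cost,
    so the useful quantity for a defender is the bound clamped at 1."""
    return max(1.0, alwen_blocki_bound(memory_kib))


def memory_for_factor(factor: float) -> float:
    """Invert the bound: the memory in kilobytes at which the bound
    first reaches `factor`, i.e. M = (36 * factor)^4."""
    if factor <= 0:
        raise ValueError("factor must be positive")
    return (36.0 * factor) ** 4


def bound_table(gib_sizes):
    """Bound and clamped factor for a list of memory sizes in GB."""
    return [
        (gib, alwen_blocki_bound(gib * KIB_PER_GIB), effective_factor(gib * KIB_PER_GIB))
        for gib in gib_sizes
    ]


if __name__ == "__main__":
    for gib, bound, eff in bound_table([0.25, 1, 4, 16, 64]):
        print(f"{gib:>6} GB  bound {bound:6.3f}  effective factor {eff:6.3f}")
    print(f"factor 2 reachable from about "
          f"{memory_for_factor(2.0) / KIB_PER_GIB:.1f} GB of memory")
```

With 1 GB (M = 2^20 KB) the bound is 32/36, below 1, and with 16 GB (M = 2^24 KB) it is 64/36, still below 2, which is what the mail's two sentences say; the inverse shows the bound only reaches 2 at roughly 25.6 GB, far above what a single password hash is normally configured to use.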