IETF Logo Mail Archive

Re: [Cfrg] [MASSMAIL]Re: adopting Argon2 as a CFRG document

Dmitry Khovratovich <khovratovich@gmail.com> Wed, 15 June 2016 09:14 UTC

Return-Path: <khovratovich@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A05F612D122 for <cfrg@ietfa.amsl.com>; Wed, 15 Jun 2016 02:14:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XCMOLGFAEq1E for <cfrg@ietfa.amsl.com>; Wed, 15 Jun 2016 02:14:26 -0700 (PDT)
Received: from mail-io0-x22c.google.com (mail-io0-x22c.google.com [IPv6:2607:f8b0:4001:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F99112D0A6 for <cfrg@irtf.org>; Wed, 15 Jun 2016 02:14:26 -0700 (PDT)
Received: by mail-io0-x22c.google.com with SMTP id f30so9186576ioj.2 for <cfrg@irtf.org>; Wed, 15 Jun 2016 02:14:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ZakauT3jqp8vH8dpZC9++7Cmb8eTrvPh3ryUvLAolE8=; b=0Qpi2wY3wErq01QHEjAQVGg+ElYhv1gDpCPmEB7PQxqDP9qxd6ek1OTqHQxv0JZ82+ C5xQdHf+fsuxbpe8JrfVqPieJ36mSthZa33Jt5leZvvMMlMFoSBZ4cb/R7IRC+LzVOLr MzsFxYvbnPeDGwtlQx7xF/t/e6ySaLtHmrQjRnI9AppPwdhiyP92BBAYR0HfnipimKzj kvg/+VTiMjwQbMkslgBKT0HGfz9NVLZOrF5HHhP6acI0UQK++UD3UGvqxUoU8XDSs8L/ hN9gKeKJouAz+SgUyukEppAJUFgg14QxuRVP6YZ4lOv7jzcChNLhc836Hg2zISYZbiin CwNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ZakauT3jqp8vH8dpZC9++7Cmb8eTrvPh3ryUvLAolE8=; b=QKDX7VXwRkr5nX+1g88aHb7vHQxfP8WSbs+zwyztzEhFiPAahWpogYRGHktvmiZeLU O0H6XXd6e8bkMg0j5USDj/baOotTKmoTbbuhVqxGBM6ikyUghKMEeWYiCIPFl1vv+qVh 9ayKni2o1/GEFP//riGUSIN9M+BE/0J/ga5Tzm8zymTTLh3sq/APBpm6BDy9k6ejipqA +RbOzRymO3UgWn0hHRFwjaXCii4cywDxD6HTeoHuVHZ1lRd6720Q15c58cgIPE9TzLL+ 0XQ/UrlMEKGYZ+6yByGr5k09qBdwFPmyE08nQha7XafgoLs5RErvgZi0yNlKg0LBFHvK p+MA==
X-Gm-Message-State: ALyK8tIip18lKfYTweLVw34xBIf7dW9hq1VIS+SrKvWdg0QuvWvHA2zQxEqBUeAXYgko8/fid2zuCsXvROR5nQ==
X-Received: by 10.107.146.4 with SMTP id u4mr38356705iod.189.1465982065741; Wed, 15 Jun 2016 02:14:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.115.65 with HTTP; Wed, 15 Jun 2016 02:14:11 -0700 (PDT)
In-Reply-To: <CAEB_pdccDaATC+7kXD2+vX6TVQ1Rt4Z29uMTb5=vYwT_us4V7g@mail.gmail.com>
References: <CALW8-7JZZuWszw+Zj0CWHp79wXeQ2JxvKHT0Bpiwv3hz=m493A@mail.gmail.com> <CALW8-7Js5_sAJ+4ZVg4Hg2iLH41c6aunQMHLH=M+n=neCR0UXw@mail.gmail.com> <57460090.9040901@ist.ac.at> <CAGiyFdcHxUsWeW-hrNpyaJfgK8WZzy=Mbbkc+cr=ht8tgb3CTQ@mail.gmail.com> <574D60C5.80309@ist.ac.at> <CAGiyFdfEjQ3H6HJxSqn1-cmk3fySWepNso1264nt24z0kMg7ig@mail.gmail.com> <CAEB_pdccDaATC+7kXD2+vX6TVQ1Rt4Z29uMTb5=vYwT_us4V7g@mail.gmail.com>
From: Dmitry Khovratovich <khovratovich@gmail.com>
Date: Wed, 15 Jun 2016 11:14:11 +0200
Message-ID: <CALW8-7+w0=s2F3Qs70hpeesaiwjki7OgyeHQd9zRB9vRkns0MA@mail.gmail.com>
To: Stefano Tessaro <tessaro@cs.ucsb.edu>
Content-Type: multipart/alternative; boundary="001a1148cc3a46ba2005354d8c1e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/v6dFD5va_31O8GdD8qN5w-JlA2A>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Cc: Alex Biryukov - UNI <alex.biryukov@uni.lu>, cfrg@irtf.org
Subject: Re: [Cfrg] [MASSMAIL]Re: adopting Argon2 as a CFRG document
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2016 09:14:29 -0000

Hi Stefano,

the previous attacks on Argon2i and Argon2d do have asymptotic
generalizations. The ranking attack implementation, for instance, shows
(Table 3 in [1]) that depth of random graphs can be upper bounded by a
linear function of the memory reduction factor. We knew from our  heuristic
estimates  that the adversary's advantage grows with total memory spent,
now the more rigorous techniques in the AB paper provided a proof for that.

To summarize, the AB result should be viewed as a theoretical
generalization of attacks in [1] rather than an improvement over them. It
does bring more understanding of memory-hard functions but does not lessen
the security of Argon2i with practical parameters.

[1] "Tradeoff Cryptanalysis of Memory-Hard Functions " Asiacrypt'15, also
in http://eprint.iacr.org/2015/227.pdf
-- 
Best regards,
Dmitry Khovratovich

On Tue, May 31, 2016 at 7:07 PM, Stefano Tessaro <tessaro@cs.ucsb.edu>
wrote:

> This may be obvious to many, but a point that I believe is not
> stressed enough in the on-going discussion is that the AB16 attack
> shows a substantial *asymptotic* improvement over what could be
> expected from a memory-hard function.
>
> In contrast, comparisons here are focusing on the *concrete*
> complexity of the AB16 attack for actual real-world parameters,
> compared with the best known attacks against Argon2i. (The latter
> attacks do not seem to have an obvious asymptotic generalization
> outperforming the AB16 attack, but I am happy to be corrected on
> this.)
>
> Regardless of which attack performs best, asymptotic breaks typically
> tell us more about a construction than just a number.
>
> Indeed, constants and log-factors are likely to be improved in future
> works, and the real question seems to be how much value one should put
> in asymptotic attacks and how much Argon2i (or any other design
> affected by the attacks) is resilient to potential future improvements
> of AB16.
>
> I am not advocating for any particular design. As a passive observer,
> I just feel the attacks should be compared more carefully.
>
> Stefano
>
> On Tue, May 31, 2016 at 3:44 AM, Jean-Philippe Aumasson
> <jeanphilippe.aumasson@gmail.com> wrote:
> >
> > I haven't read the AB16 paper, but I observe that
> >
> > 1) Argon2 designers say "the AB16 attack is less efficient than known
> > attacks"
> >
> > 2) Joel says "the AB16 attack is more efficient than known attacks"
> >
> > Are you guys both right for different notions of "efficient", or is one
> of
> > your analyses wrong?
> >
> > Specifically: Joel, is there something that strikes you as incorrect in
> the
> > analysis in 5.6 of https://www.cryptolux.org/images/0/0d/Argon2.pdf?
> >
> >
> >
> > On Tue, May 31, 2016 at 12:00 PM Joel Alwen <jalwen@ist.ac.at> wrote:
> >>
> >> > Furthermore, my understanding is that the Alwen-Blocki attack on
> >> > Argon2i isn't more efficient than attacks already documented, as
> >> > discussed in 5.6 in
> >> > https://www.cryptolux.org/images/0/0d/Argon2.pdf. So I don't see
> >> > these new results as a showstopper.
> >>
> >> Actually the Alwen-Blocki is more efficient then other known attacks
> >> both in terms of asymptotic and exact constants for interesting
> >> parameter ranges. This is already true for the worst case analysis in
> >> the paper. (See my earlier email in this thread for and references on
> >> this.) Moreover there is good reason to believe that it will behave far
> >> better in practice and that it can also be further improved.
> >>
> >> To be clear: I am neither advocating for nor against Argon2i (or any
> >> other algorithm). My intention at this point is to clarify what is
> >> actually known about Argon2i.
> >>
> >>
> >> As to why I responded positively to Kenny's question about having a new
> >> PHC *in an ideal world*; the reason is that recent results both in terms
> >> of attacks and security proofs all point towards a new desirable
> >> property of an iMHF. That is the underlying DAG of the iMHF should have
> >> a specific combinatoric property (called depth-robustness). Not only is
> >> being depth-robust necessary to avoid the AB16 attack, it also allows us
> >> to make provable security type statements. However constructing the most
> >> efficient & simple such graphs is not a trivial task, especially not
> >> ones which result in the strongest possible provable security
> >> statements. As such a, concerted effort to produce the best such graph
> >> combined with other properties we have learned about in the previous PHC
> >> would likely result in a significantly improved iMHF compared to
> >> everything we currently have available. Of course we may not want to
> >> wait for this, nor spend the energy on it. My reasoning and response
> >> were mindful of the "in an ideal world" part of the question.
> >>
> >> - joel
> >>
> >>  On Wed, May 25, 2016 at 9:44 PM Joel Alwen <jalwen@ist.ac.at
> >> > <mailto:jalwen@ist.ac.at>> wrote:
> >> >
> >> >
> >> >> 3. The best attacks on Argon2, published in the original design
> >> >> document in early 2015, have factor 1.3 for Argon2d and factor 3
> >> >> for Argon2i.
> >> >>
> >> >> 4. The best attack found by Alwen and Blocki has factor 2 for
> >> >> Argon2i.
> >> >>
> >> >> 5. In a bit more details, the advantage of the Alwen-Blocki attack
> >> >>  is upper bounded by (M^{1/4})/36, where M is the number of
> >> >> kilobytes used by Argon2i. Thus the attack has factor 2 with
> >> >> memory up to 16 GB, and less than 1 for memory up to 1 GB. Details
> >> >> in Section 5.6 of https://www.cryptolux.org/images/0/0d/Argon2.pdf
> >> >
> >> > I believe the results of Alwen-Blocki (AB16) actually show that at
> >> > least 6 passes over memory are required for the above suggested
> >> > parameters. - See Corollary 5.6 in [1] - See Figure 1(a) in [1] and
> >> > paragraph titled "Parameter Optimization"
> >> >
> >> > [1] https://eprint.iacr.org/2016/115
> >> >
> >> > Moreover, I think it important to note that the analysis of the
> >> > attack complexity in [1] is very "worst case" in several ways and
> >> > that this leaves room for significantly improvements in practice.
> >> > And of course the analysis was not optimized for concrete parameters
> >> > such as those mentioned above.
> >> >
> >> > Basically I think there are several good reasons to believe that 6
> >> > passes over memory are also not sufficient to avoid the attack.
> >> >
> >> > - Joel
> >> >
> >> >
> >> >
> >> >
> >> > On 05/21/2016 04:38 AM, Dmitry Khovratovich wrote:
> >> >> Some clarifications due to the increased attention to the paper by
> >> >>  Alwen and Blocki, which has been presented at the recent Eurocrypt
> >> >>  CFRG meeting.
> >> >>
> >> >> 1. One of security parameters of memory-hard password hashing
> >> >> functions is how much an ASIC attacker can reduce the area-time
> >> >> product (AT) of a password cracker implemented on ASIC. The AT is
> >> >> conjectured to be proportional to the amortized cracking cost per
> >> >> password.
> >> >>
> >> >> 2. The memory-hard functions with input-independent memory access
> >> >> (such as Argon2i) have been known for its relatively larger
> >> >> AT-reduction factor compared to functions with input-dependent
> >> >> memory access (such as Argon2d). To mitigate this, the minimum of
> >> >> 3 passes over memory for Argon2i was set.
> >> >>
> >> >> 3. The best attacks on Argon2, published in the original design
> >> >> document in early 2015, have factor 1.3 for Argon2d and factor 3
> >> >> for Argon2i.
> >> >>
> >> >> 4. The best attack found by Alwen and Blocki has factor 2 for
> >> >> Argon2i.
> >> >>
> >> >> 5. In a bit more details, the advantage of the Alwen-Blocki attack
> >> >>  is upper bounded by (M^{1/4})/36, where M is the number of
> >> >> kilobytes used by Argon2i. Thus the attack has factor 2 with
> >> >> memory up to 16 GB, and less than 1 for memory up to 1 GB. Details
> >> >> in Section 5.6 of https://www.cryptolux.org/images/0/0d/Argon2.pdf
> >> >>
> >> >> Best regards, Argon2 team
> >> >>
> >> >> On Mon, Feb 1, 2016 at 10:06 PM, Dmitry Khovratovich
> >> >> <khovratovich@gmail.com <mailto:khovratovich@gmail.com>
> >> > <mailto:khovratovich@gmail.com <mailto:khovratovich@gmail.com>>>
> >> > wrote:
> >> >>
> >> >> Dear all,
> >> >>
> >> >> as explained in a recent email
> >> >> http://article.gmane.org/gmane.comp.security.phc/3606 , we are
> >> >> fully aware of the analysis of Argon2i made by Corrigan-Gibbs et
> >> >> al. , we know how to mitigate the demonstrated effect, and have
> >> >> already made some benchmarks on the patch.
> >> >>
> >> >> Soon after the Crypto deadline (Feb-9) we will develop a new
> >> >> release including code, rationale, and test vectors.
> >> >>
> >> >> -- Best regards, the Argon2 team.
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> -- Best regards, Dmitry Khovratovich
> >> >>
> >> >>
> >> >> _______________________________________________ Cfrg mailing list
> >> >> Cfrg@irtf.org <mailto:Cfrg@irtf.org>
> >> > https://www.irtf.org/mailman/listinfo/cfrg
> >> >>
> >> >
> >> -
> >
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
> >
>
>
>
> --
> Stefano Tessaro
> Assistant Professor of Computer Science
> University of California, Santa Barbara
> http://cs.ucsb.edu/~tessaro/
>



-- 
Best regards,
Dmitry Khovratovich

v2.23.0 | Report a Bug | By Email