Re: [Cfrg] Security analysis of scrypt
Stefano Tessaro <tessaro@cs.ucsb.edu> Wed, 10 February 2016 20:11 UTC
Return-Path: <stefano.tessaro@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E5701B2F56 for <cfrg@ietfa.amsl.com>; Wed, 10 Feb 2016 12:11:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JNHF6cS1jFij for <cfrg@ietfa.amsl.com>; Wed, 10 Feb 2016 12:11:53 -0800 (PST)
Received: from mail-ig0-x22d.google.com (mail-ig0-x22d.google.com [IPv6:2607:f8b0:4001:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7D0F1B2F54 for <cfrg@irtf.org>; Wed, 10 Feb 2016 12:11:52 -0800 (PST)
Received: by mail-ig0-x22d.google.com with SMTP id hb3so21768260igb.0 for <cfrg@irtf.org>; Wed, 10 Feb 2016 12:11:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=5JAnHr3SzdRkzEPegUHYBIyLlLv/0fL5ZAmDUp+7QBs=; b=RHJcVRFseCXGZ5W6+HbLffcnwCfKBAaD6p3zGjOwyIO8t+6FFKBFFvvLg39UOg1kNM 3CaCkAruQEycjjiJbmoZHu6OsYu8Pqf4N3YeheSRk01LteSHFQxKXKgoAEd0ACCMw1h7 iCjOYjfFHblw3bCbV2r8itkPSnXo/FNGt6HOmWBytSV9fDIF7xaXJqDVuQ8VQd6RfXLw Ht7iN24fzDXL4KdDXi37UI92Z9ou8SldLY2QRZnYhZdF5WH0ruKFlIli1HnR6XA5B2Fs 4nLft392tnxMnOdWW1sRvgzPTpUutrS89MdsT1F28O9tIwBFDUyqUjfitGRB91xcU7iw vFfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=5JAnHr3SzdRkzEPegUHYBIyLlLv/0fL5ZAmDUp+7QBs=; b=TZl6SacUJW5IlaaicqA2CGbqrxsG/YSkwgmYtssi6VdSV5lu/cqdyhEaViymtg36/L CSnFz8J68lI8ln4fJevzofTOn7adihkKow1NuPkYKIWXItGQ1BDdzn7O4pv7hfTfqpHR mpEfBwUrLQBSTfXgFs6vrWZjQnfkVb/zSdYgAesLwQ+jQVxJ0u8/6bYRrh4D2QtOsHYD MYIU2SHwuMjIXS70i19LbmaPXWyw3DwX6dedlFJP2L8koxf/FbhocbmcNrvRKHJeEiY0 pmaNWqo4/5CdBTBcxq94QlpiZOPcDhrwM4F/BF2w6QAdtUOyplQjHQ7lbyZHC70JcXv8 Ikjw==
X-Gm-Message-State: AG10YOS03nADR7Juf0x5vWUmkbI2woMNWqn8QI6ZcB+HCNs2lzYYcR5EDbRqViSJK4A3kqfJHaDx0smp4eSa0A==
MIME-Version: 1.0
X-Received: by 10.50.183.2 with SMTP id ei2mr11816206igc.57.1455135112347; Wed, 10 Feb 2016 12:11:52 -0800 (PST)
Sender: stefano.tessaro@gmail.com
Received: by 10.79.6.143 with HTTP; Wed, 10 Feb 2016 12:11:52 -0800 (PST)
In-Reply-To: <CAOLP8p55r-r=WQm1u9CJgcZ=LbstV2FBT_uYR9=iyi+hSEhreA@mail.gmail.com>
References: <CAEB_pdf5ckqEtwC9N80YhNoqh77xPY2zJfuWq_BUio9wqg+Qxg@mail.gmail.com> <aaae2181e7274ad1b469c0302e182c65@ustx2ex-dag1mb1.msg.corp.akamai.com> <CAOLP8p55r-r=WQm1u9CJgcZ=LbstV2FBT_uYR9=iyi+hSEhreA@mail.gmail.com>
Date: Wed, 10 Feb 2016 12:11:52 -0800
X-Google-Sender-Auth: Kv9zdUVeEWTvJBQsY8yxzxtvc0w
Message-ID: <CAEB_pddoB7pswt3vsrh_MQropW4DNQuT8C1gQQfyHQm-ehQCxA@mail.gmail.com>
From: Stefano Tessaro <tessaro@cs.ucsb.edu>
To: Bill Cox <waywardgeek@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/wpiFg2hyIHhyXbHEDfADTUfVmqc>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Security analysis of scrypt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2016 20:11:54 -0000
To be fair, to give credits where they are due, the idea to use cc in the first place was proposed by Alwen and Serbinenko in their STOC '15 paper. They show memory-independent constructions in there that have provably high cumulative complexity (cc). From a practical standpoint, the issue is that those constructions are not as efficient as Argon2i (and it's open whether Argon2i has a proof in that model). I know Joel reads along, so he should feel free to go deeper into this. To answer another question asked by Paul, briefly. The best abstraction for the problem of evaluating memory-hard functions are pebbling games on graphs. In essence, you can place a pebble on a node if and only if all predecessors have a pebble on them -- this corresponds to being able to compute a hash when you know all of the preceding hash values you need. And you can remove pebbles at any time. Alwen and Serbinenko show a very elegant connection between finding the right graphs with high pebbling complexity and finding good data-independent constructions that are secure in the parallel random-oracle model. And they define good complexity metrics. Now, the advantage you get with data-dependent constructions is that you can think of the corresponding pebbling game as revealing the graph little by little to you, and predecessors you need to pebble are revealed to you as the game proceeds in a "randomized" fashion. The point is that you can't prepare yourself for these in advance, and this is instrumental in showing that evaluating something as simple as scrypt or Argon2d is hard. Argon2i does not give you this benefit, and you are back to the original framework of Alwen and Serbinenko, where you know the whole graph to start with. This makes finding provable data-dependent construction seemingly easier. Technically, the price that we pay is that the connection between such "randomized" pebbling games and an actual lower bound in the parallel random-oracle model is less understood. That is where we need our combinatorial conjecture. But one should also note that we prove a lower bound in an extended model of pebbling games (we call these "entangled pebbling games") which is probably enough to cover "natural" adversarial evaluation strategies. Stefano -- Stefano Tessaro Assistant Professor of Computer Science University of California, Santa Barbara http://cs.ucsb.edu/~tessaro/
- [Cfrg] Security analysis of scrypt Stefano Tessaro
- Re: [Cfrg] Security analysis of scrypt Salz, Rich
- Re: [Cfrg] Security analysis of scrypt Paul Grubbs
- Re: [Cfrg] Security analysis of scrypt Stefano Tessaro
- Re: [Cfrg] Security analysis of scrypt Stefano Tessaro
- Re: [Cfrg] Security analysis of scrypt Paul Grubbs
- Re: [Cfrg] Security analysis of scrypt Bill Cox
- Re: [Cfrg] Security analysis of scrypt Stefano Tessaro