Joel Alwen
ABSTRACT
We show attacks on five data-independent memory-hard functions (iMHF) that were submitted to the password hashing competition (PHC). Informally, an MHF is a function which cannot be evaluated on dedicated hardware, like ASICs, at significantly lower hardware and/or energy cost than evaluating a single instance on a standard single-core architecture. Data-independent means the memory access pattern of the function is independent of the input; this makes iMHFs harder to construct than data-dependent ones, but the latter can be attacked by various side-channel attacks.
Following [Alwen-Blocki'16], we capture the evaluation of an iMHF as a directed acyclic graph (DAG). The cumulative parallel pebbling complexity of this DAG is a measure for the hardware cost of evaluating the iMHF on an ASIC. Ideally, one would like the complexity of a DAG underlying an iMHF to be as close to quadratic in the number of nodes of the graph as possible.
Instead, we show that (the DAGs underlying) the following iMHFs are far from this bound: Rig.v2, TwoCats and Gambit each having an exponent no more than 1.75. Moreover, we show that the complexity of the iMHF modes of the PHC finalists Pomelo and Lyra2 have exponents at most 1.83 and 1.67 respectively. To show this we investigate a combinatorial property of each underlying DAG (called its depth-robustness. By establishing upper bounds on this property we are then able to apply the general technique of [Alwen-Block'16] for analyzing the hardware costs of an iMHF.
- Password hashing competition. https://password-hashing.net/.Google Scholar
- Joël Alwen and Jeremiah Blocki. Efficiently computing data-independent memory-hard functions. In Advances in Cryptology - CRYPTO 2016, Santa Barbara, CA, USA, August 14-18, 2016, LNCS Vol. 9815, pages 241--271, 2016. Full version: http://eprint.iacr.org/2016/115. Google ScholarDigital Library
- Joël Alwen and Jeremiah Blocki. Towards practical attacks on argon2i and balloon hashing. In 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, Paris, France, April 26-28, 2017, pages 142--157. IEEE, 2017. Full version: https://eprint.iacr.org/2016/759.Google ScholarCross Ref
- Joël Alwen, Jeremiah Blocki, and Ben Harsha. Practical graphs for optimal side-channel resistant memory-hard functions. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017, pages 1001--1017, 2017. Google ScholarDigital Library
- Joël Alwen, Jeremiah Blocki, and Krzysztof Pietrzak. Depth-robust graphs and their cumulative memory complexity. In Advances in Cryptology - EUROCRYPT 2017, Paris, France, April 30-May 4, 2017, LNCS Vol. 10212, pages 3--32, 2017.Google Scholar
- Joël Alwen, Jeremiah Blocki, and Krzysztof Pietrzak. Sustained space complexity. In Advances in Cryptology - EUROCRYPT 2018, Tel Aviv, Israel, April 28-May 3, 2018, 2018.Google Scholar
- Joël Alwen and Vladimir Serbinenko. High parallel complexity graphs and memory-hard functions. In Rocco A. Servedio and Ronitt Rubinfeld, editors, 47th ACM STOC, pages 595--603. ACM Press, June 2015. Google ScholarDigital Library
- Joël Alwen, Peter Gaži, Chethan Kamath, Karen Klein, Georg Osang, Krzysztof Pietrzak, Leonid Reyzin, Michal Rolínek, and Michal Rybár. On the memory-hardness of data-independent password-hashing functions. Cryptology ePrint Archive, Report 2016/783, 2016. https://eprint.iacr.org/2016/783.Google Scholar
- Guido Bertoni, Joan Daemen, Michael Peeters, and Gilles Van Assche. On the indifferentiability of the sponge construction. In Nigel P. Smart, editor, EUROCRYPT 2008, volume 4965 of LNCS, pages 181--197. Springer, Heidelberg, April 2008. Google ScholarDigital Library
- Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. The keccak reference, 2011.Google Scholar
- Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich. Argon2: New generation of memory-hard functions for password hashing and other applications. In IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, Germany, March 21-24, 2016, pages 292--302. IEEE, 2016.Google ScholarCross Ref
- Alex Biryukov and Dmitry Khovratovich. Tradeoff cryptanalysis of memory-hard functions. In Tetsu Iwata and Jung Hee Cheon, editors, ASIACRYPT 2015, Part II, volume 9453 of LNCS, pages 633--657. Springer, Heidelberg, November / December 2015. Google ScholarDigital Library
- Jeremiah Blocki, Ling Ren, and Samson Zhou. Bandwidth-hard functions: Reductions and lower bounds. Cryptology ePrint Archive, Report 2018/221, 2018. https://eprint.iacr.org/2018/221.Google Scholar
- Jeremiah Blocki and Samson Zhou. On the depth-robustness and cumulative pebbling cost of argon2i. In Theory of Cryptography - 15th International Conference, TCC 2017, Baltimore, MD, USA, Nov. 12-15, 2017, LNCS Vol. 10677, pages 445--465, 2017.Google Scholar
- Dan Boneh, Henry Corrigan-Gibbs, and Stuart E. Schechter. Balloon hashing: A memory-hard function providing provable protection against sequential attacks. In Jung Hee Cheon and Tsuyoshi Takagi, editors, Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part I, volume 10031 of Lecture Notes in Computer Science, pages 220--248, 2016.Google Scholar
- Donghoon Chang, Arpan Jati, Sweta Mishra, and Somitra Kumar Sanadhya. Rig: A simple, secure and flexible design for password hashing. In Information Security and Cryptology, pages 361--381. Springer, 2014.Google ScholarCross Ref
- Donghoon Chang, Arpan Jati, Sweta Mishra, and Somitra Kumar Sanadhya. Rig: A simple, secure and flexible design for password hashing version 2.0. 2014.Google Scholar
- Bill Cox. Twocats (and skinnycat): A compute time and sequential memory hard password hashing scheme. Password Hashing Competition. v0 edn., 2014.Google Scholar
- Thaddeus Dryja, Quanquan C. Liu, and Sunoo Park. Static-memory-hard functions and nonlinear space-time tradeoffs via pebbling. Cryptology ePrint Archive, Report 2018/205, 2018. https://eprint.iacr.org/2018/205.Google Scholar
- Christian Forler, Stefan Lucks, and Jakob Wenzel. The catena password-scrambling framework, 2015.Google Scholar
- Marcos A. Simplicio Jr., Leonardo C. Almeida, Ewerton R. Andrade, Paulo C. F. dos Santos, and Paulo S. L. M. Barreto. Lyra2: Password Hashing Scheme with improved security against time-memory trade-offs.Google Scholar
- C. Percival. Stronger key derivation via sequential memory-hard functions. In BSDCan 2009, 2009.Google Scholar
- Krisztián Pintér. Gambit -- A sponge based, memory hard key derivation function. Submission to Password Hashing Competition (PHC), 2014.Google Scholar
- Ling Ren and Srinivas Devadas. Bandwidth hard functions for ASIC resistance. In Theory of Cryptography - 15th International Conference, TCC 2017, Baltimore, MD, USA, Nov. 12-15, 2017, LNCS Vol. 10677, pages 466--492, 2017.Google Scholar
- Clark D. Thompson. Area-time complexity for VLSI. In Proceedings of the 11h Annual ACM Symposium on Theory of Computing, April 30-May 2, 1979, Atlanta, Georgia, USA, pages 81--88, 1979. Google ScholarDigital Library
- Hongjun Wu. POMELO -- A Password Hashing Algorithm, 2015.Google Scholar
Index Terms
- On the Memory-Hardness of Data-Independent Password-Hashing Functions
Recommendations
Biclique Cryptanalysis of Full Round AES-128 Based Hashing Modes
Inscrypt 2015: Revised Selected Papers of the 11th International Conference on Information Security and Cryptology - Volume 9589In this work, we revisit the security analysis of hashing modes instantiated with AES-128. We use biclique cryptanalysis as the basis for our evaluation. In Asiacrypt'11, Bogdanov et al. had proposed biclique technique for key recovery attacks on full ...
Efficiently Computing Data-Independent Memory-Hard Functions
Proceedings, Part II, of the 36th Annual International Cryptology Conference on Advances in Cryptology --- CRYPTO 2016 - Volume 9815A memory-hard function MHF f is equipped with a space cost $${\sigma } $$ and time cost $${\tau } $$ parameter such that repeatedly computing $$f_{{\sigma },{\tau }}$$ on an application specific integrated circuit ASIC is not economically advantageous ...
Improved time-memory trade-offs with multiple data
SAC'05: Proceedings of the 12th international conference on Selected Areas in CryptographyIn this paper we study time/memory/data trade-off attacks from two points of view. We show that Time-Memory trade-off (TMTO) by Hellman may be extended to Time/Memory/Key trade-off. For example, AES with 128-bit key has only 85-bit security if 243 ...
Comments