27 research outputs found

    RiffleScrambler - a memory-hard password storing function

    Full text link
    We introduce RiffleScrambler: a new family of directed acyclic graphs and a corresponding data-independent memory hard function with password independent memory access. We prove its memory hardness in the random oracle model. RiffleScrambler is similar to Catena -- updates of hashes are determined by a graph (bit-reversal or double-butterfly graph in Catena). The advantage of the RiffleScrambler over Catena is that the underlying graphs are not predefined but are generated per salt, as in Balloon Hashing. Such an approach leads to higher immunity against practical parallel attacks. RiffleScrambler offers better efficiency than Balloon Hashing since the in-degree of the underlying graph is equal to 3 (and is much smaller than in Ballon Hashing). At the same time, because the underlying graph is an instance of a Superconcentrator, our construction achieves the same time-memory trade-offs.Comment: Accepted to ESORICS 201

    Efficiently Computing Data-Independent Memory-Hard Functions

    Get PDF
    A memory-hard function (MHF) ff is equipped with a {\em space cost} σ\sigma and {\em time cost} τ\tau parameter such that repeatedly computing fσ,τf_{\sigma,\tau} on an application specific integrated circuit (ASIC) is not economically advantageous relative to a general purpose computer. Technically we would like that any (generalized) circuit for evaluating an iMHF fσ,τf_{\sigma,\tau} has area ×\times time (AT) complexity at Θ(σ2τ)\Theta(\sigma^2 * \tau). A data-independent MHF (iMHF) has the added property that it can be computed with almost optimal memory and time complexity by an algorithm which accesses memory in a pattern independent of the input value. Such functions can be specified by fixing a directed acyclic graph (DAG) GG on n=Θ(στ)n=\Theta(\sigma * \tau) nodes representing its computation graph. In this work we develop new tools for analyzing iMHFs. First we define and motivate a new complexity measure capturing the amount of {\em energy} (i.e. electricity) required to compute a function. We argue that, in practice, this measure is at least as important as the more traditional AT-complexity. Next we describe an algorithm A\mathcal{A} for repeatedly evaluating an iMHF based on an arbitrary DAG GG. We upperbound both its energy and AT complexities per instance evaluated in terms of a certain combinatorial property of GG. Next we instantiate our attack for several general classes of DAGs which include those underlying many of the most important iMHF candidates in the literature. In particular, we obtain the following results which hold for all choices of parameters σ\sigma and τ\tau (and thread-count) such that n=στn=\sigma*\tau. 1) The Catena-Dragonfly function of~\cite{forler2013catena} has AT and energy complexities O(n1.67)O(n^{1.67}). 2) The Catena-Butterfly function of~\cite{forler2013catena} has complexities is O(n1.67)O(n^{1.67}). 3) The Double-Buffer and the Linear functions of~\cite{CBS16} both have complexities in O(n1.67)O(n^{1.67}). 4) The Argon2i function of~\cite{Argon2} (winner of the Password Hashing Competition~\cite{PHC}) has complexities O(n7/4log(n))O(n^{7/4}\log(n)). 5) The Single-Buffer function of~\cite{CBS16} has complexities O(n7/4log(n))O(n^{7/4}\log(n)). 6) \emph{Any} iMHF can be computed by an algorithm with complexities O(n2/log1ϵ(n))O(n^2/\log^{1-\epsilon}(n)) for all ϵ>0\epsilon > 0. In particular when τ=1\tau=1 this shows that the goal of constructing an iMHF with AT-complexity Θ(σ2τ)\Theta(\sigma^2 * \tau) is unachievable. Along the way we prove a lemma upper-bounding the depth-robustness of any DAG which may prove to be of independent interest

    Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks

    Get PDF
    We present the Balloon password-hashing algorithm. This is the first practical cryptographic hash function that: (i) has proven memory-hardness properties in the random-oracle model, (ii) uses a password-independent access pattern, and (iii) meets or exceeds the performance of the best heuristically secure password-hashing algorithms. Memory-hard functions require a large amount of working space to evaluate efficiently and when used for password hashing, they dramatically increase the cost of offline dictionary attacks. In this work, we leverage a previously unstudied property of a certain class of graphs (“random sandwich graphs”) to analyze the memory-hardness of the Balloon algorithm. The techniques we develop are general: we also use them to give a proof of security of the scrypt and Argon2i password-hashing functions in the random-oracle model. Our security analysis uses a sequential model of computation, which essentially captures attacks that run on single-core machines. Recent work shows how to use massively parallel special-purpose machines (e.g., with hundreds of cores) to attack Balloon and other memory-hard functions. We discuss these important attacks, which are outside of our adversary model, and propose practical defenses against them. To motivate the need for security proofs in the area of password hashing, we demonstrate and implement a practical attack against Argon2i that successfully evaluates the function with less space than was previously claimed possible. Finally, we use experimental results to compare the performance of the Balloon hashing algorithm to other memory-hard functions

    Computationally Data-Independent Memory Hard Functions

    Get PDF
    Memory hard functions (MHFs) are an important cryptographic primitive that are used to design egalitarian proofs of work and in the construction of moderately expensive key-derivation functions resistant to brute-force attacks. Broadly speaking, MHFs can be divided into two categories: data-dependent memory hard functions (dMHFs) and data-independent memory hard functions (iMHFs). iMHFs are resistant to certain side-channel attacks as the memory access pattern induced by the honest evaluation algorithm is independent of the potentially sensitive input e.g., password. While dMHFs are potentially vulnerable to side-channel attacks (the induced memory access pattern might leak useful information to a brute-force attacker), they can achieve higher cumulative memory complexity (CMC) in comparison than an iMHF. In particular, any iMHF that can be evaluated in N steps on a sequential machine has CMC at most ?((N^2 log log N)/log N). By contrast, the dMHF scrypt achieves maximal CMC ?(N^2) - though the CMC of scrypt would be reduced to just ?(N) after a side-channel attack. In this paper, we introduce the notion of computationally data-independent memory hard functions (ciMHFs). Intuitively, we require that memory access pattern induced by the (randomized) ciMHF evaluation algorithm appears to be independent from the standpoint of a computationally bounded eavesdropping attacker - even if the attacker selects the initial input. We then ask whether it is possible to circumvent known upper bound for iMHFs and build a ciMHF with CMC ?(N^2). Surprisingly, we answer the question in the affirmative when the ciMHF evaluation algorithm is executed on a two-tiered memory architecture (RAM/Cache). We introduce the notion of a k-restricted dynamic graph to quantify the continuum between unrestricted dMHFs (k=n) and iMHFs (k=1). For any ? > 0 we show how to construct a k-restricted dynamic graph with k=?(N^(1-?)) that provably achieves maximum cumulative pebbling cost ?(N^2). We can use k-restricted dynamic graphs to build a ciMHF provided that cache is large enough to hold k hash outputs and the dynamic graph satisfies a certain property that we call "amenable to shuffling". In particular, we prove that the induced memory access pattern is indistinguishable to a polynomial time attacker who can monitor the locations of read/write requests to RAM, but not cache. We also show that when k=o(N^(1/log log N))then any k-restricted graph with constant indegree has cumulative pebbling cost o(N^2). Our results almost completely characterize the spectrum of k-restricted dynamic graphs

    On the Depth-Robustness and Cumulative Pebbling Cost of Argon2i

    Get PDF
    Argon2i is a data-independent memory hard function that won the password hashing competition. The password hashing algorithm has already been incorporated into several open source crypto libraries such as libsodium. In this paper we analyze the cumulative memory cost of computing Argon2i. On the positive side we provide a lower bound for Argon2i. On the negative side we exhibit an improved attack against Argon2i which demonstrates that our lower bound is nearly tight. In particular, we show that (1) An Argon2i DAG is (e,O(n3/e3)))\left(e,O\left(n^3/e^3\right)\right))-reducible. (2) The cumulative pebbling cost for Argon2i is at most O(n1.768)O\left(n^{1.768}\right). This improves upon the previous best upper bound of O(n1.8)O\left(n^{1.8}\right) [Alwen and Blocki, EURO S&P 2017]. (3) Argon2i DAG is (e,Ω~(n3/e3)))\left(e,\tilde{\Omega}\left(n^3/e^3\right)\right))-depth robust. By contrast, analysis of [Alwen et al., EUROCRYPT 2017] only established that Argon2i was (e,Ω~(n2/e2)))\left(e,\tilde{\Omega}\left(n^2/e^2\right)\right))-depth robust. (4) The cumulative pebbling complexity of Argon2i is at least Ω~(n1.75)\tilde{\Omega}\left( n^{1.75}\right). This improves on the previous best bound of Ω(n1.66)\Omega\left( n^{1.66}\right) [Alwen et al., EUROCRYPT 2017] and demonstrates that Argon2i has higher cumulative memory cost than competing proposals such as Catena or Balloon Hashing. We also show that Argon2i has high {\em fractional} depth-robustness which strongly suggests that data-dependent modes of Argon2 are resistant to space-time tradeoff attacks

    Approximating Cumulative Pebbling Cost Is Unique Games Hard

    Get PDF
    The cumulative pebbling complexity of a directed acyclic graph GG is defined as cc(G)=minPiPi\mathsf{cc}(G) = \min_P \sum_i |P_i|, where the minimum is taken over all legal (parallel) black pebblings of GG and Pi|P_i| denotes the number of pebbles on the graph during round ii. Intuitively, cc(G)\mathsf{cc}(G) captures the amortized Space-Time complexity of pebbling mm copies of GG in parallel. The cumulative pebbling complexity of a graph GG is of particular interest in the field of cryptography as cc(G)\mathsf{cc}(G) is tightly related to the amortized Area-Time complexity of the Data-Independent Memory-Hard Function (iMHF) fG,Hf_{G,H} [AS15] defined using a constant indegree directed acyclic graph (DAG) GG and a random oracle H()H(\cdot). A secure iMHF should have amortized Space-Time complexity as high as possible, e.g., to deter brute-force password attacker who wants to find xx such that fG,H(x)=hf_{G,H}(x) = h. Thus, to analyze the (in)security of a candidate iMHF fG,Hf_{G,H}, it is crucial to estimate the value cc(G)\mathsf{cc}(G) but currently, upper and lower bounds for leading iMHF candidates differ by several orders of magnitude. Blocki and Zhou recently showed that it is NP\mathsf{NP}-Hard to compute cc(G)\mathsf{cc}(G), but their techniques do not even rule out an efficient (1+ε)(1+\varepsilon)-approximation algorithm for any constant ε>0\varepsilon>0. We show that for any constant c>0c > 0, it is Unique Games hard to approximate cc(G)\mathsf{cc}(G) to within a factor of cc. (See the paper for the full abstract.)Comment: 28 pages, updated figures and corrected typo

    Depth-Robust Graphs and Their Cumulative Memory Complexity

    Get PDF
    Data-independent Memory Hard Functions (iMHFS) are finding a growing number of applications in security; especially in the domain of password hashing. An important property of a concrete iMHF is specified by fixing a directed acyclic graph (DAG) GnG_n on nn nodes. The quality of that iMHF is then captured by the following two pebbling complexities of GnG_n: \begin{itemize} \item The parallel cumulative pebbling complexity Πcc(Gn)\Pi^{\parallel}_{cc}(G_n) must be as high as possible (to ensure that the amortized cost of computing the function on dedicated hardware is dominated by the cost of memory). \item The sequential space-time pebbling complexity Πst(Gn)\Pi_{st}(G_n) should be as close as possible to Πcc(Gn)\Pi^{\parallel}_{cc}(G_n) (to ensure that using many cores in parallel and amortizing over many instances does not give much of an advantage). \end{itemize} In this paper we construct a family of DAGs with best possible parameters in an asymptotic sense, i.e., where Πcc(Gn)=Ω(n2/log(n))\Pi^{\parallel}_{cc}(G_n)=\Omega(n^2/\log(n)) (which matches a known upper bound) and Πst(Gn)\Pi_{st}(G_n) is within a constant factor of Πcc(Gn)\Pi^{\parallel}_{cc}(G_n). Our analysis relies on a new connection between the pebbling complexity of a DAG and its depth-robustness (DR) -- a well studied combinatorial property. We show that high DR is {\em sufficient} for high Πcc\Pi^{\parallel}_{cc}. Alwen and Blocki (CRYPTO\u2716) showed that high DR is {\em necessary} and so, together, these results fully characterize DAGs with high Πcc\Pi^{\parallel}_{cc} in terms of DR. Complementing these results, we provide new upper and lower bounds on the Πcc\Pi^{\parallel}_{cc} of several important candidate iMHFs from the literature. We give the first lower bounds on the memory hardness of the Catena and Balloon Hashing functions in a parallel model of computation and we give the first lower bounds of any kind for (a version) of Argon2i. Finally we describe a new class of pebbling attacks improving on those of Alwen and Blocki (CRYPTO\u2716). By instantiating these attacks we upperbound the Πcc\Pi^{\parallel}_{cc} of the Password Hashing Competition winner Argon2i and one of the Balloon Hashing functions by O(n1.71)O\left(n^{1.71} \right). We also show an upper bound of O(n1.625)O(n^{1.625}) for the Catena functions and the two remaining Balloon Hashing functions

    Practical Graphs for Optimal Side-Channel Resistant Memory-Hard Functions

    Get PDF
    A memory-hard function (MHF) fnf_n with parameter nn can be computed in sequential time and space nn. Simultaneously, a high amortized parallel area-time complexity (aAT) is incurred per evaluation. In practice, MHFs are used to limit the rate at which an adversary (using a custom computational device) can evaluate a security sensitive function that still occasionally needs to be evaluated by honest users (using an off-the-shelf general purpose device). The most prevalent examples of such sensitive functions are Key Derivation Functions (KDFs) and password hashing algorithms where rate limits help mitigate off-line dictionary attacks. As the honest users\u27 inputs to these functions are often (low-entropy) passwords special attention is given to a class of side-channel resistant MHFs called iMHFs. Essentially all iMHFs can be viewed as some mode of operation (making nn calls to some round function) given by a directed acyclic graph (DAG) with very low indegree. Recently, a combinatorial property of a DAG has been identified (called ``depth-robustness\u27\u27) which results in good provable security for an iMHF based on that DAG. Depth-robust DAGs have also proven useful in other cryptographic applications. Unfortunately, up till now, all known very depth-robust DAGs are impractically complicated and little is known about their exact (i.e. non-asymptotic) depth-robustness both in theory and in practice. In this work we build and analyze (both formally and empirically) several exceedingly simple and efficient to navigate practical DAGs for use in iMHFs and other applications. For each DAG we: - Prove that their depth-robustness is asymptotically maximal. - Prove bounds of at least 33 orders of magnitude better on their exact depth-robustness compared to known bounds for other practical iMHF. - Implement and empirically evaluate their depth-robustness and aAT against a variety of state-of-the art (and several new) depth-reduction and low aAT attacks. We find that, against all attacks, the new DAGs perform significantly better in practice than Argon2i, the most widely deployed iMHF in practice. Along the way we also improve the best known empirical attacks on the aAT of Argon2i by implementing and testing several heuristic versions of a (hitherto purely theoretical) depth-reduction attack. Finally, we demonstrate practicality of our constructions by modifying the Argon2i code base to use one of the new high aAT DAGs. Experimental benchmarks on a standard off-the-shelf CPU show that the new modifications do not adversely affect the impressive throughput of Argon2i (despite seemingly enjoying significantly higher aAT)

    The Parallel Reversible Pebbling Game: Analyzing the Post-Quantum Security of iMHFs

    Get PDF
    The classical (parallel) black pebbling game is a useful abstraction which allows us to analyze the resources (space, space-time, cumulative space) necessary to evaluate a function ff with a static data-dependency graph GG. Of particular interest in the field of cryptography are data-independent memory-hard functions fG,Hf_{G,H} which are defined by a directed acyclic graph (DAG) GG and a cryptographic hash function HH. The pebbling complexity of the graph GG characterizes the amortized cost of evaluating fG,Hf_{G,H} multiple times as well as the total cost to run a brute-force preimage attack over a fixed domain X\mathcal{X}, i.e., given y{0,1}y \in \{0,1\}^* find xXx \in \mathcal{X} such that fG,H(x)=yf_{G,H}(x)=y. While a classical attacker will need to evaluate the function fG,Hf_{G,H} at least m=Xm=|\mathcal{X}| times a quantum attacker running Grover\u27s algorithm only requires O(m)\mathcal{O}(\sqrt{m}) blackbox calls to a quantum circuit CG,HC_{G,H} evaluating the function fG,Hf_{G,H}. Thus, to analyze the cost of a quantum attack it is crucial to understand the space-time cost (equivalently width times depth) of the quantum circuit CG,HC_{G,H}. We first observe that a legal black pebbling strategy for the graph GG does not necessarily imply the existence of a quantum circuit with comparable complexity --- in contrast to the classical setting where any efficient pebbling strategy for GG corresponds to an algorithm with comparable complexity for evaluating fG,Hf_{G,H}. Motivated by this observation we introduce a new parallel reversible pebbling game which captures additional restrictions imposed by the No-Deletion Theorem in Quantum Computing. We apply our new reversible pebbling game to analyze the reversible space-time complexity of several important graphs: Line Graphs, Argon2i-A, Argon2i-B, and DRSample. Specifically, (1) we show that a line graph of size NN has reversible space-time complexity at most O(N1+2logN)\mathcal{O}\left(N^{1+\frac{2}{\sqrt{\log N}}}\right). (2) We show that any (e,d)(e,d)-reducible DAG has reversible space-time complexity at most O(Ne+dN2d)\mathcal{O}(Ne+dN2^d). In particular, this implies that the reversible space-time complexity of Argon2i-A and Argon2i-B are at most O(N2loglogN/logN)\mathcal{O}(N^2 \log \log N/\sqrt{\log N}) and O(N2/logN3)\mathcal{O}(N^2/\sqrt[3]{\log N}), respectively. (3) We show that the reversible space-time complexity of DRSample is at most O(N2loglogN/logN)\mathcal{O}(N^2 \log \log N/\log N). We also study the cumulative pebbling cost of reversible pebblings extending a (non-reversible) pebbling attack of Alwen and Blocki on depth-reducible graphs
    corecore