argon2 and egalitarian computing - cryptolux · argon2 and egalitarian computing alex biryukov...
TRANSCRIPT
![Page 1: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/1.jpg)
Argon2 and Egalitarian Computing
Alex Biryukov Dmitry Khovratovich
University of Luxembourg
January 7th, 2016
![Page 2: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/2.jpg)
I. Unfair battle
![Page 3: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/3.jpg)
Attack-defence paradigm
Attackers have always been more powerful than defenders:
• Large and variable resources;
• One weakness is sufficient;
• Can spend much time.
![Page 4: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/4.jpg)
Attack-defence paradigm
Defenders can
• Harden the protection (e.g. increase the key length);
• Sometimes restrict the attack vector (e.g. limit the exposuretime).
Secure cryptographic algorithm with sufficient key length –solution for many confidentiality, integrity, signatures, etc..
![Page 5: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/5.jpg)
Keyless setting
Sometimes, however, we do not have (long) keys.
• Reliance on human memory (password-based data protection,password-based authentication, PINs, etc.);
Brute-force attacks become possible (e.g., guess a PIN).
Moreover, integrity might become a problem in
• Unencrypted networks (P2P, blockchain).
![Page 6: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/6.jpg)
Understanding brute-force
Brute-force attacks (such as key guessing) are most efficient oncustom hardware: multiple computing cores on large ASICs.
Practical example of SHA-2 hashing (Bitcoin):
• 232 hashes/joule on ASIC;
• 217 hashes/joule on laptop.
Consequences
• Keys lose 15 bits;
• Passwords become 3 lowercase letters shorter;
• PINs lose 5 digits.
ASIC-equipped attackers are the threat from the near future.
ASICs have high entry costs, but FPGA and GPU are employedtoo.
![Page 7: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/7.jpg)
Understanding brute-force
Brute-force attacks (such as key guessing) are most efficient oncustom hardware: multiple computing cores on large ASICs.
Practical example of SHA-2 hashing (Bitcoin):
• 232 hashes/joule on ASIC;
• 217 hashes/joule on laptop.
Consequences
• Keys lose 15 bits;
• Passwords become 3 lowercase letters shorter;
• PINs lose 5 digits.
ASIC-equipped attackers are the threat from the near future.
ASICs have high entry costs, but FPGA and GPU are employedtoo.
![Page 8: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/8.jpg)
Understanding brute-force
Brute-force attacks (such as key guessing) are most efficient oncustom hardware: multiple computing cores on large ASICs.
Practical example of SHA-2 hashing (Bitcoin):
• 232 hashes/joule on ASIC;
• 217 hashes/joule on laptop.
Consequences
• Keys lose 15 bits;
• Passwords become 3 lowercase letters shorter;
• PINs lose 5 digits.
ASIC-equipped attackers are the threat from the near future.
ASICs have high entry costs, but FPGA and GPU are employedtoo.
![Page 9: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/9.jpg)
We need to slow down such attackers withoutburdening the defenders.
![Page 10: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/10.jpg)
II. Argon2 for passwords
![Page 11: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/11.jpg)
Password-based authentication
Keyless password authentication:• User registers with name l and password p;• Server selects hash function H, generates salt s, and stores
(l ,H(s, p));• User sends (l , p′) during the login;• Server matches (l ,H(s, p′)) with its password file.
Problems:
• Password files are often leakedunencrypted;
• Passwords have low entropy(”123456”);
• Regular cryptographic hashfunctions are cracked onGPU/FPGA/ASIC;
• Many iterations of SHA-256 dolittle help as this slows downeveryone.
![Page 12: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/12.jpg)
Password-based authentication
Keyless password authentication:• User registers with name l and password p;• Server selects hash function H, generates salt s, and stores
(l ,H(s, p));• User sends (l , p′) during the login;• Server matches (l ,H(s, p′)) with its password file.
Problems:
• Password files are often leakedunencrypted;
• Passwords have low entropy(”123456”);
• Regular cryptographic hashfunctions are cracked onGPU/FPGA/ASIC;
• Many iterations of SHA-256 dolittle help as this slows downeveryone.
![Page 13: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/13.jpg)
Solution
Since 2003, memory-intensive computations have been proposed.
Computing with a lot of memory would require a very large andexpensive chip.
Memory
Core
With large memory on-chip, the ASIC advantage vanishes.
![Page 14: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/14.jpg)
Time-space tradeoffs and memory-hardness
Clearly, there should be no memoryless equivalent (thusmemory-hardness).
Time-space tradeoff: how time grows if space is reduced.
Time
Space
Normal computation
S
T
T = f (1/S).
Linear f means equal trading of space for time. We want f to besuperpolynomial.
![Page 15: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/15.jpg)
Password Hashing Competition (2013-2015)
Requirements for a new scheme:
• Maximum cracking cost per password on all platforms;
• Tunable time, memory parameters.
• Security against time-space tradeoffs;
• Transparent design;
• Flexibility.
• Ideally, side-channel protection (missing in scrypt) and tunableparallelism.
Timeline
• 2013: Call for submissions.
• Feb 2014: 24 submissions.
• Dec 2014: 9 second-phase candidates.
• Jul 2015: 1 winner (Argon2), 4 special recognitions: Catena,Lyra2, yescrypt and Makwa (delegation hashing).
![Page 16: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/16.jpg)
How we designed Argon2
![Page 17: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/17.jpg)
Design of Argon2
To facilitate analysis, we selected the simplest secure mode ofoperation:
G GG
ii− 1 i+ 1φ(i+ 1)φ(i)
• Fill memory blockwise;
• Each block is a function of a previous and some older(reference) block;
• The reference index may (better tradeoff protection) or maynot (side-channel protection) depend on the input;
• Weak and wide compression function G .
![Page 18: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/18.jpg)
Argon2 unleashed
p lanes
4 slices
Password
Salt
ContextH H
Tag
Properties:
• Preimage and collision resistance;
• Adjustable and inseparable parallelism;
• Core: larger and shorter variant (1/5) of Blake2b;
• Exponential time-space tradeoff.
Any part of the Argon2 chain is memory-hard.
![Page 19: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/19.jpg)
Performance
We took a number of steps to speed up the memory filling on thex64 architecture:
• Wide registers and SIMD instructions;
• 1 KB blocks;
• Number of Blake2 rounds balanced with the memory latency.
Multithreaded Argon2 securely fills memory at 0.65 cycles/byte.
Memory bandwidth up to 5.5 GB/sec.
Try
https://github.com/P-H-C/phc-winner-argon2 [C89]
https://github.com/khovratovich/Argon2 [C++11]
![Page 20: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/20.jpg)
Apparently, this method of slowing down passwordcrackers has other applications...
![Page 21: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/21.jpg)
III. Egalitarian computing
![Page 22: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/22.jpg)
Why egalitarian
Bitcoin dream
• An egalitarian currency where every user could mine money onhis own laptop...
...and reality:
• A bunch of users with factory-size rigs and their own powerplants control > 50% of network in a single pool.
![Page 23: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/23.jpg)
Why egalitarian
Bitcoin dream
• An egalitarian currency where every user could mine money onhis own laptop...
...and reality:
• A bunch of users with factory-size rigs and their own powerplants control > 50% of network in a single pool.
![Page 24: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/24.jpg)
Slowing brute-force
Argon2 ensures that both defenders and attackers hash passwordson the same platform (x86).
This is desirable for some other tasks to slow down brute force oncustom hardware:
• Password-based protocols (key agreement, secret sharing);
• Password-based encryption;
• Proofs of work for cryptocurrencies/blockchain;
• Client puzzles for denial-of-service protection.
Proof-of-work – a certificate that confirms that the prover made acertain amount of computations (typically to slow him down forcertain time). Clearly the cost of the work must not fluctuateacross platforms.
![Page 25: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/25.jpg)
Slowing brute-force
Argon2 ensures that both defenders and attackers hash passwordson the same platform (x86).
This is desirable for some other tasks to slow down brute force oncustom hardware:
• Password-based protocols (key agreement, secret sharing);
• Password-based encryption;
• Proofs of work for cryptocurrencies/blockchain;
• Client puzzles for denial-of-service protection.
Proof-of-work – a certificate that confirms that the prover made acertain amount of computations (typically to slow him down forcertain time). Clearly the cost of the work must not fluctuateacross platforms.
![Page 26: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/26.jpg)
Equihash
Memory-hard proof-of-work based on Generalized Birthday(k-XOR) problem [NDSS 2016]
I
AWagner’salgorithm
HDifficultyfilter
V
(x1, x2, . . .)
0
n, k
for 2k-XOR
?
x86/GPU-oriented 700-MB proof is 120 bytes long.
Good for ASIC-resistant client puzzles.
Apparently, any NP-complete problem is a natural candidate for amemory-hard proof-of-work...
![Page 27: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/27.jpg)
Egalitarian computing
Egalitarian computing ensures that legitimateusers and attackers are equal as they are forced touse the same platform.
![Page 28: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/28.jpg)
How?
Suppose you develop a scheme where the exact output value isnot important (encryption, signature, etc.).
Amalgamate the computation with a memory-hard functionsuch as Argon2.
If you already use some CPU time, why not using the availablememory for that period?
![Page 29: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/29.jpg)
Alteration
Alter the computing: inject memory-hard blocks in between thesubfunction calls.
Argon2
h1 h2 hT
In Out
h1 h2 hT
In Out
Maybe even feed them back to Argon2 (may need stregthening thecompression function).
![Page 30: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/30.jpg)
Memory-hard encryption
![Page 31: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/31.jpg)
Memory-hard encryption
Password-based disk encryption:
• Encryption by chunks with password-based key;
• Trial decryption requires only a few blockcipher calls;
• Passwords can be tried offline.
We propose to bind it to a memory-hard function to makeencryption and decryption run on the same hardware andnon-outsourceable.
![Page 32: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/32.jpg)
Memory-hard encryption
Disk encryption with memory-hard function based on Zaverucha’sidea of using All-or-Nothing transform (or another scheme withoutonline decryption):
pwd H
HK1
random
m1
C′′1
E
C′′2
m2
K0
H
C1 C2 Cq+1
Argon2
header body
K1 K1
K0 K0
ECBE
ECB
ECBC
ECBC
ECBC
• Any chunk size;• Any memory size;• No way to precompute either part.
![Page 33: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/33.jpg)
MTP: memory-hard proof-of-work based on Argon2
The PC-oriented 2 GB-proof is 180 KB long (faster but longerthan Equihash).
I
Argon2
Φ
Merkle tree
N
H
Nonce
i1
H
i1
iL
H
iL
Y
d trailing zeros?No Yes
Open 2L blocks
Parallelism inevitable so bandwidth-hardness.
![Page 34: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/34.jpg)
New world
Egalitarian computing
• deems 6-letter passwords secure;
• brings back 80-bit keys;
• renders DoS attacks harder;
• suffrages blockchain users.
It is a chance to revert Moore’s law.
![Page 35: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/35.jpg)
Cryptography
Some dirty crypto in
• Tradeoff (time-space) cryptanalysis (Asiacrypt 2015);
• Memory-hardness proofs (ePrint on scrypt);
• Memory-hard modes of operation (Argon2 – Euro S&P 2016);
• Asymmetric proof-of-work based on (NP-)hard problems(NDSS 2016);
• Memory-hard obfuscation and white-box cryptography(Asiacrypt 2014).
![Page 36: Argon2 and Egalitarian Computing - CryptoLUX · Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016](https://reader030.vdocument.in/reader030/viewer/2022021612/5b5a17da7f8b9aa30c8b5a3a/html5/thumbnails/36.jpg)
God may have made men, but Samuel Colt madethem equal
Use Egalitarian Computing