On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model

Alwen, Joël; Chen, Binyi; Kamath, Chethan; Kolmogorov, Vladimir; Pietrzak, Krzysztof; Tessaro, Stefano

doi:10.1007/978-3-662-49896-5_13

Cited by 26 publications

(10 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Thus, the cost of purchasing/renting hardware for password cracking, approximated by a functions Area x Time (AT) complexity, can be substantial for an attacker. Specifically, AT complexity of SCRYPT [9], scales quadratically with the number of time steps [39]. Thus, as discussed in Section 2, we estimate k $ = τC H + τ 2 C mem , where C H ≈ $7 × 10 −15 [29] and C mem ≈ C H 3000 as in [30], [31].…”

Section: Memory Hard Functionsmentioning

confidence: 99%

“…Data dependent MHFs such as SCRYPT [9] have the previously mentioned side-channel vulnerabilities. Even so, SCRYPT has been found to be optimally memory hard with respect to AT complexity [39], [89]. The authors of Argon2 [18], winner of the password hashing competition [8], now recommend running in hybrid mode Argon2id to balance side-channel resistance and resistance to iMHF attacks.…”

Section: Data (In)dependent Memory Hard Functionsmentioning

confidence: 99%

See 1 more Smart Citation

On the Economics of Offline Password Cracking

Blocki

Harsha

Zhou

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

We develop an economic model of an offline password cracker which allows us to make quantitative predictions about the fraction of accounts that a rational password attacker would crack in the event of an authentication server breach. We apply our economic model to analyze recent massive password breaches at Yahoo!, Dropbox, LastPass and AshleyMadison. All four organizations were using key-stretching to protect user passwords. In fact, LastPass' use of PBKDF2-SHA256 with 10 5 hash iterations exceeds 2017 NIST minimum recommendation by an order of magnitude. Nevertheless, our analysis paints a bleak picture: the adopted key-stretching levels provide insufficient protection for user passwords. In particular, we present strong evidence that most user passwords follow a Zipf's law distribution, and characterize the behavior of a rational attacker when user passwords are selected from a Zipf's law distribution. We show that there is a finite threshold which depends on the Zipf's law parameters that characterizes the behavior of a rational attacker -if the value of a cracked password (normalized by the cost of computing the password hash function) exceeds this threshold then the adversary's optimal strategy is always to continue attacking until each user password has been cracked. In all cases (Yahoo!, Dropbox, LastPass and AshleyMadison) we find that the value of a cracked password almost certainly exceeds this threshold meaning that a rational attacker would crack all passwords that are selected from the Zipf's law distribution (i.e., most user passwords). This prediction holds even if we incorporate an aggressive model of diminishing returns for the attacker (e.g., the total value of 500 million cracked passwords is less than 100 times the total value of 5 million passwords). On a positive note our analysis demonstrates that memory hard functions (MHFs) such as SCRYPT or Argon2i can significantly reduce the damage of an offline attack. In particular, we find that because MHFs substantially increase guessing costs a rational attacker will give up well before he cracks most user passwords and this prediction holds even if the attacker does not encounter diminishing returns for additional cracked passwords. Based on our analysis we advocate that password hashing standards should be updated to require the use of memory hard functions for password hashing and disallow the use of non-memory hard functions such as BCRYPT or PBKDF2.

show abstract

Section: Memory Hard Functionsmentioning

confidence: 99%

Section: Data (In)dependent Memory Hard Functionsmentioning

confidence: 99%

On the Economics of Offline Password Cracking

Blocki

Harsha

Zhou

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…We remark that the way our hard function f RO makes use of the random oracle is quite standard and analogous to several existing cryptographic constructions (e.g., [4,5,52]), so it is unlikely that the random oracle methodology fails to apply to our hard function f RO (see more discussion in Section 1.2). Thus, one way to interpret our result is that either f h indeed shows a fundamental limitation of parallelization in the MPC model, or gives a natural counter-example for the random oracle methodology (which would be surprising).…”

Section: Our Results and Techniquesmentioning

confidence: 99%

“…There exists a universal constant c > 1 such that for any sufficiently large n > 0, let RO : {0, 1} n → {0, 1} n be a random oracle and for any n ≤ S < 2 O(n ) and S ≤ T < 2 O(n 14 ) , consider the function Line RO n,w,u,v : {0, 1} uv → {0, 1} n where w = T , v = S/u and u = n/3. Let A RO be a deterministic massively parallel computation with m < 2 O(n ) machines, local memory of size s ≤ S/c and a number of at most q < 2 n/4 random oracle queries per round per machine.…”

mentioning

confidence: 99%

On the Hardness of Massively Parallel Computation

Chung

Sun

2020

Proceedings of the 32nd ACM Symposium on Parallelism in Algorithms and Architectures

View full text Add to dashboard Cite

We investigate whether there are inherent limits of parallelization in the (randomized) massively parallel computation (MPC) model by comparing it with the (sequential) RAM model. As our main result, we show the existence of hard functions that are essentially not parallelizable in the MPC model. Based on the widely-used random oracle methodology in cryptography with a cryptographic hash function h : {0, 1} n → {0, 1} n computable in time t h , we show that there exists a function that can be computed in time O(T • t h) and space S by a RAM algorithm, but any MPC algorithm with local memory size s < S/c for some c > 1 requires at least Ω(T) 1 rounds to compute the function, even in the average case, for a wide range of parameters n ≤ S ≤ T ≤ 2 n 1/4. Our result is almost optimal in the sense that by taking T to be much larger than t h , e.g., T to be sub-exponential in t h , to compute the function, the round complexity of any MPC algorithm with small local memory size is asymptotically the same (up to a polylogarithmic factor) as the time complexity of the RAM algorithm. Our result is obtained by adapting the so-called compression argument from the data structure lower bounds and cryptography literature to the context of massively parallel computation.

show abstract

“…Balloon is a data-independent memory-hard PHS that provides higher security than the first version of Argon2i. Balloon is based on random sandwich graphs [22,104]. The t_cost parameter determines the number of rounds of computation and can be increased to enhance security without affecting the memory requirements.…”

Section: Balloon Phsmentioning

confidence: 99%

Password-Hashing Status

Hatzivasilis

2017

Cryptography

View full text Add to dashboard Cite

Computers are used in our everyday activities, with high volumes of users accessing provided services. One-factor authentication consisting of a username and a password is the common choice to authenticate users in the web. However, the poor password management practices are exploited by attackers that disclose the users' credentials, harming both users and vendors. In most of these occasions the user data were stored in clear or were just processed by a cryptographic hash function. Password-hashing techniques are applied to fortify this user-related information. The standardized primitive is currently the PBKDF2 while other widely-used schemes include Bcrypt and Scrypt. The evolution of parallel computing enables several attacks in password-hash cracking. The international cryptographic community conducted the Password Hashing Competition (PHC) to identify new efficient and more secure password-hashing schemes, suitable for widespread adoption. PHC advanced our knowledge of password-hashing. Further analysis efforts revealed security weaknesses and novel schemes were designed afterwards. This paper provides a review of password-hashing schemes until the first quarter of 2017 and a relevant performance evaluation analysis on a common setting in terms of code size, memory consumption, and execution time.

show abstract

On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model

Cited by 26 publications

References 8 publications

On the Economics of Offline Password Cracking

On the Economics of Offline Password Cracking

On the Hardness of Massively Parallel Computation

Password-Hashing Status

Contact Info

Product

Resources

About