Practical Graphs for Optimal Side-Channel Resistant Memory-Hard Functions

Alwen, Joël; Blocki, Jeremiah; Harsha, Ben

doi:10.1145/3133956.3134031

Cited by 41 publications

(36 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While solid options for password hashing and keyderivation exist [9], [8], [18], [87] the reality is that many organizations and developers select suboptimal password hashing functions [92], [19]. Thus, there is a clear need to provide developers with clear guidance about selecting secure password hash functions.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

On the Economics of Offline Password Cracking

Blocki

Harsha

Zhou

2018

2018 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

We develop an economic model of an offline password cracker which allows us to make quantitative predictions about the fraction of accounts that a rational password attacker would crack in the event of an authentication server breach. We apply our economic model to analyze recent massive password breaches at Yahoo!, Dropbox, LastPass and AshleyMadison. All four organizations were using key-stretching to protect user passwords. In fact, LastPass' use of PBKDF2-SHA256 with 10 5 hash iterations exceeds 2017 NIST minimum recommendation by an order of magnitude. Nevertheless, our analysis paints a bleak picture: the adopted key-stretching levels provide insufficient protection for user passwords. In particular, we present strong evidence that most user passwords follow a Zipf's law distribution, and characterize the behavior of a rational attacker when user passwords are selected from a Zipf's law distribution. We show that there is a finite threshold which depends on the Zipf's law parameters that characterizes the behavior of a rational attacker -if the value of a cracked password (normalized by the cost of computing the password hash function) exceeds this threshold then the adversary's optimal strategy is always to continue attacking until each user password has been cracked. In all cases (Yahoo!, Dropbox, LastPass and AshleyMadison) we find that the value of a cracked password almost certainly exceeds this threshold meaning that a rational attacker would crack all passwords that are selected from the Zipf's law distribution (i.e., most user passwords). This prediction holds even if we incorporate an aggressive model of diminishing returns for the attacker (e.g., the total value of 500 million cracked passwords is less than 100 times the total value of 5 million passwords). On a positive note our analysis demonstrates that memory hard functions (MHFs) such as SCRYPT or Argon2i can significantly reduce the damage of an offline attack. In particular, we find that because MHFs substantially increase guessing costs a rational attacker will give up well before he cracks most user passwords and this prediction holds even if the attacker does not encounter diminishing returns for additional cracked passwords. Based on our analysis we advocate that password hashing standards should be updated to require the use of memory hard functions for password hashing and disallow the use of non-memory hard functions such as BCRYPT or PBKDF2.

show abstract

Section: Discussionmentioning

confidence: 99%

“…These functions have a data access pattern independent of the input. Multiple attacks have been shown in several iMHFs [30], [84], [31], [85], [86], [87], [88]. Data dependent MHFs such as SCRYPT [9] have the previously mentioned side-channel vulnerabilities.…”

Section: Data (In)dependent Memory Hard Functionsmentioning

confidence: 99%

On the Economics of Offline Password Cracking

Blocki

Harsha

Zhou

2018

2018 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

show abstract

“…In fact, our results only establish worst case hardness of graph pebbling. We cannot rule out the existance of efficient algorithms to find optimal pebblings for practical iMHF proposals such as Argon2i [BDK16] and DRSample [ABH17]. The primary remaining challenge is to either give an efficient α-approximation algorithm to find a pebbling P ∈ P with cc(P ) ≤ αΠ cc (G) or show that Π cc (G) is hard to approximate.…”

Section: Discussionmentioning

confidence: 99%

“…However, they could not rule out the possibility that more efficient attacks might exist 4 . As it stands, there is a huge gap between the best known upper/lower bounds on Π cc (G) for Argon2i and for the new DRSample graph [ABH17], since in all practical cases the ratio between the upper bound and the lower bound is at least 10 5 . An efficient algorithm to (approximately) compute Π cc (G) would allow us to immediately resolve such debates by automatically generating upper/lower bounds on the cost of computing the iMHF for each running time parameters (n) that one might select in practice.…”

Section: Motivationmentioning

confidence: 99%

On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling

Blocki

Zhou

2018

Financial Cryptography and Data Security

Self Cite

View full text Add to dashboard Cite

We consider the computational complexity of finding a legal black pebbling of a DAG G = (V, E) with minimum cumulative cost. A black pebbling is a sequence P0, . . . , Pt ⊆ V of sets of nodes which must satisfy the following properties: P0 = ∅ (we start off with no pebbles on G), sinks(G) ⊆ j≤t Pj (every sink node was pebbled at some point) and parents Pi+1\Pi ⊆ Pi (we can only place a new pebble on a node v if all of v's parents had a pebble during the last round). The cumulative cost of a pebbling P0, P1, . . . , Pt ⊆ V is cc(P ) = |P1| + . . . + |Pt|. The cumulative pebbling cost is an especially important security metric for data-independent memory hard functions, an important primitive for password hashing. Thus, an efficient (approximation) algorithm would be an invaluable tool for the cryptanalysis of password hash functions as it would provide an automated tool to establish tight bounds on the amortized space-time cost of computing the function. We show that such a tool is unlikely to exist in the most general case. In particular, we prove the following results.-It is NP-Hard to find a pebbling minimizing cumulative cost.-The natural linear program relaxation for the problem has integrality gapÕ(n), where n is the number of nodes in G. We conjecture that the problem is hard to approximate. -We show that a related problem, find the minimum size subset S ⊆ V such that depth(G−S) ≤ d, is also NP-Hard. In fact, under the Unique Games Conjecture there is no (2 − ǫ)-approximation algorithm.3 Because the data-dependencies in an iMHF are specified by a static graph, the induced memory access pattern does not depend on the secret input (e.g., password). This makes iMHFs resistant to side-channel attacks. Data-dependent memory hard functions (MHFs) like scrypt [Per09] are potentially easier to construct, but they are potentially vulnerable to cache-timing attacks.10 The specification of Argon2i has changed several times. We use Argon2i-A to refer to the version of Argon2i from the password hashing competition, and we use Argon2i-B to refer to the version that is currently being considered for standardization by the Cryptography Form Research Group (CFRG) of the IRTF[BDKJ16].

show abstract

“…Our PIE is a graph-based file transformation. It depends on a new construct we call a Dagwood Sandwich Graph (DSaG), 2 an iterated interleaving of a depth-robust graph (DRG) with a superconcentrator [53]. Intuitively, a DRG is a directed acyclic graph that retains a long path even if an adversary removes a many nodes.…”

Section: A Public Incompressible Encoding (Pie)mentioning

confidence: 99%

PIEs

Cecchetti

Fisch

Miers

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

We present a new primitive supporting file replication in distributed storage networks (DSNs) called a Public Incompressible Encoding (PIE). PIEs operate in the challenging public DSN setting where files must be encoded and decoded with public randomness-i.e., without encryption-and retention of redundant data must be publicly verifiable. They prevent undetectable data compression, allowing DSNs to use monetary rewards or penalties in incentivizing economically rational servers to properly replicate data. Their definition also precludes critical, demonstrated attacks involving parallelism via ASICs and other custom hardware.Our PIE construction is the first to achieve experimentally validated near-optimal performance-within a factor of 4 of optimal by one metric. It also allows decoding orders of magnitude faster than encoding, unlike other comparable constructions. We achieve this high security and performance using a graph construction called a Dagwood Sandwich Graph (DSaG), built from a novel interleaving of depth-robust graphs and superconcentrators.PIEs' performance makes them appealing for DSNs, such as the proposed Filecoin system and Ethereum data sharding. Conversely, their near-optimality establishes concerning bounds on the practical financial and energy costs of DSNs allowing arbitrary data. CCS CONCEPTS• Security and privacy → Distributed systems security.

show abstract

Practical Graphs for Optimal Side-Channel Resistant Memory-Hard Functions

Cited by 41 publications

References 2 publications

On the Economics of Offline Password Cracking

On the Economics of Offline Password Cracking

On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling

PIEs

Contact Info

Product

Resources

About