Towards Practical Attacks on Argon2i and Balloon Hashing

2017 IEEE European Symposium on Security and Privacy (EuroS&P) Pub Date : 2017-04-26 DOI:10.1109/EuroSP.2017.47

J. Alwen, Jeremiah Blocki

{"title":"Towards Practical Attacks on Argon2i and Balloon Hashing","authors":"J. Alwen, Jeremiah Blocki","doi":"10.1109/EuroSP.2017.47","DOIUrl":null,"url":null,"abstract":"The algorithm Argon2i-B of Biryukov, Dinu and Khovratovich is currently being considered by the IRTF (Internet Research Task Force) as a new de-facto standard for password hashing. An older version (Argon2i-A) of the same algorithm was chosen as the winner of the recent Password Hashing Competition. An important competitor to Argon2i-B is the recently introduced Balloon Hashing (BH) algorithm of Corrigan-Gibs, Boneh and Schechter. A key security desiderata for any such algorithm is that evaluating it (even using a custom device) requires a large amount of memory amortized across multiple instances. Alwen and Blocki (CRYPTO 2016) introduced a class of theoretical attacks against Argon2i-A and BH. While these attacks yield large asymptotic reductions in the amount of memory, it was not, a priori, clear if (1) they can be extended to the newer Argon2i-B, (2) the attacks are effective on any algorithm for practical parameter ranges (e.g., 1GB of memory) and (3) if they can be effectively instantiated against any algorithm under realistic hardware constrains. In this work we answer all three of these questions in the affirmative for all three algorithms. This is also the first work to analyze the security of Argon2i-B. In more detail, we extend the theoretical attacks of Alwen and Blocki (CRYPTO 2016) to the recent Argon2i-B proposal demonstrating severe asymptotic deficiencies in its security. Next we introduce several novel heuristics for improving the attack's concrete memory efficiency even when on-chip memory bandwidth is bounded. We then simulate our attacks on randomly sampled Argon2i-A, Argon2i-B and BH instances and measure the resulting memory consumption for various practical parameter ranges and for a variety of upperbounds on the amount of parallelism available to the attacker. Finally we describe, implement, and test a new heuristic for applying the Alwen-Blocki attack to functions employing a technique developed by Corrigan-Gibs et al. for improving concrete security of memory-hard functions. We analyze the collected data and show the effects various parameters have on the memory consumption of the attack. In particular, we can draw several interesting conclusions about the level of security provided by these functions. ● For the Alwen-Blocki attack to fail against practical memory parameters, Argon2i-B must be instantiated with more than 10 passes on memory — beyond the \"paranoid\" parameter setting in the current IRTF proposal. ● The technique of Corrigan-Gibs for improving security can also be overcome by the Alwen-Blocki attack under realistic hardware constraints. ● On a positive note, both the asymptotic and concrete security of Argon2i-B seem to improve on that of Argon2i-A.","PeriodicalId":233564,"journal":{"name":"2017 IEEE European Symposium on Security and Privacy (EuroS&P)","volume":"27 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-04-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"33","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE European Symposium on Security and Privacy (EuroS&P)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/EuroSP.2017.47","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 33

Abstract

The algorithm Argon2i-B of Biryukov, Dinu and Khovratovich is currently being considered by the IRTF (Internet Research Task Force) as a new de-facto standard for password hashing. An older version (Argon2i-A) of the same algorithm was chosen as the winner of the recent Password Hashing Competition. An important competitor to Argon2i-B is the recently introduced Balloon Hashing (BH) algorithm of Corrigan-Gibs, Boneh and Schechter. A key security desiderata for any such algorithm is that evaluating it (even using a custom device) requires a large amount of memory amortized across multiple instances. Alwen and Blocki (CRYPTO 2016) introduced a class of theoretical attacks against Argon2i-A and BH. While these attacks yield large asymptotic reductions in the amount of memory, it was not, a priori, clear if (1) they can be extended to the newer Argon2i-B, (2) the attacks are effective on any algorithm for practical parameter ranges (e.g., 1GB of memory) and (3) if they can be effectively instantiated against any algorithm under realistic hardware constrains. In this work we answer all three of these questions in the affirmative for all three algorithms. This is also the first work to analyze the security of Argon2i-B. In more detail, we extend the theoretical attacks of Alwen and Blocki (CRYPTO 2016) to the recent Argon2i-B proposal demonstrating severe asymptotic deficiencies in its security. Next we introduce several novel heuristics for improving the attack's concrete memory efficiency even when on-chip memory bandwidth is bounded. We then simulate our attacks on randomly sampled Argon2i-A, Argon2i-B and BH instances and measure the resulting memory consumption for various practical parameter ranges and for a variety of upperbounds on the amount of parallelism available to the attacker. Finally we describe, implement, and test a new heuristic for applying the Alwen-Blocki attack to functions employing a technique developed by Corrigan-Gibs et al. for improving concrete security of memory-hard functions. We analyze the collected data and show the effects various parameters have on the memory consumption of the attack. In particular, we can draw several interesting conclusions about the level of security provided by these functions. ● For the Alwen-Blocki attack to fail against practical memory parameters, Argon2i-B must be instantiated with more than 10 passes on memory — beyond the "paranoid" parameter setting in the current IRTF proposal. ● The technique of Corrigan-Gibs for improving security can also be overcome by the Alwen-Blocki attack under realistic hardware constraints. ● On a positive note, both the asymptotic and concrete security of Argon2i-B seem to improve on that of Argon2i-A.

查看原文本刊更多论文

对Argon2i和气球哈希的实际攻击

Biryukov, Dinu和Khovratovich的算法Argon2i-B目前正在被IRTF(互联网研究任务组)考虑作为密码散列的新事实上的标准。相同算法的旧版本(Argon2i-A)被选为最近密码哈希竞赛的获胜者。Argon2i-B的一个重要竞争对手是最近推出的Corrigan-Gibs, Boneh和Schechter的气球哈希(BH)算法。对于任何这样的算法，一个关键的安全需求是，评估它(即使使用自定义设备)需要在多个实例上分摊大量内存。Alwen和Blocki (CRYPTO 2016)介绍了一类针对Argon2i-A和BH的理论攻击。虽然这些攻击在内存数量上产生了大量的渐近减少，但它并不先验地清楚，如果(1)它们可以扩展到较新的Argon2i-B，(2)攻击对实际参数范围(例如，1GB内存)的任何算法有效，以及(3)如果它们可以在实际硬件约束下有效地针对任何算法实例化。在这项工作中，我们以肯定的方式回答了这三个问题。这也是首次对Argon2i-B的安全性进行分析。更详细地说，我们将Alwen和Blocki (CRYPTO 2016)的理论攻击扩展到最近的Argon2i-B提案，证明其安全性存在严重的渐近缺陷。接下来，我们介绍了几种新的启发式方法，即使在片上存储带宽有限的情况下，也可以提高攻击的具体内存效率。然后我们在随机采样的Argon2i-A, Argon2i-B和BH实例上模拟我们的攻击，并测量各种实际参数范围和攻击者可用的并行量的各种上限的内存消耗。最后，我们描述、实现并测试了一种新的启发式算法，该算法采用Corrigan-Gibs等人开发的技术，用于将Alwen-Blocki攻击应用于函数，以提高内存硬函数的具体安全性。我们分析了收集到的数据，并展示了各种参数对攻击内存消耗的影响。特别是，我们可以得出关于这些函数提供的安全级别的几个有趣的结论。对于Alwen-Blocki攻击失败的实际内存参数，Argon2i-B必须实例化超过10次内存传递-超过当前IRTF提案中的“偏执”参数设置。●Corrigan-Gibs提高安全性的技术也可以在现实硬件约束下被Alwen-Blocki攻击所克服。从积极的方面来看，Argon2i-B的渐近和具体安全性似乎都比Argon2i-A有所提高。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2017 IEEE European Symposium on Security and Privacy (EuroS&P)

自引率

0.00%

发文量