Scrypt is Maximally Memory Hard
Joël Alwen (IST Austria), Binyi Chen (UCSB), Krzysztof Pietrzak (IST Austria), Leonid Reyzin (Boston University), Stefano Tessaro (UCSB)

Password hashing: Store a hash of a password + salt
Stored value: F(salt || password), e.g., an entry like $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/bHlhdP.Os80yXhTurpBMUbA5
F is moderately hard: honest users can still log in quickly (1 evaluation of F), while a brute-force attack (many evaluations of F) is infeasible.
Traditional hardness metric: time complexity (e.g., PKCS #5).
ASIC-resistance
Honest users (general-purpose CPU): cost per F evaluation = c.
Adversaries (ASICs): cost per F evaluation = c' << c, thanks to better parallelization and pipelining for speedup, lower energy costs, ...
Can we enforce c' ≈ c?
Idea: Memory costs (e.g., on-chip area, access time, $-cost) are platform independent.
Memory-hard functions (MHFs) [Percival, 2009]
Fast evaluation of MHF F ⇒ large memory; small memory ⇒ slow evaluation of MHF F.
Memory-hardness, more precisely [Alwen and Serbinenko, STOC '15]
Plot memory usage against time: CMC = Σ_{i=0}^{t} Memory(i), where t is the time needed to evaluate F (the area under the memory-usage curve).
Goal: Maximize cumulative memory complexity (CMC) for any (possibly parallelized) strategy to evaluate F.
Memory-hardness
Memory-hardness was the de facto requirement for the PHC (Password Hashing Competition).
Many memory-hard candidates: Argon2d, Argon2i, Scrypt, Lyra2, Balloon hashing, Catena, Yescrypt, ...
Can we build provably memory-hard functions?
Towards optimal memory hardness
Previous provably MHFs [AS15, BCS16, ABP17] are iMHFs: data-independent memory access patterns!
[Figure: memory usage over time of two MHFs, F_1 with parameter N_1 and F_2 with parameter N_2]
Two issues raised by Alwen and Blocki:
(1) No iMHF achieves optimal memory hardness.
(2) Practical iMHFs are even less memory hard for parallel evaluation strategies.
Can data-dependence help?
This paper: Scrypt is optimally memory hard
- Very first conjectured MHF: proposed by Colin Percival in 2009
- Used within PoWs in Litecoin
- Inspired the design of Argon2d, one of the winners of the Password Hashing Competition
- Covered by RFC 7914
Take home message: very first example of a function with provably optimal memory hardness.
+ it is practical, already in use, and relatively simple
Finding such a proof has been a surprisingly hard problem:
- [Percival, 2009] is incorrect
- [ACKKPT16] only gave a restricted result
Roadmap
1. The Scrypt function: definition, memory-hardness intuition, and challenges
2. Optimal memory hardness of Scrypt
3. Conclusions
Core of Scrypt: ROMix
H: a Salsa20-based "hash function" with output length w, modeled as a random oracle!
N: a tunable parameter, e.g., N = 2^14, w = 1 KB.
Phase 1 (sequential chain): X_0 = input; X_i = H(X_{i-1}) for i = 1, ..., N-1.
Phase 2 (data-dependent accesses): S_0 = H(X_{N-1}); for j = 0, ..., N-1: T_j = S_j mod N and S_{j+1} = H(S_j ⊕ X_{T_j}); the output is S_N.
ROMix: Answering challenges
T_0, T_1, ..., T_{N-1} are unpredictable challenges:
1. Need to know X_{T_j} to learn T_{j+1}.
2. Need to answer all challenges to complete the evaluation.
Useful to abstract this!
Abstraction: Round Game
Challenger vs. adversary, where the adversary is given the input X_0 and oracle access to H.
For all rounds j = 0, ..., N-1:
- the challenger picks T_j ← {0, 1, ..., N-1} uniformly at random and reveals it;
- the adversary must answer with X_{T_j}; T_{j+1} is learnt only after T_j has been answered, so every earlier challenge must have been answered before the next one is revealed.
Adversary's goal: reduce its own CMC for answering all challenges! CMC = Σ_{i=0}^{t} Memory(i).
This abstracts the 2nd phase of ROMix, except that there the challenges are H-dependent, while in the round game they are truly random!
Round game: Naïve strategy
Init: Mem[0] ← X_0; for i = 1, ..., N-1 do Mem[i] ← H(Mem[i-1]).
Upon challenge T_j: return Mem[T_j].
For round j = 0 to N-1: remember it!
Memory: Θ(N) values, i.e., Θ(N × w) bits, kept during all N rounds, hence CMC = Ω(N²w).
Round game: Memory-less strategy
Upon challenge T_j: X ← X_0; for i = 1, ..., T_j do X ← H(X); return X.
For round j = 0 to N-1: recompute it again!
Memory: Θ(1) values, i.e., Θ(w) bits; expected time per challenge = Θ(N) (T_j is uniform, so N/2 sequential H calls on average); over N rounds, CMC = Ω(N²w).
The previous two strategies are special cases with a constant memory size: Naïve strategy CMC = Ω(N²w); Memory-less strategy CMC = Ω(N²w).
A more general strategy can vary its memory consumption a lot, e.g., forget values and re-compute them afterward, or hold large memory at the time a challenge is revealed and reduce memory afterward.
Goal: prove CMC = Ω(N²w) for every strategy!
Notation: t_j = time to answer the j-th challenge.
Memory hardness: intuition
Intuition: answering a challenge fast requires a large state!
Answer quickly ⇒ large initial state; small initial state ⇒ answer slowly.
Simplifying assumption: upon learning challenge T_j, the adversary only stores p of the values X_0, ..., X_{N-1}.
Single-shot memory-time trade-off
Fact: the average distance from X_{T_j} back to the closest stored X_i preceding it is N/2p, so the expected time to answer the challenge is N/2p (figure: N = 10, p = 3, and the challenged X_{T_j} lies at dist = 3 from the closest stored value).
This holds regardless of parallelism, as the computation of X-values is inherently sequential!
Here p, the number of stored values, is proportional to |memory|, so the product of memory and answer time is essentially fixed.
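As an added example (not code from the paper or from the scrypt project), the ROMix construction and the round game above, with SHA-256 standing in for the Salsa20-based H, a constructed input, and a family of strategies that keep only p evenly spaced chain values; it generalizes the naïve (p = N) and memory-less (p = 1) strategies, and its CMC accounting shows memory × answer time staying around N² (in w-bit values × steps) for every p.

```python
import hashlib

def H(x: bytes) -> bytes:
    # Toy stand-in (assumption) for scrypt's Salsa20-based H; the paper models H as a random oracle.
    return hashlib.sha256(x).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def chain(x0: bytes, n: int) -> list:
    """First phase of ROMix: X_0 = input, X_i = H(X_{i-1}) for i = 1..N-1 (inherently sequential)."""
    xs = [x0]
    for _ in range(1, n):
        xs.append(H(xs[-1]))
    return xs

def romix(x0: bytes, n: int):
    """ROMix as on the slides; returns the output S_N and the challenges T_0..T_{N-1} it used."""
    xs, ts = chain(x0, n), []
    s = H(xs[-1])                                   # S_0 = H(X_{N-1})
    for _ in range(n):
        t = int.from_bytes(s, "little") % n         # T_j = S_j mod N: H-dependent, unpredictable
        ts.append(t)
        s = H(xor(s, xs[t]))                        # S_{j+1} = H(S_j xor X_{T_j})
    return s, ts

class StoredSubsetAdversary:
    """Round-game player keeping only p evenly spaced values X_0, X_k, X_2k, ... (k = N/p) and
    recomputing forward from the closest stored predecessor; p = N is naive, p = 1 memory-less."""
    def __init__(self, x0: bytes, n: int, p: int):
        assert n % p == 0
        self.k = n // p
        # one pass over the chain, keeping every k-th value (the rest is discarded)
        self.stored = {i: x for i, x in enumerate(chain(x0, n)) if i % self.k == 0}
        self.cmc = 0                                # cumulative memory complexity, in (w-bit values) x steps

    def answer(self, t: int) -> bytes:
        base = t - t % self.k                       # closest stored X_i preceding X_t
        x = self.stored[base]
        for _ in range(t - base):                   # dist = t - base sequential H calls
            x = H(x)
        steps = (t - base) + 1                      # +1 for the step that outputs the answer
        self.cmc += steps * (len(self.stored) + 1)  # p stored values + 1 working value, held every step
        return x

def play_round_game(x0: bytes, n: int, p: int, challenges: list):
    """Answer each T_j with X_{T_j}; returns (answers, CMC) for the p-stored-values strategy."""
    adv = StoredSubsetAdversary(x0, n, p)
    return [adv.answer(t) for t in challenges], adv.cmc
```

Feeding `romix(X0, N)[1]` into `play_round_game` plays the real, H-dependent second phase; a constructed challenge list gives the truly random round game of the abstraction.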
Three technical barriers:
1. The adversary stores arbitrary information, e.g., XOR of X_i values, halves of X_i, and reconstructs information adaptively on challenges, etc.
2. Memory variation during computation: the single-shot memory-time trade-off is not enough!
3. H-dependent challenges, as opposed to truly random ones.
How to translate this intuition into a memory-hardness proof for ROMix? This talk focuses on barriers 1 and 2; for barrier 3, see the paper!
[ACKKPT16] considered restricted strategies and exhibited round games where general storing strategies can help! [ACKKPT16] only shows CMC = Ω(N²w / log²(N)).
Roadmap
1. The Scrypt function
2. Optimal memory hardness of Scrypt: model, theorem, and proof approach
3. Conclusions
The parallel random oracle model [Alwen and Serbinenko, STOC '15]
The adversary starts from an initial state σ_0 (containing the input X_0) and evaluates ROMix(X_0) in steps. At each step it asks one batch of parallel H queries and performs unbounded (arbitrary) computation, producing the new state σ_1, σ_2, ..., σ_t.
Goal of the adversary: minimize CMC = Σ_{i=1}^{t} |σ_i|.
Main Theorem. For any adversary A evaluating ROMix, CMC(A) ≥ (1/25) · N² · (w − 4·log(N)) with overwhelming probability over the choice of H.
The 4·log(N) loss is inherent in the proof. Ω(N²w) is clearly the best possible for any construction making N queries to H: the naïve strategy makes N calls and remembers all outputs.
Proof strategy: step 1: Memory-time trade-off ⇒ lower bound on memory
The memory-time trade-off holds true not only for an adversary storing X-values, but even if the adversary stores arbitrary information!
[Figure: memory usage over time around challenges T_j and T_{j+1}; t_j = time to answer the j-th challenge. Green (memory usage at the step the challenge is revealed) is inversely proportional to orange (t_j): memory × t_j ≥ Ω(Nw).]
Single-shot memory-time trade-off: an algorithm B^H(σ, T) that, from state σ, recovers X_T within t steps. The state σ may come from arbitrary computation on H-outputs, e.g., pre-computation of H's entries, XOR of {X_i} values, halves of X_i. Goal: lower bound |σ| as a function of N and t.
[ACKKPT16]: computation on H-outputs can help in some round games.
[This result]: computation on H-outputs cannot help for Scrypt!
Lemma. For all B and for most H: if |σ| ≈ pw bits, then Pr_T[t > N/(2p)] > 1/2.
Proof idea: if the adversary B^H(σ, T) answers too fast for most challenges T, then the oracle H can be compressed using the state σ, since B^H(σ, T) can output or query many X_i values without querying H first. This cannot be true for too many H: a random oracle is incompressible [Dwork, Naor and Wee, Crypto '05], [Alwen and Serbinenko, STOC '15].
Technical barriers:
1. Adversary stores arbitrary information → single-shot memory-time trade-off for arbitrary adversaries (step 1).
2. Memory variation during computation → from the single-shot memory-time trade-off to an optimal CMC lower bound for the round game (step 2).
Proof strategy: step 2: Generalize the single-shot trade-off into a CMC lower bound
Lemma (step 1): Pr_T[t > N/(2p)] > 1/2. Hence, when learning the j-th challenge, |memory| ≥ Nw/(2 t_j), where t_j = time to answer the j-th challenge.
[Figure: memory usage over time of a general strategy, with challenges T_0, ..., T_5 and answer times t_1, ..., t_5; CMC = ???]
So far the memory-time trade-off only gives a memory lower bound for the step right before a challenge is revealed; at the other steps there is no lower bound yet.
A similar trade-off holds for every step before the challenge is revealed: the memory at every step is ≥ a function of N and the time still needed to answer the next challenge (green is inversely proportional to orange). Concretely, k steps before T_j is revealed the adversary has t_j + k steps in which to answer it, so its memory at that step is ≥ Nw/(2(t_j + k)).
During round j−1 (the t_{j−1} steps in which T_{j−1} is being answered), the sum of memory is therefore ≥ (Nw/2) · Σ_{k=1}^{t_{j−1}} 1/(t_j + k) ≈ (Nw/2) · ln(1 + t_{j−1}/t_j).
By adding these lower bounds over rounds 0 to N−1, we have CMC = Ω(N²w). (The figure illustrates the case j = 2.)
Roadmap
1. The Scrypt function
2. Optimal memory hardness of Scrypt
3. Conclusions

Summary
- Scrypt is maximally memory hard
  - First optimal memory-hardness proof.
  - Validates a practical MHF design.
- Open problem