Attacking Data Independent Memory Hard Functions Printing: Jeremiah Blocki (Microsoft Research) Joel Alwen (IST Austria) This poster is 48” wide by 36” high. It’s designed to be printed on a large ABSTRACT Attack Quality and Ideal iMHFs PRACTICAL RESULTS printer. We demonstrate an algorithm for evaluating data-independent memory-hard functions (Amortized) Quality of Attack A Amortized by #instances (iMHFs) with significantly less cumulative resources (e.g., memory/energy) than ideally 퐶퐶(푁푎푖푣푒) of iMHF computed. desired of such algorithms. In particular we get that: Quality 퐴 = • Catena-Dragonfly and Catena-Butterfly can be computed by an algorithm with 퐶퐶 퐴 × #푖푛푠푡(퐴) Customizing the Content: cumulative cost O 풏ퟓ/ퟑ --- an improvement of O 풏ퟏ/ퟑ . c-Ideal iMHF • • Argon2i (winner of the Password Hashing Competition) can be computed by an For all attacks A, Quality(A) ≤ 푐 Thm (Bad News): No The placeholders in this ퟕ/ퟒ ퟏ/ퟒ • DAG has constant indegree algorithm with cumulative cost 푶 풏 --- an improvement of 푶 풏 . c-Ideal iMHF exists for 풏ퟐ 1−휀 formatted for you. • Any iMHF can be computed by algorithm with cumulative cost O for any Significance? 풍풐품ퟏ−휺 풏 푐 = 푂 푙표푔 푛 . constant 휺 > ퟎ--- an improvement of O 풍풐품ퟏ−휺 풏 . • Cost of computing H varies greatly across architectures. placeholders to add text, or click an icon • Contrast: memory costs are consistent across architectures. In particular, this shows that the goal of constructing an iMHF requiring 휴 풏ퟐ cumulative resources is infeasible. to add a table, chart, SmartArt graphic, Depth-Robust DAGs are Necessary Attacking Argon2i picture or multimedia file. iMHF (Password Hash Function) Definition: We say that a DAG G=(V,E) is (e,d)-node robust if Argon2i DAG: G=(V,E), indegree=2 T A data-independent memory hard function (iMHF) is defined by ∀푆 ⊆ 푉: 푆 ≤ 푒 ⇒ depth 퐺 − 푆 ≥ 푑. Edges: (vi,vi+1), (vr(i),vi) for i ≤ 푛 r(i)~Uniform([i-1]) text, just click the Bullets button on the • an underlying compression function H, and Length of longest • a directed-acyclic graph (DAG) representing data-dependencies 4 remaining path after Lemma: Let 푆1 = 푣푖 푖 = 푗 × 푛 , and Home tab. removing nodes in S. 푆 = 푣 푣푟(푖)and v in same layer . Then Input: 2 4 2 푖 Th푖 1 Output: L4 3/4 If you need more placeholders for titles, pwd, salt 3 Theorem (Depth-Robustness is a necessary condition): If G is not depth(G-S1-S2) ≤ 푛, and E 푆2 = 푂 푛 log 푛 퐿 = 퐻(퐿 , 퐿 ) (e,d)-node robust then is an (efficient) attack A such that content 퐿1 = 퐻(푝푤푑, 푠푎푙푡) 3 2 1 … 4 Advantage: Data-dependent MHFs (e.g., SCRYPT) are vulnerable to side-channel attacks due to their … Layer 푛 푔푛 data-dependent memory access pattern. Quality 퐴 = 휴 Thmax . of what you need and drag it into place. 푑≤푔≤푛 푑푛+푔2+푔푒 푛3/4+1 +2 +3 +4 푛 … 2푛3/4 Computing an iMHF (Pebbling) Layer 1 PowerPoint’s Smart Guides will help you 3/4 Theorem (No DAG is sufficiently depth robust): If a DAG G=(V,E) has 1 2 3 … 4 푛 … 푛 Layer 0 align it with everything else. Pebbling Rules: constant indegree then we can (efficiently) find 푆 ⊆ 푉, s.t Want to use your own pictures instead • 1−휀 푛 May place a pebble on node v1 during any round. 푆 ≤ 푂 푛/ 푙표푔 푛 andTh depth 퐺 − 푆 ≤ log2 푛 CONCLUSION • May remove a pebble from DAG in any round. of ours? No problem! Just Note: yields attack with Quality 퐴 = 훺 푙표푔1−휀 푛 . • May place a pebble on an unpebbled node vi during Practical attacks against every picture round j only if all parents had pebbles on round j-1. MAIN ATTACK (GEN-PEBBLE) (known) iMHFs: Maintain the proportion of pictures as Pebbling Costs: • Argon2i you resize by dragging a corner. • (Each Round) pay energy cost (1 mwt) for each pebble --- In ≤ d rounds we can recover all of the • Catena cost to store value in memory. pebbles. • Pay energy cost 푅 to place a new pebble on the DAG • Balloon Hashing (New) (e.g., 푅 ≈ 3,000 mwt is cost to compute H) One Balloon Phase: Cost = O(dn) REFERENCES Cumulative Cost of Pebbling Algorithm A: All Balloon Phases: 2 • Password Hashing Competition (https://password-hashing.net/) #푟표푢푛푑푠 Total Cost= O(dn /g). • Alex Biryukov ,Daniel Dinu and Dmitry Khovratovich. Argon2: new generation of memory-hard cc A = 푅 × #queries(H) + (#푝푒푏푏푙푒푠(푗)) Each round of a balloon functions for password hashing and other applications. EURO S&P 2016. phase is potentially • Christian Forler, Stefan Lucks and Jakob Wenzel. Catena: A memory-consuming password 푗=1 Light Phase: Discard most pebbles! very expensive. scrambler. ASIACRYPT 2014. • Only keep pebbles on parents of next g nodes. • Alex Biryukov and Dmitry Khovratovich. Fast and Tradeoff-resilient memory-hard functions for Key: balloon phase Naïve Pebbling Algorithm N: • One Light Phase: Cost = O(g|S|) cryptocurrencies and password hashing. ASIACRYPT 2015. ends quickly! • Cythia Dwork, Moni Naor and Hoeteck Wee. Pebbling and proofs of work. CRYPTO 2005. • Pebble graph in topological order (n rounds). • All Light Phases: Total Cost = O(g|S|(n/g))= O(n|S|) • Joel Alwen and Vladimir Servinenko. High Parallel Complexity Graphs an Memory-Hard • Cumulative Cost: Functions. STOC 2015. 2 • Joel Alwen and Jeremiah Blocki. Efficiently Computing Data-Independent Memory-Hard cc(N)=O 푛 Functions. http://eprint.iacr.org/2016/115