Argon2 Function and Hardware Platform Optimization for OpenSSL
Recommended publications
-
Computationally Data-Independent Memory Hard Functions
Computationally Data-Independent Memory Hard Functions. Mohammad Hassan Ameri, Jeremiah Blocki, Samson Zhou. November 18, 2019. Abstract: Memory hard functions (MHFs) are an important cryptographic primitive that are used to design egalitarian proofs of work and in the construction of moderately expensive key-derivation functions resistant to brute-force attacks. Broadly speaking, MHFs can be divided into two categories: data-dependent memory hard functions (dMHFs) and data-independent memory hard functions (iMHFs). iMHFs are resistant to certain side-channel attacks as the memory access pattern induced by the honest evaluation algorithm is independent of the potentially sensitive input, e.g., a password. While dMHFs are potentially vulnerable to side-channel attacks (the induced memory access pattern might leak useful information to a brute-force attacker), they can achieve higher cumulative memory complexity (CMC) than an iMHF. In particular, any iMHF that can be evaluated in $N$ steps on a sequential machine has CMC at most $O\left(\frac{N^2 \log\log N}{\log N}\right)$. By contrast, the dMHF scrypt achieves maximal CMC $\Omega(N^2)$, though the CMC of scrypt would be reduced to just $O(N)$ after a side-channel attack. In this paper, we introduce the notion of computationally data-independent memory hard functions (ciMHFs). Intuitively, we require that the memory access pattern induced by the (randomized) ciMHF evaluation algorithm appears to be independent from the standpoint of a computationally bounded eavesdropping attacker, even if the attacker selects the initial input. We then ask whether it is possible to circumvent the known upper bound for iMHFs and build a ciMHF with CMC $\Omega(N^2)$.
-
Characteristics and Applications of Cryptographic Hash Functions in Password Management
Characteristics and applications of cryptographic hash functions in password management. Alicia Lorena Andrade Bazurto, Instituto Universitario de Investigación en Informática, Escuela Politécnica Superior. Thesis submitted for the degree of Doctor by the Universidad de Alicante, doctoral programme in Computer Science. Supervised by Dr. Rafael I. Álvarez Sánchez. Alicante, July 2019. Contents: List of tables; List of figures; Acknowledgements; Resumen (abstract in Spanish); Resum (abstract in Catalan); Abstract; 1 Introduction; 1.1 Objectives
-
Navigating Artificial Intelligence
July 24, 2018. Semiconductor. Navigating Artificial Intelligence Technology: Get real with artificial intelligence (AI). "Seriously, do you think you could actually purchase one of my kind in Walmart, say in the next 10 years?" "You do?! You'd better read this report from cover to cover, and I assure you Peter is not being funny at all this time." ■ Fantasies remain in Star Trek. Let's talk about practical AI technologies. ■ There are practical limitations in using today's technology to realise AI elegantly. ■ AI is to be enabled by a collaborative ecosystem, likely dominated by "gorillas". ■ An explosion of innovations in AI is happening to enhance user experience. ■ Rewards will go to the problem solvers that have invested in R&D ahead of others. Analyst(s): Peter CHAN, T (82) 2 6730 6128, E [email protected]. Powered by the EFA Platform. IMPORTANT DISCLOSURES, INCLUDING ANY REQUIRED RESEARCH CERTIFICATIONS, ARE PROVIDED AT THE END OF THIS REPORT. IF THIS REPORT IS DISTRIBUTED IN THE UNITED STATES IT IS DISTRIBUTED BY CIMB SECURITIES (USA), INC. AND IS CONSIDERED THIRD-PARTY AFFILIATED RESEARCH. Table of contents: Key charts; Executive summary; I. From human to machine
-
Argon2: the Memory-Hard Function for Password Hashing and Other Applications
Argon2: the memory-hard function for password hashing and other applications. Designers: Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich, University of Luxembourg, Luxembourg. [email protected], [email protected], [email protected]. https://www.cryptolux.org/index.php/Argon2, https://github.com/P-H-C/phc-winner-argon2, https://github.com/khovratovich/Argon2. Version 1.3 of Argon2: PHC release, February 29, 2016. Contents: 1 Introduction; 2 Definitions (2.1 Motivation; 2.2 Model for memory-hard functions); 3 Specification of Argon2 (3.1 Inputs; 3.2 Operation; 3.3 Indexing; 3.4 Compression function G); 4 Features (4.1 Available features; 4.2 Possible future extensions); 5 Security analysis (5.1 Ranking tradeoff attack; 5.2 Memory optimization attack; 5.3 Attack on iterative compression function; 5.4 Security of Argon2 to generic attacks; 5.5 Security of Argon2 to ranking tradeoff attacks; 5.6 Security of Argon2i to generic tradeoff attacks on random graphs; 5.7 Summary of tradeoff attacks); 6 Design rationale (6.1 Indexing function; 6.2 Implementing parallelism; 6.3 Compression function design (6.3.1 Overview; 6.3.2 Design criteria); 6.4 User-controlled parameters); 7 Performance (7.1 x86 architecture); 8 Applications; 9 Recommended parameters; 10 Conclusion; A Permutation P; B Additional functionality; C Change log (C.1 v.1.3; C.2 v1.2.1, February 1st, 2016
-
Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain
I. J. Computer Network and Information Security, 2021, 2, 1-15. Published Online April 2021 in MECS (http://www.mecs-press.org/). DOI: 10.5815/ijcnis.2021.02.01. Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain. Alexandr Kuznetsov, Inna Oleshko, Vladyslav Tymchenko, Konstantin Lisitsky, Mariia Rodinko and Andrii Kolhatin. V. N. Karazin Kharkiv National University, Svobody sq., 4, Kharkiv, 61022, Ukraine (Kuznetsov, Tymchenko, Lisitsky, Rodinko, Kolhatin); Kharkiv National University of Radio Electronics, Nauky Ave. 14, Kharkiv, 61166, Ukraine (Oleshko). E-mail: [email protected]. Received: 30 June 2020; Accepted: 21 October 2020; Published: 08 April 2021. Abstract: A blockchain, or in other words a chain of transaction blocks, is a distributed database that maintains an ordered chain of blocks that reliably connect the information contained in them. Copies of chain blocks are usually stored on multiple computers and synchronized in accordance with the rules of building a chain of blocks, which provides secure and change-resistant storage of information. To build linked lists of blocks, hashing is used. Hashing is a special cryptographic primitive that provides one-wayness, collision resistance and resistance to preimage search when computing a hash value (hash or message digest). In this paper a comparative analysis of the performance of hashing algorithms that can be used in modern decentralized blockchain networks is conducted. Specifically, the hash performance on different desktop systems, the number of cycles per byte (Cycles/byte), the amount of hashed message per second (MB/s) and the hash rate (KHash/s) are investigated.
-
International Patent Application PCT/US2019/035597 (Intel Corporation), front-page bibliographic data
(51) International Patent Classification: H04W 72/04 (2009.01), H04W 4/40 (2018.01). (21) International Application Number: PCT/US2019/035597. (22) International Filing Date: 05 June 2019 (05.06.2019). (25) Filing Language: English. (26) Publication Language: English. (30) Priority Data: 62/682,732, 08 June 2018 (08.06.2018), US. (71) Applicant: INTEL CORPORATION [US/US]; 2200 Mission College Boulevard, Santa Clara, California 95054 (US). (72) Inventors: MUECK, Markus Dominik; Jaegerstrasse 4b, 82008 Unterhaching (DE). (74) Agent: STRAUSS, Ryan N. et al.; 1211 SW 5th Avenue, Suite 1500-1900, Portland, Oregon 97204 (US). (81) Designated States (unless otherwise indicated, for every kind of national protection available): AE, AG, AL, AM, AO, AT, AU, AZ, BA, BB, BG, BH, BN, BR, BW, BY, BZ, CA, CH, CL, CN, CO, CR, CU, CZ, DE, DJ, DK, DM, DO, DZ, EC, EE, EG, ES, FI, GB, GD, GE, GH, GM, GT, HN, HR, HU, ID, IL, IN, IR, IS, JO, JP, KE, KG, KH, KN, KP, KR, KW, KZ, LA, LC, LK, LR, LS, LU, LY, MA, MD, ME, MG, MK, MN, MW, MX, MY, MZ, NA, NG, NI, NO, NZ, OM, PA, PE, PG, PH, PL, PT, QA, RO, RS, RU, RW, SA, SC, SD, SE, SG, SK, SL, SM, ST, SV, SY, TH, TJ, TM, TN, TR, TT, TZ, UA, UG, US, UZ, VC, VN, ZA, ZM, ZW. (84) Designated States (unless otherwise indicated, for every kind of regional protection available): ARIPO (BW, GH, GM, KE, LR, LS, MW, MZ, NA, RW, SD, SL, ST, SZ, TZ, UG, ZM, ZW), Eurasian (AM, AZ, BY, KG, KZ, RU, TJ,
-
EUROSERVER D7.9 Review of Industry Trends – Competitive Analysis (Project No. 610456)
D7.9 Review of Industry trends – Competitive analysis. Project No: 610456. February 28th, 2017. Abstract: This deliverable provides an update on the competitive analysis performed by the EUROSERVER consortium. As of the time of writing, it is clear that it has not been easy to commercialise ARM-based micro-servers, and many large companies have been unable to bring a viable solution to market. The remaining providers that already have or intend to launch server-ready products are Qualcomm and Cavium. The decision by Fujitsu and RIKEN to base the Post-K supercomputer on the ARM architecture is a positive development. Document Manager: John Thomson (Editor). Authors and affiliations: John Thomson, OnApp Ltd. (ONAPP); Paul Carpenter, Barcelona Supercomputing Center (BSC); Manolis Katevenis and Iakovos Mavroidis, FORTH; Denis Dutoit, CEA. Internal reviewers: Per Stenstrom, CHALMERS; Isabelle Dor, CEA. Version: 0.7. Date: 28/2/2017. Filename: Euroserver_D7.9_v0.7.docx. Confidentiality: This document is public and was produced by EUROSERVER contractors. Some of the graphics and information belong to third parties and this information is highlighted where appropriate. The commercial use of any information contained in this document may require a license from the proprietor of that information. This document is Public, and was produced under the EUROSERVER project (EC contract 610456). The EUROSERVER Consortium consists of the following
-
Just in Time Hashing
Just in Time Hashing. Benjamin Harsha and Jeremiah Blocki, Purdue University, West Lafayette, Indiana. Email: [email protected], [email protected]. Abstract: In the past few years billions of user passwords have been exposed to the threat of offline cracking attempts. Such brute-force cracking attempts are increasingly dangerous as password cracking hardware continues to improve and as users continue to select low entropy passwords. Key-stretching techniques such as hash iteration and memory hard functions can help to mitigate the risk, but increased key-stretching effort necessarily increases authentication delay so this defense is fundamentally constrained by usability concerns. We introduce Just in Time Hashing (JIT), a client side key-stretching algorithm to protect user passwords against offline brute-force cracking attempts without increasing delay for the user. The basic idea is to exploit idle time while the user is typing in their password to perform extra key-stretching. From the body text: ...prove and as many users continue to select low-entropy passwords, finding it too difficult to memorize multiple strong passwords for each of their accounts. Key stretching serves as a last line of defense for users after a password breach. The basic idea is to increase guessing costs for the attacker by performing hash iteration (e.g., BCRYPT [75] or PBKDF2 [59]) or by intentionally using a password hash function that is memory hard (e.g., SCRYPT [74, 74], Argon2 [12]). Unfortunately, there is an inherent security/usability trade-off when adopting traditional key-stretching algorithms such as PBKDF2, SCRYPT or Argon2. If the key-stretching algorithm cannot be computed quickly then we
-
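The "idle time while the user is typing" idea from that abstract, as an added example that is not the paper's code: a prefix-chain construction in which each keystroke triggers one key-stretched step chained onto the state left by the previous keystroke, so the client does the stretching for character i while the user is still typing character i+1, and only the final step sits on the critical path after Enter. The chaining rule, the use of PBKDF2-HMAC-SHA256 as the per-step primitive, the iteration counts and the backspace handling are assumptions for illustration, not the paper's exact algorithm.

```python
import hashlib
import hmac
import os

# Assumed per-character stretching budget (PBKDF2-HMAC-SHA256 iterations).
# In practice it is tuned to the gap between keystrokes; 2,000 is illustrative.
PER_CHAR_ITERATIONS = 2_000


def stretch(data: bytes, state: bytes, iterations: int) -> bytes:
    """One key-stretching step, keyed by the running chain state (used as the PBKDF2 salt)."""
    return hashlib.pbkdf2_hmac("sha256", data, state, iterations, dklen=32)


class JITHasher:
    """Incremental, client-side password hasher (assumed prefix-chain construction).

    feed() runs once per typed character and does one stretched step that depends on
    every character typed so far, so that work overlaps with the user typing the next
    character. finish() runs after the user submits; the delay the user perceives is
    that single final step, while an offline attacker replaying a guess of length n
    has to pay all n + 1 steps for that guess.
    """

    def __init__(self, salt: bytes, iterations: int = PER_CHAR_ITERATIONS):
        self.iterations = iterations
        # Keep every prefix state so a backspace can rewind without recomputation.
        self.states = [stretch(b"jit-init", salt, iterations)]

    def feed(self, ch: str) -> None:
        self.states.append(stretch(ch.encode("utf-8"), self.states[-1], self.iterations))

    def backspace(self) -> None:
        if len(self.states) > 1:
            self.states.pop()

    def finish(self) -> bytes:
        # Domain-separated, length-bound final step: a prefix's chain state is never
        # itself the stored verifier.
        n = len(self.states) - 1
        return stretch(b"jit-finish" + n.to_bytes(4, "big"), self.states[-1], self.iterations)


def jit_hash(password: str, salt: bytes, iterations: int = PER_CHAR_ITERATIONS) -> bytes:
    """Non-incremental reference: what is computed at enrolment and stored server-side."""
    h = JITHasher(salt, iterations)
    for ch in password:
        h.feed(ch)
    return h.finish()


def verify(password: str, salt: bytes, stored: bytes,
           iterations: int = PER_CHAR_ITERATIONS) -> bool:
    return hmac.compare_digest(jit_hash(password, salt, iterations), stored)


def type_with_correction(salt: bytes, keystrokes: str,
                         iterations: int = PER_CHAR_ITERATIONS) -> bytes:
    """Simulate a user typing; a '\\b' in keystrokes is a backspace. Returns the final hash."""
    h = JITHasher(salt, iterations)
    for k in keystrokes:
        if k == "\b":
            h.backspace()
        else:
            h.feed(k)
    return h.finish()


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = jit_hash("hunter2", salt)                  # enrolment
    typed = type_with_correction(salt, "hunte\ber2")    # login: typo, backspace, continue
    print("login accepted:", hmac.compare_digest(typed, stored))
```

An offline attacker gets no idle time to hide work in: every candidate of length n costs n + 1 stretched steps (only the salt-only initial step can be shared across guesses for one salt), so guessing cost grows with password length while the user-visible delay stays at one step. The retained prefix states should be treated as secret and discarded as soon as the login form is submitted or abandoned.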
United States District Court Eastern District of Texas Marshall Division
Case 2:19-cv-00056 Document 1 Filed 02/14/19 Page 1 of 19 PageID #: 1. UNITED STATES DISTRICT COURT, EASTERN DISTRICT OF TEXAS, MARSHALL DIVISION. KIPB LLC, Plaintiff, v. SAMSUNG ELECTRONICS CO., LTD.; SAMSUNG ELECTRONICS AMERICA, INC.; SAMSUNG SEMICONDUCTOR, INC.; SAMSUNG AUSTIN SEMICONDUCTOR, LLC; AND QUALCOMM GLOBAL TRADING PTE. LTD., Defendants. Case No. 2:19-cv-00056. JURY TRIAL DEMANDED. COMPLAINT FOR PATENT INFRINGEMENT. Plaintiff KIPB LLC, formerly known as KAIST IP US LLC ("KAIST IP US"), hereby alleges infringement of United States Patent No. 6,885,055 (the "'055 Patent") against Defendants Samsung Electronics Co., Ltd. ("SEC"), Samsung Electronics America, Inc. ("SEA"), Samsung Semiconductor, Inc. ("SSI"), and Samsung Austin Semiconductor LLC ("SAS") (collectively, "Samsung"), and Qualcomm Global Trading Pte. Ltd. ("Qualcomm"), as follows: THE PARTIES. 1. Plaintiff KAIST IP US is a corporation organized and existing under the laws of the State of Texas, having a principal place of business at 2591 Dallas Parkway, Frisco, Texas 75034. 2. Defendant SEC is a corporation organized and existing under the laws of the Republic of Korea, and located at 129 Samsung-ro, Yeongtong-gu, Suwon-si, Gyeonggi-do, Republic of Korea. 3. Defendant SEA is a corporation organized and existing under the laws of the state of New York, with corporate offices in the Eastern District of Texas at 1301 E. Lookout Drive, Richardson, Texas 75082, and 2800 Technology Drive, Suite 200, Plano, Texas 75074. Defendant SEA may be served with process through its registered agent CT Corporation System, 1999 Bryan St., Ste.
-
Moderately Hard Functions: Definition, Instantiations, and Applications
Moderately Hard Functions: Definition, Instantiations, and Applications. Joël Alwen (IST, Vienna, Austria, [email protected]) and Björn Tackmann (IBM Research, Zurich, Switzerland, [email protected]). Abstract: Several cryptographic schemes and applications are based on functions that are both reasonably efficient to compute and moderately hard to invert, including client puzzles for Denial-of-Service protection, password protection via salted hashes, or recent proof-of-work blockchain systems. Despite their wide use, a definition of this concept has not yet been distilled and formalized explicitly. Instead, either the applications are proven directly based on the assumptions underlying the function, or some property of the function is proven, but the security of the application is argued only informally. The goal of this work is to provide a (universal) definition that decouples the efforts of designing new moderately hard functions and of building protocols based on them, serving as an interface between the two. On a technical level, beyond the mentioned definitions, we instantiate the model for four different notions of hardness. We extend the work of Alwen and Serbinenko (STOC 2015) by providing a general tool for proving security for the first notion of memory-hard functions that allows for provably secure applications. The tool allows us to recover all of the graph-theoretic techniques developed for proving security under the older, non-composable, notion of security used by Alwen and Serbinenko. As an application of our definition of moderately hard functions, we prove the security of two different schemes for proofs of effort (PoE). We also formalize and instantiate the concept of a non-interactive proof of effort (niPoE), in which the proof is not bound to a particular communication context but rather any bit-string chosen by the prover.
-
On the Economics of Offline Password Cracking
On the Economics of Offline Password Cracking. Jeremiah Blocki (Purdue University), Ben Harsha (Purdue University), Samson Zhou (Carnegie Mellon University). Abstract: We develop an economic model of an offline password cracker which allows us to make quantitative predictions about the fraction of accounts that a rational password attacker would crack in the event of an authentication server breach. We apply our economic model to analyze recent massive password breaches at Yahoo!, Dropbox, LastPass and AshleyMadison. All four organizations were using key-stretching to protect user passwords. In fact, LastPass' use of PBKDF2-SHA256 with $10^5$ hash iterations exceeds the 2017 NIST minimum recommendation by an order of magnitude. Nevertheless, our analysis paints a bleak picture: the adopted key-stretching levels provide insufficient protection for user passwords. In particular, we present strong evidence that most user passwords follow a Zipf's law distribution, and characterize the behavior of a rational attacker when user passwords are selected from a [...] From the body text: ...passwords to offline attacks. Password hashing algorithms are a critical last line of defense against an offline attacker who has stolen password hash values from an authentication server. An attacker who has stolen a user's password hash value can attempt to crack each user's password offline by comparing the hashes of likely password guesses with the stolen hash value. Because the attacker can check each guess offline it is no longer possible to lock out the adversary after several incorrect guesses. An offline attacker is limited only by the cost of computing the hash function. Ideally, the password hashing algorithm should be moderately expensive to compute so that it is prohibitively expensive for an offline attacker to crack most user passwords, e.g., by checking millions, billions or even trillions of password guesses for each user.
-
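The offline-attack setting described in that abstract, as an added example rather than code from the paper: a constructed credential table hashed with PBKDF2-HMAC-SHA256 (the scheme the abstract names for LastPass), the dictionary attack an attacker runs against it, and a deliberately simplified rational-attacker rule (keep guessing while the expected gain p_i * v of the next guess still covers its cost) over a Zipf-distributed password population, used to show how the iteration count moves the fraction of accounts a cost-driven attacker bothers to crack. The stopping rule is a simplification of the paper's model, and the account value, per-iteration cost, wordlist and passwords are assumed figures.

```python
import hashlib
import os


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: iterated-hash key stretching, cost linear in `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_store(users: dict, iterations: int) -> dict:
    """Constructed 'stolen' credential table: user -> (salt, digest, iterations)."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt, iterations), iterations)
    return store


def crack(store: dict, wordlist: list):
    """Offline dictionary attack: try guesses in popularity order against every record.

    Nothing can lock the attacker out; the only limit is the cost of each hash
    evaluation, which is `iterations` HMAC-SHA256 calls. Per-user salts mean no
    evaluation is shared between users. Returns (cracked, hash evaluations paid for).
    """
    cracked, work = {}, 0
    for user, (salt, digest, iterations) in store.items():
        for guess in wordlist:
            work += 1
            if hash_password(guess, salt, iterations) == digest:
                cracked[user] = guess
                break
    return cracked, work


def zipf_distribution(n: int, s: float = 1.0) -> list:
    """p_i proportional to 1/i^s for the i-th most popular password (Zipf's law)."""
    weights = [1.0 / (i ** s) for i in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def rational_attack(probs: list, value_per_account: float, cost_per_guess: float):
    """Simplified rational attacker: keep guessing in popularity order while the
    expected gain of the next guess (p_i * v) still covers its cost c.
    Returns (guesses made per account, expected fraction of accounts cracked)."""
    guesses, cracked = 0, 0.0
    for p in probs:
        if p * value_per_account < cost_per_guess:
            break
        guesses += 1
        cracked += p
    return guesses, cracked


def cracked_fraction(iterations: int, probs: list, value_per_account: float = 1.0,
                     cost_per_iteration: float = 1e-8) -> float:
    """Fraction cracked when one guess costs iterations * cost_per_iteration.
    The per-iteration hardware cost and the account value are assumed figures."""
    return rational_attack(probs, value_per_account, iterations * cost_per_iteration)[1]


if __name__ == "__main__":
    store = make_store({"alice": "123456", "bob": "correct-horse-battery"}, 10_000)
    print(crack(store, ["123456", "password", "qwerty"]))
    probs = zipf_distribution(1_000)
    for iters in (1, 10_000, 100_000, 10_000_000):
        print(f"{iters:>10} iterations -> {cracked_fraction(iters, probs):.3f} of accounts cracked")
```

Raising the iteration count multiplies the attacker's per-guess cost linearly, which is all that hash iteration buys; in the demo it moves the cracked fraction from essentially every account down to roughly the single most common password once a guess costs more than the expected value of any but the top guess. A memory-hard function attacks the cost_per_iteration term instead, by forcing the attacker onto hardware with comparable memory per guess rather than cheap hash cores.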
Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks
Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks. Dan Boneh and Henry Corrigan-Gibbs (Stanford University, Stanford CA 94305, U.S.A.), Stuart Schechter (Microsoft Research, Redmond WA 98052, U.S.A.). Abstract: We present the Balloon password-hashing algorithm. This is the first practical cryptographic hash function that: (i) has proven memory-hardness properties in the random-oracle model, (ii) uses a password-independent access pattern, and (iii) meets, and often exceeds, the performance of the best heuristically secure password-hashing algorithms. Memory-hard functions require a large amount of working space to evaluate efficiently and, when used for password hashing, they dramatically increase the cost of offline dictionary attacks. In this work, we leverage a previously unstudied property of a certain class of graphs ("random sandwich graphs") to analyze the memory-hardness of the Balloon algorithm. The techniques we develop are general: we also use them to give a proof of security of the scrypt and Argon2i password-hashing functions, in the random-oracle model. Our security analysis uses a sequential model of computation, which essentially captures attacks that run on single-core machines. Recent work shows how to use massively parallel special-purpose machines (e.g., with hundreds of cores) to attack memory-hard functions, including Balloon. We discuss this important class of attacks, which is outside of our adversary model, and propose practical defenses against them. To motivate the need for security proofs in the area of password hashing, we demonstrate and implement a practical attack against Argon2i that successfully evaluates the function with less space than was previously claimed possible.
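The distinction between data-dependent and data-independent memory access patterns drawn in the ciMHF abstract above, and the password-independent access pattern the Balloon abstract advertises, can be seen directly in a toy. This is an added example, not code from any of the listed papers and not an implementation of scrypt, Argon2 or Balloon: a deliberately small memory-filling loop whose only switch is how the reference block index is chosen, plus the side-channel-assisted guess pruning that a password-dependent pattern enables. Block size, hash, parameters and the candidate list are assumed; the toy makes no memory-hardness claim of its own.

```python
import hashlib


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def toy_mhf(password: bytes, salt: bytes, n_blocks: int, passes: int,
            data_dependent: bool, expected_trace=None):
    """Toy memory-hard function sketch with two indexing rules (assumed, illustrative only).

    Memory is n_blocks hash outputs derived from the password; each of `passes` sweeps
    overwrites block i with H(previous block, block j). The two modes differ only in
    how the reference index j is chosen:
      data_dependent=True  -> j is derived from the *contents* of the previous block
                              (scrypt / Argon2d style): the access pattern depends on
                              the password.
      data_dependent=False -> j is derived from the (pass, position) counter and salt
                              only (Argon2i / Balloon style): every password produces
                              the same access pattern.
    If expected_trace (a previously observed access pattern) is given, evaluation
    aborts at the first access that disagrees with it, which is what a side-channel
    attacker does when testing a guess. Returns (tag or None, trace, blocks_computed).
    """
    mem = [H(b"fill", salt, password, i.to_bytes(4, "big")) for i in range(n_blocks)]
    trace, computed = [], 0
    for p in range(passes):
        for i in range(n_blocks):
            prev = mem[(i - 1) % n_blocks]
            if data_dependent:
                seed = prev
            else:
                seed = H(b"index", salt, p.to_bytes(4, "big"), i.to_bytes(4, "big"))
            j = int.from_bytes(seed[:8], "big") % (n_blocks - 1)
            if j >= i:
                j += 1  # never reference the block being overwritten
            trace.append(j)
            if expected_trace is not None and (
                len(trace) > len(expected_trace) or expected_trace[len(trace) - 1] != j
            ):
                return None, trace, computed  # guess already ruled out by the side channel
            mem[i] = H(prev, mem[j])
            computed += 1
    return H(b"final", mem[-1]), trace, computed


def access_pattern_leaks(salt: bytes, data_dependent: bool,
                         n_blocks: int = 64, passes: int = 2) -> bool:
    """Would an observer of the access pattern be able to tell two passwords apart?"""
    _, t1, _ = toy_mhf(b"hunter2", salt, n_blocks, passes, data_dependent)
    _, t2, _ = toy_mhf(b"letmein", salt, n_blocks, passes, data_dependent)
    return t1 != t2


def sidechannel_attack(observed_trace, candidates, salt, n_blocks, passes, data_dependent):
    """Total block computations an attacker spends testing `candidates` after having
    observed the victim's access pattern (e.g. through a cache-timing side channel)."""
    total = 0
    for cand in candidates:
        _, _, computed = toy_mhf(cand, salt, n_blocks, passes, data_dependent, observed_trace)
        total += computed
    return total


if __name__ == "__main__":
    salt = b"\x01" * 16
    cands = [b"123456", b"password", b"qwerty", b"hunter2", b"letmein"]  # constructed
    for dep in (True, False):
        _, victim_trace, full = toy_mhf(b"hunter2", salt, 64, 2, dep)
        print("data_dependent" if dep else "data_independent",
              "| pattern leaks:", access_pattern_leaks(salt, dep),
              "| attack cost:", sidechannel_attack(victim_trace, cands, salt, 64, 2, dep),
              "vs", full * len(cands), "without the side channel")
```

In the data-dependent mode the very first reference index already depends on the password, so an attacker who has observed the victim's pattern rejects almost every wrong guess after zero or one block computations and pays about one full evaluation in total; that is the sense in which the ciMHF abstract says scrypt's cost collapses to O(N) after a side-channel attack. In the data-independent mode the trace is identical for every password and tells the attacker nothing, so every guess costs the full evaluation.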