Balloon Hashing: a Memory-Hard Function Providing Provable Protection Against Sequential Attacks
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Computationally Data-Independent Memory Hard Functions
Computationally Data-Independent Memory Hard Functions Mohammad Hassan Ameri∗ Jeremiah Blocki† Samson Zhou‡ November 18, 2019 Abstract Memory hard functions (MHFs) are an important cryptographic primitive that are used to design egalitarian proofs of work and in the construction of moderately expensive key-derivation functions resistant to brute-force attacks. Broadly speaking, MHFs can be divided into two categories: data-dependent memory hard functions (dMHFs) and data-independent memory hard functions (iMHFs). iMHFs are resistant to certain side-channel attacks as the memory access pattern induced by the honest evaluation algorithm is independent of the potentially sensitive input e.g., password. While dMHFs are potentially vulnerable to side-channel attacks (the induced memory access pattern might leak useful information to a brute-force attacker), they can achieve higher cumulative memory complexity (CMC) in comparison than an iMHF. In particular, any iMHF that can be evaluated in N steps on a sequential machine has CMC at 2 most N log log N . By contrast, the dMHF scrypt achieves maximal CMC Ω(N 2) — though O log N the CMC of scrypt would be reduced to just (N) after a side-channel attack. In this paper, we introduce the notion ofO computationally data-independent memory hard functions (ciMHFs). Intuitively, we require that memory access pattern induced by the (ran- domized) ciMHF evaluation algorithm appears to be independent from the standpoint of a computationally bounded eavesdropping attacker — even if the attacker selects the initial in- put. We then ask whether it is possible to circumvent known upper bound for iMHFs and build a ciMHF with CMC Ω(N 2). -
Asymmetric Proof-Of-Work Based on the Generalized Birthday Problem
Equihash: Asymmetric Proof-of-Work Based on the Generalized Birthday Problem Alex Biryukov Dmitry Khovratovich University of Luxembourg University of Luxembourg [email protected] [email protected] Abstract—The proof-of-work is a central concept in modern Long before the rise of Bitcoin it was realized [20] that cryptocurrencies and denial-of-service protection tools, but the the dedicated hardware can produce a proof-of-work much requirement for fast verification so far made it an easy prey for faster and cheaper than a regular desktop or laptop. Thus the GPU-, ASIC-, and botnet-equipped users. The attempts to rely on users equipped with such hardware have an advantage over memory-intensive computations in order to remedy the disparity others, which eventually led the Bitcoin mining to concentrate between architectures have resulted in slow or broken schemes. in a few hardware farms of enormous size and high electricity In this paper we solve this open problem and show how to consumption. An advantage of the same order of magnitude construct an asymmetric proof-of-work (PoW) based on a compu- is given to “owners” of large botnets, which nowadays often tationally hard problem, which requires a lot of memory to gen- accommodate hundreds of thousands of machines. For prac- erate a proof (called ”memory-hardness” feature) but is instant tical DoS protection, this means that the early TLS puzzle to verify. Our primary proposal Equihash is a PoW based on the schemes [8], [17] are no longer effective against the most generalized birthday problem and enhanced Wagner’s algorithm powerful adversaries. -
Características Y Aplicaciones De Las Funciones Resumen Criptográficas En La Gestión De Contraseñas
Características y aplicaciones de las funciones resumen criptográficas en la gestión de contraseñas Alicia Lorena Andrade Bazurto Instituto Universitario de Investigación en Informática Escuela Politécnica Superior Características y aplicaciones de las funciones resumen criptográficas en la gestión de contraseñas ALICIA LORENA ANDRADE BAZURTO Tesis presentada para aspirar al grado de DOCTORA POR LA UNIVERSIDAD DE ALICANTE DOCTORADO EN INFORMÁTICA Dirigida por: Dr. Rafael I. Álvarez Sánchez Alicante, julio 2019 Índice Índice de tablas .................................................................................................................. vii Índice de figuras ................................................................................................................. ix Agradecimiento .................................................................................................................. xi Resumen .......................................................................................................................... xiii Resum ............................................................................................................................... xv Abstract ........................................................................................................................... xvii 1 Introducción .................................................................................................................. 1 1.1 Objetivos ...............................................................................................................4 -
Argon2: the Memory-Hard Function for Password Hashing and Other Applications
Argon2: the memory-hard function for password hashing and other applications Designers: Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich University of Luxembourg, Luxembourg [email protected], [email protected], [email protected] https://www.cryptolux.org/index.php/Argon2 https://github.com/P-H-C/phc-winner-argon2 https://github.com/khovratovich/Argon2 Version 1.3 of Argon2: PHC release February 29, 2016 Contents 1 Introduction 2 2 Definitions 3 2.1 Motivation . 3 2.2 Model for memory-hard functions . 4 3 Specification of Argon2 4 3.1 Inputs . 4 3.2 Operation . 5 3.3 Indexing . 6 3.4 Compression function G ......................................... 7 4 Features 8 4.1 Available features . 8 4.2 Possible future extensions . 9 5 Security analysis 9 5.1 Ranking tradeoff attack . 9 5.2 Memory optimization attack . 9 5.3 Attack on iterative compression function . 10 5.4 Security of Argon2 to generic attacks . 10 5.5 Security of Argon2 to ranking tradeoff attacks . 11 5.6 Security of Argon2i to generic tradeoff attacks on random graphs . 12 5.7 Summary of tradeoff attacks . 12 6 Design rationale 12 6.1 Indexing function . 12 6.2 Implementing parallelism . 13 6.3 Compression function design . 15 6.3.1 Overview . 15 6.3.2 Design criteria . 15 6.4 User-controlled parameters . 15 7 Performance 16 7.1 x86 architecture . 16 8 Applications 16 1 9 Recommended parameters 17 10 Conclusion 17 A Permutation 18 P B Additional functionality 19 C Change log 19 C.1 v.1.3 . 19 C.2 v1.2.1 { February 1st, 2016 . -
Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain
I. J. Computer Network and Information Security, 2021, 2, 1-15 Published Online April 2021 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijcnis.2021.02.01 Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain Alexandr Kuznetsov1 , Inna Oleshko2, Vladyslav Tymchenko3, Konstantin Lisitsky4, Mariia Rodinko5 and Andrii Kolhatin6 1,3,4,5,6 V. N. Karazin Kharkiv National University, Svobody sq., 4, Kharkiv, 61022, Ukraine E-mail: [email protected], [email protected], [email protected], [email protected], [email protected] 2 Kharkiv National University of Radio Electronics, Nauky Ave. 14, Kharkiv, 61166, Ukraine E-mail: [email protected] Received: 30 June 2020; Accepted: 21 October 2020; Published: 08 April 2021 Abstract: A blockchain, or in other words a chain of transaction blocks, is a distributed database that maintains an ordered chain of blocks that reliably connect the information contained in them. Copies of chain blocks are usually stored on multiple computers and synchronized in accordance with the rules of building a chain of blocks, which provides secure and change-resistant storage of information. To build linked lists of blocks hashing is used. Hashing is a special cryptographic primitive that provides one-way, resistance to collisions and search for prototypes computation of hash value (hash or message digest). In this paper a comparative analysis of the performance of hashing algorithms that can be used in modern decentralized blockchain networks are conducted. Specifically, the hash performance on different desktop systems, the number of cycles per byte (Cycles/byte), the amount of hashed message per second (MB/s) and the hash rate (KHash/s) are investigated. -
Bitcoin: Technical Background and Data Analysis
Finance and Economics Discussion Series Divisions of Research & Statistics and Monetary Affairs Federal Reserve Board, Washington, D.C. Bitcoin: Technical Background and Data Analysis Anton Badev and Matthew Chen 2014-104 NOTE: Staff working papers in the Finance and Economics Discussion Series (FEDS) are preliminary materials circulated to stimulate discussion and critical comment. The analysis and conclusions set forth are those of the authors and do not indicate concurrence by other members of the research staff or the Board of Governors. References in publications to the Finance and Economics Discussion Series (other than acknowledgement) should be cleared with the author(s) to protect the tentative character of these papers. Bitcoin: Technical Background and Data Analysis Anton Badev Matthew Chen∗ October 7, 2014 Executive summary Broadly speaking, Bitcoin is a scheme designed to facilitate the transfer of value be- tween parties. Unlike traditional payment systems, which transfer funds denominated in sovereign currencies, Bitcoin has its own metric for value called bitcoin (with lowercase letter \b", and abbreviated as BTC1). Bitcoin is a complex scheme, and its implementa- tion involves a combination of cryptography, distributed algorithms, and incentive driven behaviour. Moreover, recent developments suggest that Bitcoin operations may involve risks whose nature and proportion are little, if at all, understood. In light of these con- siderations, the purpose of this paper is to provide the necessary technical background to understand basic Bitcoin operations and document a set of empirical regularities related to Bitcoin usage. We present the micro-structure of the Bitcoin transaction process and highlight the use of cryptography for the purposes of transaction security and distributed maintenance of a ledger. -
Just in Time Hashing
Just in Time Hashing Benjamin Harsha Jeremiah Blocki Purdue University Purdue University West Lafayette, Indiana West Lafayette, Indiana Email: [email protected] Email: [email protected] Abstract—In the past few years billions of user passwords prove and as many users continue to select low-entropy have been exposed to the threat of offline cracking attempts. passwords, finding it too difficult to memorize multiple Such brute-force cracking attempts are increasingly dangerous strong passwords for each of their accounts. Key stretching as password cracking hardware continues to improve and as serves as a last line of defense for users after a password users continue to select low entropy passwords. Key-stretching breach. The basic idea is to increase guessing costs for the techniques such as hash iteration and memory hard functions attacker by performing hash iteration (e.g., BCRYPT[75] can help to mitigate the risk, but increased key-stretching effort or PBKDF2 [59]) or by intentionally using a password necessarily increases authentication delay so this defense is hash function that is memory hard (e.g., SCRYPT [74, 74], fundamentally constrained by usability concerns. We intro- Argon2 [12]). duce Just in Time Hashing (JIT), a client side key-stretching Unfortunately, there is an inherent security/usability algorithm to protect user passwords against offline brute-force trade-off when adopting traditional key-stretching algo- cracking attempts without increasing delay for the user. The rithms such as PBKDF2, SCRYPT or Argon2. If the key- basic idea is to exploit idle time while the user is typing in stretching algorithm cannot be computed quickly then we their password to perform extra key-stretching. -
Optimising the SHA256 Hashing Algorithm for Faster & More Efficient Bitcoin Mining
Optimising the SHA256 Hashing Algorithm for Faster and More Efficient Bitcoin Mining1 by Rahul P. Naik Supervisor: Dr. Nicolas T. Courtois MSc Information Security DEPARTMENT OF COMPUTER SCIENCE September 2, 2013 1 This report is submitted as part requirement for the MSc Degree in Information Security at University College London. It is substantially the result of my own work except where explicitly indicated in the text. The report may be freely copied and distributed provided the source is explicitly acknowledged. Copyright © Rahul Naik 2013. Abstract Since its inception in early 2009, Bitcoin has attracted a substantial amount of users and the popularity of this decentralised virtual currency is rapidly increasing day by day. Over the years, an arms race for mining hardware has resulted with miners requiring more and more hashing power in order to remain alive in the Bitcoin mining arena. The hashing rate and the energy consumption of the mining devices used are of utmost importance for the profit margin in Bitcoin mining. As Bitcoin mining is fundamentally all about computing the double SHA256 hash of a certain stream of inputs many times, a lot of research has been aimed towards hardware optimisations of the SHA256 Hash Standard implementations. However, no effort has been made in order to optimise the SHA256 algorithm specific to Bitcoin mining. This thesis covers the broad field of Bitcoin, Bitcoin mining and the SHA256 hashing algorithm. Rather than hardware based optimisations, the main focus of this thesis is targeted towards optimising the SHA256 hashing algorithm specific to the Bitcoin mining protocol so that mining can be performed faster and in a more efficient manner. -
Crush Crypto Educational Series
The History of Digital Currency Educational Series November 26, 2018 Digital Currency Before Bitcoin • The creation of Bitcoin in 2009 marked the birth of the first digital currency to achieve widespread adoption across the globe. However, the concept of a secure digital currency has been around since the 1980s. • Previous attempts that inspired Satoshi Nakamoto’s creation of Bitcoin include: • DigiCash • Bit Gold • Hashcash • B-money For additional resources, please visit www.CrushCrypto.com. 2 Copyright © Crush Crypto. All Rights Reserved. DigiCash • Computer scientist David Chaum released the paper Blind Signatures for Untraceable Payments (1982) in which he outlined an alternative to the electronic transactions hitting retail stores at the time. His paper is considered one of the first proposals of digital currency in history. • He continued working on his proposal and eventually launched a company called DigiCash in 1990 to commercialize the ideas in his research. In 1994 the company put forth their first electronic cash transaction over the internet. For additional resources, please visit www.CrushCrypto.com. 3 Copyright © Crush Crypto. All Rights Reserved. DigiCash (continued) • DigiCash transactions were unique for the time considering their use of protocols like blind signatures and public key cryptography to enable anonymity. As a result, third parties were prevented from accessing personal information through the online transactions. • Despite the novel technology, DigiCash was not profitable as a company and filed a chapter 11 bankruptcy in 1998 before being sold for assets in 2002. • Chaum thought that DigiCash entered the market before e-commerce was fully integrated with the internet and that lead to a chicken-and-egg problem. -
Blockchain History: from Cypherpunks to Jp Morgan Chase
1 BLOCKCHAIN HISTORY: FROM CYPHERPUNKS TO JP MORGAN CHASE Rustie Lin Gloria Wang 2 LECTURE OVERVIEW 1 PRE BITCOIN EARLY BITCOIN: 2 SCANDALS, HACKS, ILLEGAL ACTIVITY SCALABILITY DEBATES 3 AND ETHEREUM 4 ENTERPRISE BLOCKCHAIN 5 STATE OF THE INDUSTRY 3 PRE BITCOIN: LIBERTARIAN 1 DREAMS 4 LIBERTARIAN DREAMS CYPHERPUNKS AND CRYPTO-ANARCHISTS “Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn’t want the whole world to know, but a secret matter is something one doesn’t want anybody to know. Privacy is the power to selectively reveal oneself to the world” (A Cypherpunk’s Manifesto). https://www.activism.net/cypherpunk/manifesto.html AUTHOR: BRIAN HO 5 LIBERTARIAN DREAMS CYPHERPUNKS AND CRYPTO-ANARCHISTS ● Cypherpunks and Crypto-anarchists: libertarian groups concerned with privacy, and advocated cryptography as an important tool ● “Privacy is the power to selectively reveal oneself to the world.” ● “Privacy in an open society requires anonymous transaction systems” AUTHOR: GLORIA ZHAO 6 EARLY ATTEMPTS DIGICASH ● DigiCash: “Blind signatures” public key cryptography ○ Allowed users to sign off on transactions without revealing anything about their identity ○ Failed due to centralization AUTHOR: BRIAN HO 7 EARLY ATTEMPTS HASHCASH ● HashCash: proof of work by expending resources ○ Solve puzzle using a cryptographic hash function ○ Originally designed as a mechanism to limit email spam AUTHOR: BRIAN HO 8 EARLY ATTEMPTS B-MONEY ● B-MONEY: Introduced important ideas and protocols -
Bitcoin and Blockchain Technology Economics and Environmental Sustainability of the Digital Scarcity Experiment
Bitcoin and Blockchain Technology Economics and Environmental Sustainability of the Digital Scarcity Experiment Comments, corrections, and questions: https://drive.google.com/open?id=1FpudunEQrBY8WLTSLzwThOoFxMKGTCho © 2019 Digital Gold Institute Bitcoin Is Hard to Understand At the crossroads of: ▪ Cryptography ▪ Computer networking and distributed systems ▪ Game theory ▪ Monetary theory With relevant cultural and political implications Mainly not a technology, a cultural paradigm shift instead © 2019 Digital Gold Institute 2/64 Table of Contents 1. Internet Money 2. About Money 3. Private Money and the Centralization Dilemma 4. The Double Spending Problem 5. Bitcoin as Digital Gold 6. Bitcoin as Investment Asset © 2019 Digital Gold Institute 3/64 The Information Economy BANK ▪ Data is transferred with zero marginal cost ▪ Why pay a fee to move bytes representing wealth? ▪ Why only 9-5, Monday-Friday, two days settlement? ▪ Who (and when) will gift humanity with a global instantaneous free p2p payment network? © 2019 Digital Gold Institute 4/64 Reliable Internet eCash Will Be Developed “The one thing that's missing, but that'll soon be developed, is a reliable eCash, a method whereby on the internet you can transfer funds from A to B, without A knowing B or B knowing A, the way I can take a 20 Dollar bill and hand it over to you” Milton Friedman, 1999 https://www.youtube.com/watch?v=ZoaXLzFhWIw © 2019 Digital Gold Institute 5/64 ▪ Decentralized digital currency ▪ Not backed by any government or organization ▪ No need for trusted third -
Moderately Hard Functions: Definition, Instantiations, and Applications?
Moderately Hard Functions: Definition, Instantiations, and Applications? Jo¨elAlwen1 and Bj¨ornTackmann2 1 IST, Vienna, Austria, [email protected] 2 IBM Research { Zurich, Switzerland, [email protected] Abstract. Several cryptographic schemes and applications are based on functions that are both reasonably efficient to compute and moderately hard to invert, including client puzzles for Denial-of-Service protection, password protection via salted hashes, or recent proof-of-work blockchain systems. Despite their wide use, a definition of this concept has not yet been distilled and formalized explicitly. Instead, either the applications are proven directly based on the assumptions underlying the function, or some property of the function is proven, but the security of the ap- plication is argued only informally. The goal of this work is to provide a (universal) definition that decouples the efforts of designing new moder- ately hard functions and of building protocols based on them, serving as an interface between the two. On a technical level, beyond the mentioned definitions, we instantiate the model for four different notions of hardness. We extend the work of Alwen and Serbinenko (STOC 2015) by providing a general tool for proving security for the first notion of memory-hard functions that allows for provably secure applications. The tool allows us to recover all of the graph-theoretic techniques developed for proving security under the older, non-composable, notion of security used by Alwen and Serbinenko. As an application of our definition of moderately hard functions, we prove the security of two different schemes for proofs of effort (PoE). We also formalize and instantiate the concept of a non-interactive proof of effort (niPoE), in which the proof is not bound to a particular communication context but rather any bit-string chosen by the prover.