On the Memory-Hardness of Data-Independent Password-Hashing Functions

We show attacks on five data-independent memory-hard functions (iMHFs) that were submitted to the Password Hashing Competition (PHC). Informally, an MHF is a function that cannot be evaluated on dedicated hardware, such as ASICs, at significantly lower hardware and/or energy cost than evaluating a single instance on a standard single-core architecture. Data-independent means that the memory access pattern of the function is independent of the input; this makes iMHFs harder to construct than data-dependent ones, but the latter are vulnerable to various side-channel attacks. Following [Alwen-Blocki'16], we model the evaluation of an iMHF as a directed acyclic graph (DAG). The cumulative parallel pebbling complexity of this DAG is a measure of the hardware cost of evaluating the iMHF on an ASIC. Ideally, the complexity of the DAG underlying an iMHF should be as close to quadratic in the number of nodes of the graph as possible. Instead, we show that (the DAGs underlying) the following iMHFs are far from this bound: Rig.v2, TwoCats and Gambit each have an exponent of no more than 1.75. Moreover, we show that the complexities of the iMHF modes of the PHC finalists Pomelo and Lyra2 have exponents of at most 1.83 and 1.67, respectively. To show this, we investigate a combinatorial property of each underlying DAG (called its depth-robustness). By establishing upper bounds on this property, we are then able to apply the general technique of [Alwen-Blocki'16] for analyzing the hardware cost of an iMHF.
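The pebbling model the abstract relies on, as an added example that is not part of the paper: a tiny constructed DAG, a checker for legal parallel pebblings with their cumulative cost, and a brute-force search for the depth-reducing set that shows the graph is not (e, d)-depth-robust. All function names and the sample graph are my own; the exhaustive search is only feasible for toy-sized graphs.

```python
from itertools import combinations

# Constructed sample DAG (not from the paper): node v lists its parents (all < v).
# A 6-node chain plus an edge from two steps back, i.e. a fixed, input-independent
# access pattern of the kind an iMHF defines.
SAMPLE = [[], [0], [0, 1], [1, 2], [2, 3], [3, 4]]

def depth(parents, removed):
    """Longest path, in edges, after deleting the nodes in `removed`."""
    longest, best = 0, {}
    for v, ps in enumerate(parents):
        if v not in removed:
            best[v] = max((best[p] + 1 for p in ps if p not in removed), default=0)
            longest = max(longest, best[v])
    return longest

def depth_after_removing(parents, e):
    """Brute force over all e-node sets: the depth-reducing set leaving the shallowest graph."""
    best_depth, best_set = None, ()
    for s in combinations(range(len(parents)), e):
        d = depth(parents, set(s))
        if best_depth is None or d < best_depth:
            best_depth, best_set = d, s
    return best_depth, sorted(best_set)

def is_depth_robust(parents, e, d):
    """(e, d)-depth-robust: removing any e nodes leaves a path of length >= d."""
    return depth_after_removing(parents, e)[0] >= d

def is_legal(parents, pebbling):
    """Parallel pebbling rule: a pebble goes on v only if every parent of v held a
    pebble in the previous step; removals are free; the sink must end pebbled."""
    prev = set()
    for cur in pebbling:
        if any(p not in prev for v in cur - prev for p in parents[v]):
            return False
        prev = cur
    return len(parents) - 1 in prev

def cumulative_cost(parents, pebbling):
    """Cumulative cost = sum over steps of pebbles in use (the hardware-cost measure)."""
    if not is_legal(parents, pebbling):
        raise ValueError("illegal pebbling")
    return sum(len(step) for step in pebbling)

def keep_everything(parents):
    """Honest strategy: one new pebble per step, never discard (quadratic cost)."""
    return [set(range(i + 1)) for i in range(len(parents))]

def sliding_window(parents, w):
    """Keep only the last w pebbles; legal only if every parent lies in the window."""
    return [set(range(max(0, i - w + 1), i + 1)) for i in range(len(parents))]
```

On the sample graph, removing nodes 2 and 3 collapses the depth from 5 to 1, and a two-pebble sliding window evaluates it legally at roughly half the cost of keeping everything, which is exactly the kind of gap between ideal and actual cost the paper measures.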

[1] Alex Biryukov et al. Argon2: New Generation of Memory-Hard Functions for Password Hashing and Other Applications. 2016 IEEE European Symposium on Security and Privacy (EuroS&P), 2016.

[2] Sunoo Park et al. Static-Memory-Hard Functions and Nonlinear Space-Time Tradeoffs via Pebbling. IACR Cryptol. ePrint Arch., 2018.

[3] Jeremiah Blocki et al. Sustained Space Complexity. IACR Cryptol. ePrint Arch., 2017.

[4] Joël Alwen et al. High Parallel Complexity Graphs and Memory-Hard Functions. IACR Cryptol. ePrint Arch., 2015.

[5] Srinivas Devadas et al. Bandwidth Hard Functions for ASIC Resistance. TCC, 2017.

[6] Guido Bertoni et al. The Making of KECCAK. Cryptologia, 2014.

[7] Guido Bertoni et al. On the Indifferentiability of the Sponge Construction. EUROCRYPT, 2008.

[8] Samson Zhou et al. On the Depth-Robustness and Cumulative Pebbling Cost of Argon2i. TCC, 2017.

[9] Jeremiah Blocki et al. Efficiently Computing Data-Independent Memory-Hard Functions. CRYPTO, 2016.

[10] C. Thomborson et al. Area-time complexity for VLSI. STOC, 1979.

[11] Stefan Lucks et al. The Catena Password-Scrambling Framework. 2015.

[12] Alex Biryukov et al. Tradeoff Cryptanalysis of Memory-Hard Functions. ASIACRYPT, 2015.

[13] Paulo S. L. M. Barreto et al. Lyra2: password hashing scheme with improved security against time-memory trade-offs. 2017.

[14] Colin Percival. Stronger Key Derivation via Sequential Memory-Hard Functions. 2009.

[15] Donghoon Chang et al. Rig: A simple, secure and flexible design for Password Hashing. IACR Cryptol. ePrint Arch., 2015.

[16] Jeremiah Blocki et al. Practical Graphs for Optimal Side-Channel Resistant Memory-Hard Functions. IACR Cryptol. ePrint Arch., 2017.

[17] Jeremiah Blocki et al. Depth-Robust Graphs and Their Cumulative Memory Complexity. EUROCRYPT, 2017.

[18] Samson Zhou et al. Bandwidth-Hard Functions: Reductions and Lower Bounds. IACR Cryptol. ePrint Arch., 2018.

[19] Jeremiah Blocki et al. Towards Practical Attacks on Argon2i and Balloon Hashing. 2017 IEEE European Symposium on Security and Privacy (EuroS&P), 2017.

[20] Dan Boneh et al. Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks. ASIACRYPT, 2016.