On the Complexity of Scrypt and Proof of Space in Parallel Random Oracle Model

on the complexity of scrypt and proofs of space n.w
1 / 59
Embed
Share

Explore the complexities of Scrypt and Proof of Space in the Parallel Random Oracle Model, focusing on password hashing, cost metrics, sequential memory hardness, and designing memory-hard functions like ROMix. The content delves into security considerations, computational costs, and the resilience of various hashing algorithms against brute-force attacks.

  • Scrypt
  • Proof of Space
  • Password Hashing
  • Memory Hardness
  • Random Oracle
rayaanacharya
kfell Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model Binyi Chen UCSB joint work with Joel Alwen, Chethan Kamath, Vladimir Kolmogorov, Krzysztof Pietrzak, and Stefano Tessaro

  2. Motivation: Password Hashing Given input (id, psw) check F(psw, salt) is consistent login, password = (Alice, abcde ) (Alice, x) Alice, F( abcde , salt1), salt1 Bob, F( xyz123 , salt2), salt2 Carol, F( 1234 , salt3), salt3 Alice, abcde Bob, xyz123 Carol, 1234 Alice, abcde Alice, F( abcde , salt1), salt1 Steal Enumerate x Until F(x, salt1) = F( abcde , salt1) Passwords leak!

  3. Moderately hard F C: The least cost to compute F F User Adversary What is cost C? time? memory? energy? C: not too large login quickly C: not too small against brute-force attack

  4. Traditional cost metric: Time Typical solution: iteration X1 H H X X2 Xn-1 H F(X) H Xn-2 ... Input X1 H H X X2 Xn-1 H F(X ) H Xn-2 ... Input Problem: cost 1 Multiple inputs with same cost ASICs Brute-force attack Hardware (ASICs) can speed up hashing power considerably at equal cost

  5. Sequential Memory Hardness[Per09] A function F is sequential memory-hard if F: Cannot be computed with cost much lower than C(n) Can be computed sequentially with cost C(n) e.g. O(n2) even with parallel computation e.g. O(n2- ) for any >0 Cost = Size-Time complexity |???| ????[Per09] Better reflects $ cost

  6. Designing sequential memory-hard functions In this paper: Important! primary target Focus on analyzing the core of Scrypt Password-hashing competition ROMix function similar to the core of Argon2d Proposed designs: Scrypt In the rest of the talk Catena Balloon hashing Argon2i Scrypt = ROMix function Argon2d Few come with provable security

  7. Sequential Memory hard functions: ROMix[Per09] Phase 1: X1 H H X X2 Xn-1 H Xn=S H Xn-2 ... Input SHA-256 id0 = S modn +1 S1 H S Input H(Xid S) 0 Phase 2:

  8. Sequential Memory hard functions: ROMix[Per09] Phase 1: X1 H H X X2 Xn-1 H Xn=S H Xn-2 ... Input SHA-256 idn-1 = Sn-1modn + 1 id1 = S1modn + 1 Xid Xidn-2 Xidn-1 Xid0 1 Sn-1 H Sn=y H S1 S2 H H Sn-2 S ... Input H(Xid S) 0 Phase 2:

  9. Remembering all Xi Xn-2 X2 X4 Xn X5 X1 Xn-3 Xn-1 X3 ........ id0 = S modn +1 S1 H S Input Phase 2:

  10. Remembering all Xi Xn-2 X2 X4 Xn X5 X1 Xn-3 Xn-1 X3 ........ Memory: O(n) idn-1 = Sn-1modn + 1 Time: O(n) Xid Xidn-2 Xidn-1 Xid0 1 Sn-1 H Sn=y H S1 S2 H H Sn-2 S ... Input Phase 2:

  11. Space: O(1) X1=H(X) X2=H(X1) X3=H(X2) Step 1: Step 2: Step 3: id0 = S modn +1 H S Input Phase 2:

  12. Space: O(1) Step id0: Xid=H(Xid -1) 0 0 id0 = S modn +1 Xid0 S1 H S Input Phase 2:

  13. Space: O(1) X1=H(X) X2=H(X1) X3=H(X2) Step 1: Step 2: Step 3: idn-1 = Sn-1modn +1 Xid Xidn-2 Xid0 1 Sn-1 H H S1 S2 H H Sn-2 S ... Input Phase 2:

  14. Space: O(1) Step idn-1:Xid=H(Xid Memory: O(1) Time: O(n2) -1) n-1 n-1 idn-1 = Sn-1modn +1 Xid Xidn-2 Xidn-1 Xid0 1 Sn-1 H Sn=y H S1 S2 H H Sn-2 S ... Input Phase 2:

  15. Sequential memory hard functions: Scrypt[Per09] Theorem[Per 09] Under the RO model, given a single input X, for any adv who uses space S(n) and spent time T(n), for any constant >0, S(n) T(n) = (n2- ) can query bounded # of RO inputs in parallel

  16. Is ST-complexity the perfect metric in Password-Hashing scenario? : compute the hash of multiple passwords with low cost Goal of

  17. ST-Complexity[Per09] If we compute F on k inputs in parallel Do we have: Compute k inputs sequentially Compute k inputs in parallel Cost( ) Cost( ) ???? ????? ? ???? ????? NO

  18. ST-Complexity[Per09] Compute F(input1) Compute F(input2) input1 input2 n n Step 1: Step 1: Memory Memory 1 1 Step 2: Step 2: Step 3: Step 3: 1 1 1 1 Step m: Step m: Cost = ? ?? F(input1) F(input2)

  19. ST-Complexity[Per09] Compute F(input1) and F(input2) together Step 1: n Memory n+1 n 1 Step 2: ???? ?????=(n+1)(m+1) Step 3: 1 1 << ? ???? ?????=2nm Step m: 1 1 Step m+1: 1 F(input1) F(input2)

  20. Cumulative Memory Complexity[AS15] Parallel Random Oracle Model H H H H parallel queries S2 S1 X ST ROMix(X) Input state |S1|+ + |ST| CMC = cumulative sum of memory usage hardware metric Area-Time Complexity: product of runtime & area of circuit

  21. Cumulative Memory Complexity[AS15] Compute F(input1) Compute F(input1) and F(input2) together input1 Step 1: n n Step 1: n 1 Step 2: 1 Step 2: ??? = ? + ? ? ??? = ?(? + ? ?) Step 3: 1 1 Step 3: 1 Step m: 1 1 1 Step m: Step m+1: 1 F(input1) F(input1) F(input2)

  22. CMC is robust against computing multiple inputs in parallel [AS15]

  23. Memory hardness, revisited A function F is memory-hard if F: Can be computed sequentially with CMC = O(n2) Cannot be computed with CMC = O(n2- ) for any >0 even with parallel computation

  24. Our results can query unbounded # of RO inputs in parallel in one step under a conjecture Theorem 1 Under the pROM model, given a single input X, for any adv who computes Scrypt(X), for any constant >0, CMC(adv) = (n2- ) More powerful ? Simple Restrict the class of adversaries: Too restrictive! exists only storing H s output in memory

  25. Entangled Adversary X1 X3 X4 X1 X3 X7 ?? ?? ?? ?? X4 X7

  26. Generalization a set L of H s outputs X1 any|L|-t labels in set L X1 X3 X3 encoding decoding entangled Enc(L) X4 X4 |Enc(L)| ~ t X7 X7

  27. Our results can query unbounded # of RO inputs in parallel in one step Theorem 2 Under the pROM model, given a single input X, for any entangled adv who computes Scrypt(X), for any constant >0, CMC(adv) = (n2- ) Simple This talk: only storing H s output in memory

  28. The idea of [AS15] was to How to analyze the Scrypt function w.r.t. CMC? model the computation of MHF by data-independent Pebbling game[DNW05]

  29. Pebbling game[DNW05] Graph MHF 5 5 ??= ?(?,??,??) 3 3 4 4 ??= ?(?,??) ??= ?(?,??,??) 1 1 2 2 ??= ?(?,???) ??= ?(?,???) password password Memory state with size S Configuration with S pebbles Storing a label is equivalent to pebble a node

  30. Model MHF by Pebbling[AS15] Computation with space S Pebble game with S pebbles L4=H(L1, L2) L1 L4 L2 L6 password L5 L3 y 1) Query RO: put a pebble on a vertex if all of its parents are pebbled 2) Release memory: remove any set of pebbles 3) Goal: pebble the output node

  31. Model MHF by Pebbling[AS15] Computation with space S Pebble game with S pebbles L4=H(L1, L2) L1 L4 L2 L6 password L5 L3 y Parallel Cumulative Pebbling Complexity [AS 15] pCPC = min |??|= 3+2+2+1 = 8 ? ?

  32. How to model the computation of Scrypt with a pebbling game? (data-dependent) Pebble graph is not fixed Randomized Pebbling game

  33. Reduction Parallel Cumulative Pebbling Complexity of Randomized Pebbling game Cumulative Memory Complexity of Scrypt Similar reduction for entangled adversary w.r.t. simple

  34. Randomized Pebbling game X1 Model Phase 2 1 2 3 7 4 8 5 9 6 password Configuration P0 id1 [?] Adversary Challenger

  35. Randomized Pebbling game Model Phase 2 1 2 3 7 4 8 5 9 6 password Configuration P1 id1 [?] Adversary Challenger

  36. Randomized Pebbling game Model Phase 2 1 2 3 7 4 8 5 9 6 password Configuration P2 id1 [?] 5 id2 [?] Adversary Challenger

  37. Randomized Pebbling game Model Phase 2 1 2 3 7 4 8 5 9 6 password Configuration P3 id1 [?] id2 [?] Adversary Challenger

  38. Randomized Pebbling game Model Phase 2 1 2 3 7 4 8 5 9 6 password Configuration P4 id1 [?] id2 [?] Adversary Challenger

  39. Randomized Pebbling game Model Phase 2 1 2 3 7 4 8 5 9 6 password Configuration P5 id1 [?] 3 id2 [?] Adversary Challenger

  40. Randomized Pebbling game Model Phase 2 1 2 3 7 4 8 5 9 6 password Configuration Pt-1 id1 [?] id2 [?] idn [?] Adversary Challenger

  41. Randomized Pebbling game Model Phase 2 1 2 3 7 4 8 5 9 6 password Configuration Pt id1 [?] 3 id2 [?] idn [?] Adversary Challenger Parallel Cumulative Pebbling Complexity randomness: adv strategy and challenge pCPCn= min ? |??| ? ?

  42. Key lemma Parallel Cumulative Pebbling Complexity of randomized pebbling game is ?2 min ? ? |??| log?2 ?

  43. Proof Idea

  44. Potential 1 2 3 7 4 8 5 9 6 password Configuration P id1 [?] How long it takes to pebble a random challenge? Only care about time!

  45. Potential 3 steps 1 2 3 7 4 8 5 9 6 password Configuration P id1 [?] How long it takes to pebble a random challenge? ??(?): minimal # of steps to pebble node i (?): minimal expected # of steps to pebble a random challenge Only care about time! ? =?1? + + ??(?) ?

  46. Remove random challenge in randomized pebbling game idj+1 [?] idj [?] Pk P1 P0 configuration ? (?0) steps more tricks to argue it Put into a game w.o. random challenge to take k steps Only ask

  47. Expectation game 1 2 3 7 4 8 5 9 6 password Configuration P0 take at least (?0) 2steps Challenge 1 Adversary Challenger

  48. Expectation game 1 2 3 7 4 8 5 9 6 password Configuration P1 take at least (?0) 2steps Adversary Challenger

  49. Expectation game 1 2 3 7 4 8 5 9 6 password Configuration P2 take at least (?0) 2steps Challenge 2 Finished take at least (?2) 3steps Adversary Challenger

  50. Expectation game 1 2 3 7 4 8 5 9 6 password Configuration P3 take at least (?0) 2steps Challenge 2 take at least (?2) 3steps Adversary Challenger

Related


Multi-Head Attention Layers in Transformers

Multi-Head Attention Layers in Transformers

reign
Precision Oncology Research using Deep Learning Models

Precision Oncology Research using Deep Learning Models

hafsa
Strong Average-Case Circuit Lower Bounds: A Brief Overview

Strong Average-Case Circuit Lower Bounds: A Brief Overview

adriana
FIREX-AQ Data Management Plan and Reporting Guidelines

FIREX-AQ Data Management Plan and Reporting Guidelines

tony
Innovative Approaches in Radiation Therapy for Prostate Cancer

Innovative Approaches in Radiation Therapy for Prostate Cancer

cleopas
Code Reuse Ten Years Later: A Study on Gadget Finding

Code Reuse Ten Years Later: A Study on Gadget Finding

daniella
Progress on R&D of the WCDA Experiment

Progress on R&D of the WCDA Experiment

kell237
Important Information for Parents from MIMS Teachers

Important Information for Parents from MIMS Teachers

sall
Meet Our Cozy Little Cottage Family in Yate

Meet Our Cozy Little Cottage Family in Yate

jete_508
Real-time Monitoring and Detection of Android Privacy Leakage

Real-time Monitoring and Detection of Android Privacy Leakage

sam_pla
Understanding Luxury Brand Purchases by Millennials: Applying Generational Cohort Theory

Understanding Luxury Brand Purchases by Millennials: Applying Generational Cohort Theory

olse_han
Framework for Evaluating Critical Thinking Apps: Enhancing Analytical Skills

Framework for Evaluating Critical Thinking Apps: Enhancing Analytical Skills

fentress_k
Advances in Nanoparticle-Enhanced Photosensors for UV Light Detection and Quantum Confinement Research

Advances in Nanoparticle-Enhanced Photosensors for UV Light Detection and Quantum Confinement Research

kitz_1
Introduction to Static Analysis in C.K. Chen's Presentation

Introduction to Static Analysis in C.K. Chen's Presentation

rhew_den
Smart Predictive Maintenance of Mechatronic Systems with Digital Twins

Smart Predictive Maintenance of Mechatronic Systems with Digital Twins

fier637
Collaborative Global-Local Networks for Memory-Efficient Segmentation of Ultra-High Resolution Images

Collaborative Global-Local Networks for Memory-Efficient Segmentation of Ultra-High Resolution Images

ziglar_z
R Short Course Session 5 Overview: Linear and Logistic Regression

R Short Course Session 5 Overview: Linear and Logistic Regression

con_ore
Optimal SVD Based TXBF for Next-Gen WiFi Development

Optimal SVD Based TXBF for Next-Gen WiFi Development

aner379
Entity-Relationship Model in Databases

Entity-Relationship Model in Databases

adelin
Kalman Filter Overview by Po-Chen Wu

Kalman Filter Overview by Po-Chen Wu

tmcla
Clinical Virology Case Studies with Derrick Chen, MD

Clinical Virology Case Studies with Derrick Chen, MD

medidoc
Protecting Virtual Function Tables Integrity: VTint System Overview

Protecting Virtual Function Tables Integrity: VTint System Overview

shikl

More Related Content