Scrypt Is Maximally Memory-Hard

Alwen, Joël; Chen, Binyi; Pietrzak, Krzysztof; Reyzin, Leonid; Tessaro, Stefano

doi:10.1007/978-3-319-56617-7_2

Cited by 59 publications

(25 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Data dependent MHFs such as SCRYPT [9] have the previously mentioned side-channel vulnerabilities. Even so, SCRYPT has been found to be optimally memory hard with respect to AT complexity [39], [89]. The authors of Argon2 [18], winner of the password hashing competition [8], now recommend running in hybrid mode Argon2id to balance side-channel resistance and resistance to iMHF attacks.…”

Section: Data (In)dependent Memory Hard Functionsmentioning

confidence: 99%

On the Economics of Offline Password Cracking

Blocki

Harsha

Zhou

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

We develop an economic model of an offline password cracker which allows us to make quantitative predictions about the fraction of accounts that a rational password attacker would crack in the event of an authentication server breach. We apply our economic model to analyze recent massive password breaches at Yahoo!, Dropbox, LastPass and AshleyMadison. All four organizations were using key-stretching to protect user passwords. In fact, LastPass' use of PBKDF2-SHA256 with 10 5 hash iterations exceeds 2017 NIST minimum recommendation by an order of magnitude. Nevertheless, our analysis paints a bleak picture: the adopted key-stretching levels provide insufficient protection for user passwords. In particular, we present strong evidence that most user passwords follow a Zipf's law distribution, and characterize the behavior of a rational attacker when user passwords are selected from a Zipf's law distribution. We show that there is a finite threshold which depends on the Zipf's law parameters that characterizes the behavior of a rational attacker -if the value of a cracked password (normalized by the cost of computing the password hash function) exceeds this threshold then the adversary's optimal strategy is always to continue attacking until each user password has been cracked. In all cases (Yahoo!, Dropbox, LastPass and AshleyMadison) we find that the value of a cracked password almost certainly exceeds this threshold meaning that a rational attacker would crack all passwords that are selected from the Zipf's law distribution (i.e., most user passwords). This prediction holds even if we incorporate an aggressive model of diminishing returns for the attacker (e.g., the total value of 500 million cracked passwords is less than 100 times the total value of 5 million passwords). On a positive note our analysis demonstrates that memory hard functions (MHFs) such as SCRYPT or Argon2i can significantly reduce the damage of an offline attack. In particular, we find that because MHFs substantially increase guessing costs a rational attacker will give up well before he cracks most user passwords and this prediction holds even if the attacker does not encounter diminishing returns for additional cracked passwords. Based on our analysis we advocate that password hashing standards should be updated to require the use of memory hard functions for password hashing and disallow the use of non-memory hard functions such as BCRYPT or PBKDF2.

show abstract

Section: Data (In)dependent Memory Hard Functionsmentioning

confidence: 99%

On the Economics of Offline Password Cracking

Blocki

Harsha

Zhou

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…We remark that the way our hard function f RO makes use of the random oracle is quite standard and analogous to several existing cryptographic constructions (e.g., [4,5,52]), so it is unlikely that the random oracle methodology fails to apply to our hard function f RO (see more discussion in Section 1.2). Thus, one way to interpret our result is that either f h indeed shows a fundamental limitation of parallelization in the MPC model, or gives a natural counter-example for the random oracle methodology (which would be surprising).…”

Section: Our Results and Techniquesmentioning

confidence: 99%

“…The way that our hard function uses the random oracle is analogous to several existing cryptographic constructions; in particular, the line of research in memory hard functions (MHFs) [3,4,5,6]. MHFs are hash functions whose evaluation cost is dominated by memory cost.…”

Section: Related Workmentioning

confidence: 99%

“…For all natural constructions, the heuristic holds so far and sometimes the proved security in the RO model matches the best-known attacks [31,34,35]. Indeed, the random oracle methodology is well-accepted in practice where many RO-based constructions (e.g., RSA-OAEP) have been used for years as part of the standard in practical cryptographic systems [5,25].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

On the Hardness of Massively Parallel Computation

Chung

Sun

2020

Proceedings of the 32nd ACM Symposium on Parallelism in Algorithms and Architectures

View full text Add to dashboard Cite

We investigate whether there are inherent limits of parallelization in the (randomized) massively parallel computation (MPC) model by comparing it with the (sequential) RAM model. As our main result, we show the existence of hard functions that are essentially not parallelizable in the MPC model. Based on the widely-used random oracle methodology in cryptography with a cryptographic hash function h : {0, 1} n → {0, 1} n computable in time t h , we show that there exists a function that can be computed in time O(T • t h) and space S by a RAM algorithm, but any MPC algorithm with local memory size s < S/c for some c > 1 requires at least Ω(T) 1 rounds to compute the function, even in the average case, for a wide range of parameters n ≤ S ≤ T ≤ 2 n 1/4. Our result is almost optimal in the sense that by taking T to be much larger than t h , e.g., T to be sub-exponential in t h , to compute the function, the round complexity of any MPC algorithm with small local memory size is asymptotically the same (up to a polylogarithmic factor) as the time complexity of the RAM algorithm. Our result is obtained by adapting the so-called compression argument from the data structure lower bounds and cryptography literature to the context of massively parallel computation.

show abstract

“…Menurut Jo¨el Alwen, Binyi Chen, Krzysztof Pietrzak, Leonid Reyzin, Stefano Tessaro, Scrypt adalah calon MHF sederhana yang dirancang oleh Percival, dan dijelaskan dalam RFC 7914 [5]. Telah digunakan dalam sejumlah cryptocurrency dan telah menjadi inspirasi bagi Argon2d, salah satu pemenang dari kata sandi baru-baru ini kompetisi-hashing.…”

Section: Landasan Teoriunclassified

ANALISA KEMUNGKINAN ALGORITMA SHA256 & ALGORITMA SCRYPT DALAM MENEMUKAN BLOK BARU PADA TEKNOLOGI BLOCKCHAIN

Mulyadi

Setianto

2021

proxies

View full text Add to dashboard Cite

In cryptocurrency, a block is a record of new transactions that could mean the location of cryptocurrency, medical data, or even voting records. Once each block is completed it's added to the chain, creating a chain of blocks: a blockchain. Because cryptocurrencies are encrypted, processing any transactions means solving complicated math problems using specified algorithm like SHA256 and Scrypt. People who solve these equations are rewarded with cryptocurrency in a process called mining. In this study the authors will find out the comparison of SHA256 and Scrypt to work on the blockchain. To find out the comparison between SHA256 and Scrypt some test will be done in this research. The test were given to both algorithm on some test System to observe which algorithm that has highest probability in finding new block. the results of the tests done in this paper show that Scrypt is much slower to hash than SHA256 but the Scrypt algorithm has greater chance to find a new block.

show abstract

Scrypt Is Maximally Memory-Hard

Cited by 59 publications

References 14 publications

On the Economics of Offline Password Cracking

On the Economics of Offline Password Cracking

On the Hardness of Massively Parallel Computation

ANALISA KEMUNGKINAN ALGORITMA SHA256 & ALGORITMA SCRYPT DALAM MENEMUKAN BLOK BARU PADA TEKNOLOGI BLOCKCHAIN

Contact Info

Product

Resources

About