Course Business
• I am traveling April 25-May 3rd
• Will still be available by e-mail to answer questions
• Final Exam Review on Monday April 24th
• Guest Lectures on April 26 and 28 (TBD)
• Final Exam on Monday May 1st (in this classroom)
  • Adib will proctor
• Practice Final Exam released soon
Cryptography CS 555
Topic 39: Password Hashing

Password Storage
User jblocki logs in with password 123456.
Salt: 89d978034a3f6
Hash: SHA1(123456 || 89d978034a3f6) = 85e23cfe0021f584e3db87aa72630a9a2345c062
Stored for username jblocki: the salt and the hash.
Offline Attacks: A Common Problem
• Password breaches at major companies have affected millions of users

A Dangerous Problem
$2,400 on Amazon
Can we increase guessing costs for the attacker?
Attempt 1: Hash Iteration
• BCRYPT
• PBKDF2: 100,000 SHA256 computations (iterative)
Estimated cost on ASIC: $1 per billion password guesses [BS14]
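The two storage schemes on the preceding slides, as an added example that is not part of the lecture slides: the single salted SHA1 of the "Password Storage" slide next to an iterated PBKDF2-HMAC-SHA256 record with the 100,000-iteration count quoted above. The record format, the 16-byte salt length and the `needs_rehash` policy helper are my own choices, not anything the slides specify; the salt used in the comments is constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # the PBKDF2 iteration count quoted on the slide


def legacy_sha1_record(password: str, salt: bytes) -> str:
    """The slide's scheme: one SHA1 over password || salt.  The salt defeats
    precomputed tables, but one cheap hash per guess is what makes the
    offline guessing cost of the next slides so low."""
    return hashlib.sha1(password.encode() + salt).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt (assumed record
    format: alg$iterations$salt_hex$dk_hex, so every parameter needed for
    verification travels with the record and iterations can be raised later)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        alg, iterations, salt_hex, dk_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is weaker than the current policy (legacy
    format or fewer iterations); rehash on the next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed salt
    print("legacy:", legacy_sha1_record("123456", salt))
    record = hash_password("123456", salt)
    print("stored:", record)
    print("verify correct:", verify_password("123456", record))
    print("verify wrong:  ", verify_password("123457", record))
```

The point the slides go on to make is that iteration only multiplies the attacker's cost by a constant: 100,000 SHA256 calls per guess still yield the $1-per-billion-guesses ASIC figure quoted above, which is why the rest of the lecture moves to memory-hard functions.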
The Challenge: User Patience
Disclaimer: This slide is entirely for humorous effect. Don't take it too seriously.
[Chart: "Units of Patience" plotted against Time, with cost in USD ($) on the second axis]
Goal: Moderately Expensive Hash Function
Fast on PC and expensive on ASIC
Memory costs: equitable across architectures
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Graph Pebbling
• Measuring Pebbling Costs
• Desiderata
• Attacks on iMHF Constructions
• Constructing iMHFs
• Open Questions
Memory Hard Function (MHF)
• Intuition: computation costs dominated by memory costs
• Data Independent Memory Hard Function (iMHF)
  • Memory access pattern should not depend on input
iMHF Candidates
• Catena [FLW15]
  • Special Recognition at Password Hashing Competition
  • Two variants: Dragonfly and Double-Butterfly
• Argon2 [BDK15]
  • Winner of the Password Hashing Competition
  • Argon2i (data-independent mode) is recommended for Password Hashing
• Balloon Hashing [BCS16]
  • Newer proposal (three variants in original proposal)
iMHF f_{G,H}
Input: pwd, salt
L1 = H(pwd, salt)
L3 = H(L2, L1)
Output: f_{G,H}(pwd, salt) = L4
Defined by:
• H: {0,1}^{2k} → {0,1}^k (Random Oracle)
• DAG G on nodes 1, 2, 3, 4 (encodes data dependencies)
• Maximum indegree δ = O(1)
Evaluating an iMHF (pebbling)
Pebbling rules: P = P_1, …, P_t ⊆ V such that
• P_{i+1} ⊆ P_i ∪ {x ∈ V : parents(x) ⊆ P_i} (need dependent values)
• n ∈ P_t (must finish and output L_n)
(Same four-node example: input pwd, salt; L1 = H(pwd, salt); L3 = H(L2, L1); output L4.)
Pebbling Example
Graph on nodes 1 2 3 4 5; the pebbling proceeds round by round:
P1 = {1}
P2 = {1, 2}
P3 = {3}
P4 = {3, 4}
P5 = {5}

Pebbling Example (CC)
CC(G) ≤ Σ_{i=1}^{5} |P_i| = 1 + 2 + 1 + 2 + 1 = 7
Measuring Cost
• Cumulative Complexity (CC)
  CC(G) = min_P Σ_{i=1}^{t_P} |P_i|
• Amortization [AS15]: CC(G ∪ G) = 2 × CC(G) (two disjoint copies of G)
Pebbling Equivalence
Theorem [AS15] (Informal): High pebbling complexity of G implies high amortized memory complexity for the iMHF f_{G,H}.
Implication: Structure of the graph G is key to iMHF security.
Desiderata
Find a DAG G on n nodes such that:
1. Constant indegree (δ = 2)
2. CC(G) ≥ n²/τ for some small value τ
Maximize costs for fixed n (users are impatient).
Depth-Robustness: The Key Property
Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Naïve Pebbling Algorithms
• Sequential algorithm (Naïve)
  • Constraint: one new pebble per round
  • Every iMHF is defined via its Naïve algorithm
• Example Naïve (pebble in topological order)
  • Never discard pebbles
  • Time: n
  • Average pebbles: n/2
  • ER(Naïve) = Θ(R·n + n²)
Amortized Attack Quality
Quality_R(A) = (ER(Naïve) / ER(A)) × #inst(A)
Example: Algorithm A evaluates 5 iMHF instances with total cost ER(A) = 100 and ER(Naïve) = 40.
Quality_R(A) = (40 / 100) × 5 = 2
Desiderata
Find a DAG G and a sequential pebbling algorithm N with:
1. Constant indegree (δ = 2)
2. Quality_R(A) ≤ c for every adversary A (c small)
3. ER(Naïve) ≥ n²/τ + R·n for some small value τ
Memory costs should dominate. Maximize costs for fixed n (users are impatient).
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with:
1. Constant indegree (δ = 2)
2. Quality_R(A) ≤ c for every adversary A (c small)
3. ER(Naïve) ≥ n²/τ + R·n for τ = O(1)
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General attack on non depth-robust DAGs
  • Existing iMHFs are not depth robust
  • Ideal iMHFs don't exist
• Subsequent Results (Depth-Robustness is Sufficient)
• Open Questions
Depth Robustness
Definition: A DAG G = (V, E) is (e, d)-reducible if there exists S ⊆ V s.t. |S| ≤ e and depth(G − S) ≤ d.
Otherwise we say that G is (e, d)-depth robust.
Example (graph on nodes 1 2 3 4 5): (1, 2)-reducible
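The pebbling rules, cumulative complexity, the naïve algorithm's energy cost, attack quality and the (e, d)-reducibility definition from the slides above, worked in code. This is an added example, not code from the lecture; the slides' figure does not list the edges of the five-node graph, so the edge set below is an assumption chosen so that the pebbling shown on the slides is legal, and the energy model in `energy_cost` (1 unit per pebble per round, R per hash call) is likewise my reading of ER, not a definition the slides give.

```python
from itertools import combinations

# Constructed example DAG on nodes 1..5 (assumed edges: 1->2, 1->3, 2->3,
# 3->4, 3->5, 4->5).  parents[v] lists the nodes whose labels v depends on.
PARENTS = {1: (), 2: (1,), 3: (1, 2), 4: (3,), 5: (3, 4)}
N = 5

# The pebbling from the slide: P1={1}, P2={1,2}, P3={3}, P4={3,4}, P5={5}.
EXAMPLE_PEBBLING = [{1}, {1, 2}, {3}, {3, 4}, {5}]


def is_legal_pebbling(parents, n, pebbling):
    """Pebbling rules: starting from P_0 = ∅, P_{i+1} ⊆ P_i ∪ {x : parents(x) ⊆ P_i},
    and the output node n must hold a pebble in the final round."""
    prev = set()
    for step in pebbling:
        placeable = {v for v in range(1, n + 1) if set(parents[v]) <= prev}
        if not set(step) <= prev | placeable:
            return False
        prev = set(step)
    return n in prev


def cumulative_cost(pebbling):
    """Cost of one pebbling, Σ_i |P_i|; CC(G) is the minimum over all legal pebblings."""
    return sum(len(step) for step in pebbling)


def energy_cost(pebbling, R):
    """Assumed energy model: each pebble held during a round costs 1 (memory),
    each newly placed pebble costs R (one hash evaluation)."""
    prev, total = set(), 0
    for step in pebbling:
        step = set(step)
        total += len(step) + R * len(step - prev)
        prev = step
    return total


def naive_pebbling(n):
    """The Naive algorithm: pebble in topological order, never discard,
    so round i holds pebbles on {1, ..., i}."""
    return [set(range(1, i + 1)) for i in range(1, n + 1)]


def attack_quality(er_naive, er_attack, instances):
    """Quality_R(A) = ER(Naive) / ER(A) x #inst(A), as on the slide."""
    return er_naive / er_attack * instances


def depth(parents, n, removed=frozenset()):
    """Longest path of G - removed, counted in nodes (nodes are numbered topologically)."""
    longest = {}
    for v in range(1, n + 1):
        if v in removed:
            continue
        longest[v] = 1 + max((longest[p] for p in parents[v] if p in longest), default=0)
    return max(longest.values(), default=0)


def reducing_set(parents, n, e, d):
    """Witness that G is (e, d)-reducible: some S with |S| <= e and depth(G - S) <= d,
    or None if G is (e, d)-depth robust.  Exhaustive search, toy graphs only."""
    for size in range(e + 1):
        for S in combinations(range(1, n + 1), size):
            if depth(parents, n, frozenset(S)) <= d:
                return set(S)
    return None


if __name__ == "__main__":
    print("slide pebbling legal:", is_legal_pebbling(PARENTS, N, EXAMPLE_PEBBLING))
    print("CC(G) <=", cumulative_cost(EXAMPLE_PEBBLING))
    print("naive cost:", cumulative_cost(naive_pebbling(N)))
    print("ER(naive) with R=10:", energy_cost(naive_pebbling(N), 10))
    print("quality of the slide's example:", attack_quality(40, 100, 5))
    print("(1,2)-reducing set:", reducing_set(PARENTS, N, 1, 2))
```

For the naïve pebbling the energy cost is exactly R·n + n(n+1)/2, which is the Θ(R·n + n²) on the slide; the brute-force `reducing_set` is only usable for graphs of a dozen or so nodes, which is enough to check the (1, 2)-reducible example.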
Attacking (e, d)-reducible DAGs
• Input: S with |S| ≤ e such that depth(G − S) = d, and g > d
• Light Phase (g rounds): discard most pebbles
  • Goal: pebble the next g nodes in g (sequential) steps
  • Low memory (only keep pebbles on S and on parents of new nodes)
  • Lasts a "long" time
• Balloon Phase (d rounds): greedily recover missing pebbles
  • Goal: recover needed pebbles for upcoming light phase
  • Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition): If G is not (e, d)-depth robust then CC(G) = O(e·n + √(n³·d)). In particular CC(G) = o(n²) for e, d = o(n).
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs?
Answer: No
• Catena [FLW15] is (e, O(n/e))-reducible: CC = O(n^{1.62})
• Balloon Hashing and Argon2i (old version) are (e, O(n²/e²))-reducible: CC = O(n^{1.71})
• Argon2i (latest version) is (e, O(n³/e³))-reducible: CC = O(n^{1.77})
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
• Argon2: Winner of the password hashing competition [2015]
• Authors recommend Argon2i variant (data-independent) for password hashing

Argon2i
Nodes 1 2 3 4 … i … n form a chain; each node i additionally has a random predecessor r(i) < i.
Indegree δ = 2
Argon2i: Reducing depth to √n
Nodes partitioned into consecutive layers of size n^{3/4}:
  Layer 0: 1, 2, 3, …, n^{3/4}
  Layer 1: n^{3/4}+1, n^{3/4}+2, n^{3/4}+3, …, 2n^{3/4}
  …
  Layer ⁴√n: …, n
Definition: S2 = {v_i : v_{r(i)} and v_i in same layer}
Claim: |S2| ≤ …
Fact: Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)
Let S = S1 + S2
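The layered view of Argon2i above, measured on a constructed instance; this is an added example, not code from the lecture or from the Argon2 reference implementation. The graph is a simplification of the slide's description (chain plus one uniformly random predecessor r(i) < i; real Argon2i's data-independent index function is not uniform). S2 follows the slide's definition; the slide does not define S1, so taking S1 to be every g-th node (which cuts each layer's chain into short pieces) is my assumption. Layer size n^{3/4} and cut spacing n^{1/4} are the parameters I read off the slides and choose here.

```python
import random


def argon2i_like_dag(n, seed=0):
    """Constructed simplification of the Argon2i DAG: chain edge i-1 -> i plus one
    random predecessor r(i) < i, so indegree <= 2.  r(i) is uniform here, which
    real Argon2i's index function is not; the seed stands in for the PRNG that
    makes the access pattern independent of the password."""
    rng = random.Random(seed)
    parents, r = {1: ()}, {}
    for i in range(2, n + 1):
        r[i] = rng.randint(1, i - 1)
        parents[i] = (i - 1,) if r[i] == i - 1 else (i - 1, r[i])
    return parents, r


def layer_of(v, layer_size):
    return (v - 1) // layer_size


def layered_cut(n, r, layer_size, g):
    """S1 (assumption): every g-th node, cutting the chain into pieces of < g nodes.
    S2 (slide's definition): nodes whose random predecessor lies in their own layer."""
    S1 = set(range(g, n + 1, g))
    S2 = {i for i, p in r.items() if layer_of(i, layer_size) == layer_of(p, layer_size)}
    return S1, S2


def depth(parents, n, removed=frozenset()):
    """Longest path of G - removed, counted in nodes."""
    longest = {}
    for v in range(1, n + 1):
        if v in removed:
            continue
        longest[v] = 1 + max((longest[p] for p in parents[v] if p in longest), default=0)
    return max(longest.values(), default=0)


def surviving_random_edges_cross_layers(r, S, layer_size):
    """After removing S, every remaining random edge should go to a strictly later
    layer: that is what makes the residual graph 'layered'."""
    return all(layer_of(p, layer_size) < layer_of(i, layer_size)
               for i, p in r.items() if i not in S and p not in S)


def analyse(n=4096, seed=1):
    """Layers of size n^(3/4) (so n^(1/4) layers), chain cut every n^(1/4) nodes.
    A path can spend < g nodes in each layer and only moves to later layers,
    so depth(G - S) <= layers * g."""
    layer_size = round(n ** 0.75)
    g = round(n ** 0.25)
    parents, r = argon2i_like_dag(n, seed)
    S1, S2 = layered_cut(n, r, layer_size, g)
    S = S1 | S2
    layers = -(-n // layer_size)
    return {
        "n": n,
        "layers": layers,
        "removed": len(S),
        "depth_full": depth(parents, n),
        "depth_reduced": depth(parents, n, frozenset(S)),
        "depth_bound": layers * g,
        "cross_layer_only": surviving_random_edges_cross_layers(r, S, layer_size),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

At n = 4096 the removed set is still a large fraction of the nodes, because with a uniform r(i) almost all of layer 0 lands in S2; the slides' point is asymptotic (|S2| grows slower than n), and the structural facts the test checks, depth n before the cut and depth at most layers × g after it with only cross-layer random edges surviving, hold for every seed.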
Attack Simulation [AB16b]
Attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line).
Pessimistic Argon2i-B parameter: a setting that could easily be chosen when following the Argon2i-B guidelines.
[Plot not reproduced]
Ideal iMHFs Don't Exist
Thm [AB16]: Any graph G (with constant indegree) is at least somewhat depth-reducible.
Implication: If CC(G) = Ω(n²) there is an attack A with high quality:
Quality_R(A) = Ω(log n / log log n)
But we cannot rule them out in practice.
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let G = (V, E) be (e, d)-depth robust; then CC(G) ≥ e·d.
Proof: Let P_1, …, P_t denote an (optimal) pebbling of G. For 0 < i ≤ d define S_i = P_i ∪ P_{d+i} ∪ P_{2d+i} ∪ ⋯. Each round P_j contributes to exactly one S_i, so Σ_i |S_i| ≤ Σ_j |P_j| = CC(G), and one of the sets S_i has size at most CC(G)/d. Now we claim that d ≥ depth(G − S_i): any path in G − S_i must have been completely pebbled at some point, yet none of its nodes carries a pebble in rounds i, d+i, 2d+i, …; thus it must have been pebbled entirely during some interval of length d, so it has at most d nodes. Thus G is (CC(G)/d, d)-reducible. It follows that CC(G) ≥ e·d.
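The proof above is constructive: from any legal pebbling and any d it produces a set S_i of size at most CC/d that reduces the depth to at most d. The following added example (my code, not [ABP16]'s) carries that construction out on a chain and on the constructed five-node graph used with the pebbling example earlier; both graphs and the pebblings are constructed inputs.

```python
# Constructed inputs: the five-node toy graph with the slide's pebbling (cost 7),
# and a path graph pebbled one node at a time (cost n).
PARENTS = {1: (), 2: (1,), 3: (1, 2), 4: (3,), 5: (3, 4)}
PEBBLING = [{1}, {1, 2}, {3}, {3, 4}, {5}]


def chain(n):
    """Path DAG 1 -> 2 -> ... -> n."""
    return {v: ((v - 1,) if v > 1 else ()) for v in range(1, n + 1)}


def chain_pebbling(n):
    """Cheapest pebbling of the path: one pebble, moved forward each round."""
    return [{j} for j in range(1, n + 1)]


def depth(parents, n, removed=frozenset()):
    """Longest path of G - removed, counted in nodes (nodes numbered topologically)."""
    longest = {}
    for v in range(1, n + 1):
        if v in removed:
            continue
        longest[v] = 1 + max((longest[p] for p in parents[v] if p in longest), default=0)
    return max(longest.values(), default=0)


def residue_sets(pebbling, d):
    """S_i = P_i ∪ P_{d+i} ∪ P_{2d+i} ∪ ... for i = 1..d (rounds are 1-indexed)."""
    return [set().union(*pebbling[i - 1::d]) for i in range(1, d + 1)]


def reduction_from_pebbling(parents, n, pebbling, d):
    """The proof's construction: pick the smallest S_i.  Returns
    (S, |S|, depth(G - S)); the proof guarantees |S| <= cost/d and depth <= d."""
    sets = residue_sets(pebbling, d)
    cost = sum(len(p) for p in pebbling)
    # pigeonhole step: every round lands in exactly one S_i
    assert sum(len(s) for s in sets) <= cost
    S = min(sets, key=len)
    assert len(S) * d <= cost
    return S, len(S), depth(parents, n, frozenset(S))


def robustness_lower_bound(e, d):
    """Key Theorem: an (e, d)-depth-robust graph has CC(G) >= e * d."""
    return e * d


if __name__ == "__main__":
    print("toy graph, d=2:", reduction_from_pebbling(PARENTS, 5, PEBBLING, 2))
    n = 12
    print("chain of 12, d=4:", reduction_from_pebbling(chain(n), n, chain_pebbling(n), 4))
```

On the chain the construction is tight: a cost-n pebbling yields a set of n/d nodes that cuts the path into pieces of fewer than d nodes, matching the Key Theorem's bound CC ≥ e·d with e = n/d.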
Depth-Robustness is Sufficient [ABP16]
Implications: There exists a constant-indegree graph G with CC(G) ≥ Ω(n²/log n).
Previous best [AS15]: Ω(n²/log^{10} n)
[AB16]: We cannot do better (in an asymptotic sense).
Key Theorem: Let G = (V, E) be (e, d)-depth robust; then CC(G) ≥ e·d.
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current Recommendation: Argon2id
  • No side channel attacks: resists known attacks
  • Side channel attacks reduce security to Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions
• Depth-robustness is necessary and sufficient for secure iMHFs [AB16] [ABP16]
• Big Challenge: Improved constructions of depth-robust graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening

Passwords vs time: Look how far we've come
[Chart of growth over time, annotated with the Netscape IPO and the dotcom crash; source: Cormac's estimate. "The password is dead."]
Alternatives to Passwords

Biometrics
• Challenges: Revoke, Secrecy

Hardware Tokens
• Challenge: $$$ + more stuff to carry around

Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords
Graphical Passwords: Hotspots

Password Managers
• Password Management Software
• Challenge: Single point of failure
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working paper. [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear). [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016. [Full Version]
[Chart data behind the "Passwords vs time" slide: a table of internet users against world population by date, December 1990 to September 2010, with sources IDC, CI Almanac, Nua Ltd and Internet World Stats; the chart itself is not reproduced]
CryptographyCS 555
Topic 39 Password Hashing
2
Password Storage
3
Username
jblocki
+
jblocki 123456
SHA1(12345689d978034a3f6)=85e23cfe0021f584e3db87aa72630a9a2345c062
Hash
85e23cfe0021f584e3db87aa72630a9a2345c062
Salt
89d978034a3f6
bull Password breaches at major companies have affected millions of users
Offline Attacks A Common Problem
Offline Attacks A Common Problem
bull Password breaches at major companies have affected millions of users
A Dangerous Problem
$2400 onAmazon
Can we increase guessing costs for the attacker
Attempt 1 Hash Iteration
bull BCRYPT
bull PBKDF2 100000 SHA256 computations(iterative)
Estimated Cost on ASIC $1 per billion password guesses [BS14]
The Challenge
User Patience
Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously
Time
Uni
ts o
f Pat
ienc
e
USD
$
Goal Moderately Expensive Hash Function
Fast on PC and Expensive on ASIC
Memory Costs Equitable Across Architectures
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
iMHF (fGH)
12
3
4Output fGH (pwdsalt)= L4
Input pwd salt
1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)
Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)
bull Maximum indegree 120575120575 = O 1
1
Evaluating an iMHF (pebbling)
Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)
12
3
4 Output L4Inputpwd salt
1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)
1
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
-reducible
119862119862119862119862 = 119874119874 119894119894162
bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992
1198901198902-reducible
119862119862119862119862 = 119874119874 119894119894171
bull Argon2i (latest version) is 119890119890 119874119874 1198991198993
1198901198903-reducible
119862119862119862119862 = 119874119874 119894119894177
bull Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
bull Argon2 Winner of the password hashing competition[2015]
bull Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
1 2 3 4 ihellip n
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894helliphelliphellip
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816
helliphelliphellip
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let G = (V, E) be (e, d)-depth robust; then CC(G) ≥ e·d.

Proof: Let P₁, …, P_t denote an (optimal) pebbling of G. For 0 < i ≤ d define S_i = P_i ∪ P_{d+i} ∪ P_{2d+i} ∪ ⋯. Since these d sets together account for every pebble placed during the pebbling, one of the sets S_i has size at most CC(G)/d. Now we claim that d ≥ depth(G − S_i), because any path in G − S_i must have been completely pebbled at some point, and none of its nodes carries a pebble at the snapshot times i, d+i, 2d+i, …; thus it must have been pebbled entirely during some interval of length d. Thus G is (CC(G)/d, d)-reducible. Since G is (e, d)-depth robust, it follows that CC(G)/d > e, i.e. CC(G) ≥ e·d.
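An added worked example for the proof above (written for this page; not the lecture's or the [ABP16] authors' code). It checks a pebbling against the rules from the lecture, computes its cumulative complexity, builds the snapshot sets S_i = P_i ∪ P_{d+i} ∪ P_{2d+i} ∪ ⋯ from the proof, and confirms that the smallest one has size at most CC/d while leaving depth(G − S_i) ≤ d. The 7-node DAG and its pebbling are constructed for illustration only; because the graph is tiny, a brute-force (e, d)-depth-robustness check is included as well, so the theorem's inequality CC(G) ≥ e·d can be compared against the actual numbers.

```python
from itertools import combinations

# Constructed 7-node DAG for illustration (not the slides' example): the chain
# 1 -> 2 -> ... -> 7 plus the extra edges 1 -> 4, 3 -> 6 and 4 -> 7.
PARENTS = {1: [], 2: [1], 3: [2], 4: [1, 3], 5: [4], 6: [3, 5], 7: [4, 6]}

# Constructed legal pebbling P_1, ..., P_7 of PARENTS that discards pebbles as
# soon as they are no longer needed (CC = 1+2+2+2+3+2+1 = 13).
EXAMPLE_PEBBLING = [{1}, {1, 2}, {1, 3}, {3, 4}, {3, 4, 5}, {4, 6}, {7}]


def depth(parents, removed=frozenset()):
    """Number of nodes on the longest path of G - removed (labels are topological)."""
    longest = {}
    for v in sorted(parents):
        if v in removed:
            continue
        longest[v] = 1 + max((longest[p] for p in parents[v] if p not in removed), default=0)
    return max(longest.values(), default=0)


def is_legal_pebbling(parents, pebbling):
    """Pebbling rules from the lecture: a pebble may be placed on x at step i+1 only if
    every parent of x carried a pebble at step i (P_{i+1} is a subset of
    P_i u {x : parents(x) subset of P_i}), and the sink n must be pebbled at the end."""
    prev = set()
    for step in pebbling:
        for x in step:
            if x not in prev and not set(parents[x]) <= prev:
                return False
        prev = set(step)
    return max(parents) in prev


def cumulative_complexity(pebbling):
    """CC of one pebbling: pebbles on the graph, summed over all steps.  CC(G) is the
    minimum over all legal pebblings, so any single pebbling gives an upper bound."""
    return sum(len(step) for step in pebbling)


def smallest_snapshot_set(parents, pebbling, d):
    """The construction from the proof: for 1 <= i <= d take
    S_i = P_i u P_{d+i} u P_{2d+i} u ...  and keep the smallest one.
    Returns (S_i, depth(G - S_i)).  Every S_i satisfies depth(G - S_i) <= d, and by
    pigeonhole the smallest has |S_i| <= CC/d, so G is (CC/d, d)-reducible."""
    candidates = [set().union(*pebbling[i - 1::d]) for i in range(1, d + 1)]
    best = min(candidates, key=len)
    return best, depth(parents, frozenset(best))


def is_depth_robust(parents, e, d):
    """Brute-force (e, d)-depth robustness for a tiny graph: G is (e, d)-reducible if
    some S with |S| <= e has depth(G - S) <= d, and (e, d)-depth robust otherwise."""
    nodes = list(parents)
    for k in range(e + 1):
        for s in combinations(nodes, k):
            if depth(parents, frozenset(s)) <= d:
                return False
    return True


if __name__ == "__main__":
    cc = cumulative_complexity(EXAMPLE_PEBBLING)
    print("legal:", is_legal_pebbling(PARENTS, EXAMPLE_PEBBLING), "CC:", cc)
    for d in range(1, 8):
        s, dep = smallest_snapshot_set(PARENTS, EXAMPLE_PEBBLING, d)
        print(f"d={d}: S={sorted(s)} |S|={len(s)} <= CC/d={cc / d:.2f}, depth(G-S)={dep}")
    print("(1,4)-depth robust:", is_depth_robust(PARENTS, 1, 4), "=> CC >= 4 (actual", cc, ")")
```

For d = 3 the smallest snapshot set is S₁ = P₁ ∪ P₄ ∪ P₇ = {1, 3, 4, 7} with 3·4 = 12 ≤ 13 = CC and depth(G − S₁) = 2 ≤ 3, exactly the pigeonhole and depth claims of the proof; the brute-force check shows the graph is (1, 4)-depth robust but (1, 5)-reducible, so the theorem only promises CC ≥ 4 here, which the pebbling's 13 comfortably exceeds.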
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let G = (V, E) be (e, d)-depth robust; then CC(G) ≥ e·d.

Implications: There exists a constant-indegree graph G with

CC(G) ≥ Ω( n² / log n )

Previous best [AS15]: Ω( n² / log¹⁰ n )

[AB16]: We cannot do better (in an asymptotic sense).
Summary

• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But it still has its flaws [AB16, AB17]
• Current recommendation: Argon2id
  • Without side-channel attacks: resists known attacks
  • Side-channel attacks reduce its security to that of Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions

• Depth-robustness is necessary and sufficient for secure iMHFs [AB16, ABP16]
• Big challenge: improved constructions of depth-robust graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening

Passwords vs time: Look how far we've come

[Figure: timeline chart with "Netscape IPO" and "Dotcom crash" marked. Source: Cormac's estimate]

"The password is dead"
Biometrics

• Alternatives to passwords
• Challenges: revocation, secrecy

Hardware Tokens

• Alternatives to passwords
• Challenge: $$$ + more stuff to carry around

Graphical Passwords

• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: multiple passwords

Graphical Passwords: Hotspots

Password Managers

• Password management software

Related Work

• Password management software
• Challenge: single point of failure
References

• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working paper. [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear). [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016. [Full Version]
[Chart data residue: the embedded spreadsheet behind the "Passwords vs time" chart, listing by date (December 1990 through September 2010) the number of internet users, world population, an accounts-per-year estimate, and the information source for each row (IDC, CI Almanac, Nua Ltd, Internet World Stats). Column structure not recoverable from the extraction.]
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Offline Attacks: A Common Problem
• Password breaches at major companies have affected millions of users
A Dangerous Problem
$2400 on Amazon
Can we increase guessing costs for the attacker?
Attempt 1: Hash Iteration
• BCRYPT
• PBKDF2: 100,000 SHA256 computations (iterative)
Estimated Cost on ASIC: $1 per billion password guesses [BS14]
The Challenge: User Patience
Disclaimer: This slide is entirely for humorous effect. Don't take it too seriously.
[Chart: Units of Patience vs. Time, with a second axis in USD $]
Goal: Moderately Expensive Hash Function
Fast on PC and Expensive on ASIC
Memory Costs: Equitable Across Architectures
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
  • Graph Pebbling
  • Measuring Pebbling Costs
  • Desiderata
• Attacks on iMHF Constructions
• Constructing iMHFs
• Open Questions
Memory Hard Function (MHF)
• Intuition: computation costs dominated by memory costs
• Data Independent Memory Hard Function (iMHF)
  • Memory access pattern should not depend on input
iMHF Candidates
• Catena [FLW15]
  • Special Recognition at Password Hashing Competition
  • Two Variants: Dragonfly and Double-Butterfly
• Argon2 [BDK15]
  • Winner of the Password Hashing Competition
  • Argon2i (data-independent mode) is recommended for Password Hashing
• Balloon Hashing [BCS16]
  • Newer proposal (three variants in original proposal)
iMHF $f_{G,H}$
[Figure: DAG on nodes 1, 2, 3, 4]
Input: pwd, salt
Output: $f_{G,H}(\mathrm{pwd}, \mathrm{salt}) = L_4$
$L_1 = H(\mathrm{pwd}, \mathrm{salt})$, $L_3 = H(L_2, L_1)$
Defined by:
• $H: \{0,1\}^{2k} \to \{0,1\}^{k}$ (Random Oracle)
• DAG $G$ (encodes data-dependencies)
• Maximum indegree $\delta = O(1)$
Evaluating an iMHF (pebbling)
Pebbling Rules: $P = (P_1, \ldots, P_t)$ with each $P_i \subseteq V$ s.t.
• $P_{i+1} \subseteq P_i \cup \{x \in V : \mathrm{parents}(x) \subseteq P_i\}$ (need dependent values)
• $n \in P_t$ (must finish and output $L_n$)
[Figure: the same DAG on nodes 1, 2, 3, 4; Input: pwd, salt; Output: $L_4$; $L_1 = H(\mathrm{pwd}, \mathrm{salt})$, $L_3 = H(L_2, L_1)$]
Pebbling Example
[Figure: DAG on nodes 1, 2, 3, 4, 5; the pebbling below is shown one round at a time]
$P_1 = \{1\}$, $P_2 = \{1, 2\}$, $P_3 = \{3\}$, $P_4 = \{3, 4\}$, $P_5 = \{5\}$
Pebbling Example (CC)
$P_1 = \{1\}$, $P_2 = \{1, 2\}$, $P_3 = \{3\}$, $P_4 = \{3, 4\}$, $P_5 = \{5\}$
$\mathrm{CC}(G) \le \sum_{i=1}^{5} |P_i| = 1 + 2 + 1 + 2 + 1 = 7$
Measuring Cost
• Cumulative Complexity (CC)
$\mathrm{CC}(G) = \min_{P} \sum_{i=1}^{t_P} |P_i|$
• Amortization [AS15]: $\mathrm{CC}(G\,G) = 2 \times \mathrm{CC}(G)$ (two copies of $G$)
Pebbling Equivalence
Theorem [AS15]: High pebbling complexity of $G$ implies high amortized memory complexity for the iMHF $f_{G,H}$
Implication: Structure of the graph $G$ is key to iMHF security
Desiderata
Find a DAG $G$ on $n$ nodes such that:
1. Constant Indegree ($\delta = 2$)
2. $\mathrm{CC}(G) \ge \frac{n^2}{\tau}$ for some small value $\tau$
Maximize costs for fixed $n$ (Users are impatient)
Depth-Robustness: The Key Property
Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Naïve Pebbling Algorithms
• Sequential Algorithm (Naïve)
  • Constraint: One new pebble per round
  • Every iMHF is defined via its Naïve algorithm
• Example: Naïve (Pebble in Topological Order)
  • Never discard pebbles
  • Time: $n$
  • Average pebbles: $n/2$
  • $\mathrm{ER}(\text{Naïve}) = \Theta(Rn + n^2)$
Amortized Attack Quality
$\mathrm{Quality}_R(A) = \frac{\mathrm{ER}(\text{Naïve})}{\mathrm{ER}(A)} \times \mathrm{inst}(A)$, where $\mathrm{inst}(A)$ is the number of iMHF instances $A$ evaluates
Example: Algorithm $A$ evaluates 5 iMHF instances with total cost $\mathrm{ER}(A) = 100$ and $\mathrm{ER}(\text{Naïve}) = 40$
$\mathrm{Quality}_R(A) = \frac{40}{100} \times 5 = 2$
Desiderata
Find a DAG $G$ and a sequential pebbling algorithm $N$ with:
1. Constant Indegree ($\delta = 2$)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary $A$ ($c$ small)
3. $\mathrm{ER}(\text{Naïve}) \ge \frac{n^2}{\tau} + Rn$ for some small value $\tau$
Memory costs should dominate
Maximize costs for fixed $n$ (Users are impatient)
c-Ideal iMHF
Find a DAG $G$ and a sequential pebbling algorithm $N$ with:
1. Constant Indegree ($\delta = 2$)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary $A$ ($c$ small)
3. $\mathrm{ER}(\text{Naïve}) \ge \frac{n^2}{\tau} + Rn$ for $\tau = O(1)$
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General Attack on Non Depth Robust DAGs
  • Existing iMHFs are not Depth Robust
  • Ideal iMHFs don't exist
• Subsequent Results (Depth-Robustness is Sufficient)
• Open Questions
Depth-Robustness: The Key Property
Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Depth Robustness
Definition: A DAG $G = (V, E)$ is $(e, d)$-reducible if there exists $S \subseteq V$ s.t. $|S| \le e$ and $\mathrm{depth}(G - S) \le d$.
Otherwise we say that $G$ is $(e, d)$-depth robust.
[Figure: DAG on nodes 1, 2, 3, 4, 5]
Example: $(1, 2)$-reducible
Attacking $(e, d)$-reducible DAGs
• Input: $S$ with $|S| \le e$ such that $\mathrm{depth}(G - S) = d$, and a parameter $g > d$
• Light Phase ($g$ rounds): Discard most pebbles
  • Goal: Pebble the next $g$ nodes in $g$ (sequential) steps
  • Low Memory (only keep pebbles on $S$ and on parents of new nodes)
  • Lasts a "long" time
• Balloon Phase ($d$ rounds): Greedily Recover Missing Pebbles
  • Goal: Recover needed pebbles for upcoming light phase
  • Expensive but quick (at most $d$ steps in parallel)
Theorem (Depth-Robustness is a necessary condition): If $G$ is not $(e, d)$-depth robust then $\mathrm{CC}(G) = O\left(en + \sqrt{n^3 d}\right)$. In particular $\mathrm{CC}(G) = o(n^2)$ for $e, d = o(n)$.
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs?
Answer: No
• Catena [FLW15] is $\left(e, O\left(\frac{n}{e}\right)\right)$-reducible: $\mathrm{CC} = O(n^{1.62})$
• Balloon Hashing and Argon2i (old version) are $\left(e, O\left(\frac{n^2}{e^2}\right)\right)$-reducible: $\mathrm{CC} = O(n^{1.71})$
• Argon2i (latest version) is $\left(e, O\left(\frac{n^3}{e^3}\right)\right)$-reducible: $\mathrm{CC} = O(n^{1.77})$
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
• Argon2: Winner of the password hashing competition [2015]
• Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
[Figure: nodes $1, 2, 3, 4, \ldots, i, \ldots, n$ in a chain; each node $i$ also has a random predecessor $r(i) < i$]
Indegree $\delta = 2$
Argon2i: Reducing depth to $\sqrt{n}$
[Figure: nodes $1, 2, 3, \ldots, n^{3/4}, \ldots, 2n^{3/4}, \ldots, n$ partitioned into Layer 0, Layer 1, $\ldots$, Layer $\sqrt[4]{n}$, each layer a block of $n^{3/4}$ consecutive nodes]
Definition: $S_2 = \{v_i : v_{r(i)} \text{ and } v_i \text{ in the same layer}\}$
Claim: $S_2$ is small
Fact: Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
[Figure: the same layered DAG]
Let $S = S_1 + S_2$
Attack Simulation [AB16b]
Attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon2i-B parameter: Parameter setting could easily be chosen when following Argon2i-B guidelines
[Figure: simulation plot]
Ideal iMHFs Don't Exist
Thm [AB16]: Any graph $G$ (with constant in-degree) is at least somewhat depth-reducible
Implication: If $\mathrm{CC}(G) = \Omega(n^2)$ there is an attack $A$ with high quality
$\mathrm{Quality}_R(A) = \Omega\left(\frac{\log n}{\log \log n}\right)$
But we cannot rule them out in practice
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let $G = (V, E)$ be $(e, d)$-depth robust; then $\mathrm{CC}(G) \ge ed$.
Proof: Let $P_1, \ldots, P_t$ denote an (optimal) pebbling of $G$. For $0 \le i < d$ define $S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$. One of the sets $S_i$ has size at most $\mathrm{CC}(G)/d$. Now we claim that $d \ge \mathrm{depth}(G - S_i)$, because any path in $G - S_i$ must have been completely pebbled at some point; thus it must have been pebbled entirely during some interval of length $d$. Thus $G$ is $(\mathrm{CC}(G)/d, d)$-reducible. It follows that $\mathrm{CC}(G) \ge ed$.
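A small Python toolkit, added here as an example (not code from the lecture or from [AB16]/[ABP16]), that makes the pebbling rules, cumulative complexity, $(e,d)$-reducibility and the bound $\mathrm{CC}(G) \ge ed$ concrete on a toy DAG. The 5-node graph and its edges are an assumption chosen to match the earlier pebbling example ($P_1 = \{1\}, \ldots, P_5 = \{5\}$ with cost 7, and $(1,2)$-reducible); the slides draw the graph but do not list its edges.

```python
"""Pebbling toolkit for tiny DAGs (added example; not from the lecture).

Implements the slides' model: a DAG G on nodes 1..n, pebblings P_1..P_t,
CC(G) = min over legal pebblings of sum |P_i|, and (e,d)-reducibility.
The exact searches enumerate all 2^n pebble configurations or all node
subsets, so they are only meant for graphs with a handful of nodes.
"""
import heapq
from itertools import combinations

# Constructed DAG (an assumption: the slides draw but do not list the edges),
# chosen so that the slides' 5-node pebbling is legal and costs 7.
# parents[v] = nodes whose labels are hashed to produce label L_v.
EXAMPLE_PARENTS = {1: [], 2: [1], 3: [1, 2], 4: [3], 5: [3, 4]}
EXAMPLE_PEBBLING = [{1}, {1, 2}, {3}, {3, 4}, {5}]   # the slides' P_1..P_5


def pebbleable(parents, config):
    """Nodes that may receive a pebble when `config` is on the graph."""
    return {v for v, ps in parents.items() if all(p in config for p in ps)}


def is_legal_pebbling(parents, pebbling):
    """Rule 1: P_{i+1} lies within P_i plus the nodes whose parents all lie
    in P_i.  Rule 2: the sink n carries a pebble in the final round."""
    prev = frozenset()
    for config in pebbling:
        config = frozenset(config)
        if not config <= prev | pebbleable(parents, prev):
            return False
        prev = config
    return max(parents) in prev


def cumulative_cost(pebbling):
    """sum |P_i|: memory held, summed over rounds (pebble-rounds)."""
    return sum(len(p) for p in pebbling)


def naive_pebbling(parents):
    """The slides' Naive algorithm: topological order, never discard."""
    return [set(range(1, v + 1)) for v in sorted(parents)]


def exact_cc(parents):
    """CC(G) via Dijkstra over pebble configurations (parallel moves are
    allowed); a move costs the size of the configuration it produces."""
    n = max(parents)
    dist = {frozenset(): 0}
    heap = [(0, ())]
    while heap:
        d, cur = heapq.heappop(heap)
        cur = frozenset(cur)
        if d > dist[cur]:
            continue                         # stale entry
        if n in cur:
            return d                         # first finishing pop is optimal
        allowed = sorted(cur | pebbleable(parents, cur))
        for k in range(1, len(allowed) + 1):
            for nxt in combinations(allowed, k):   # any subset is legal
                fs = frozenset(nxt)
                if d + k < dist.get(fs, float("inf")):
                    dist[fs] = d + k
                    heapq.heappush(heap, (d + k, nxt))
    raise ValueError("sink unreachable: `parents` must describe a DAG on 1..n")


def depth(parents, removed=frozenset()):
    """Nodes on the longest directed path of G - removed; this is the
    convention under which the slides' 5-node example is (1,2)-reducible."""
    longest = {}
    for v in sorted(parents):            # labels are topological (parents < v)
        if v not in removed:
            longest[v] = 1 + max((longest[p] for p in parents[v]
                                  if p in longest), default=0)
    return max(longest.values(), default=0)


def min_removal_for_depth(parents, d):
    """Smallest e such that G is (e,d)-reducible (brute force over S)."""
    nodes = sorted(parents)
    for e in range(len(nodes) + 1):
        if any(depth(parents, frozenset(S)) <= d
               for S in combinations(nodes, e)):
            return e
    return len(nodes)


def depth_robust_lower_bound(parents):
    """max e*d over the (e,d) for which G is (e,d)-depth robust, i.e. the
    [ABP16] bound CC(G) >= e*d evaluated exactly for a tiny graph."""
    return max(((min_removal_for_depth(parents, d) - 1) * d
                for d in range(1, depth(parents))), default=0)


if __name__ == "__main__":
    G = EXAMPLE_PARENTS
    print("slide pebbling legal:", is_legal_pebbling(G, EXAMPLE_PEBBLING),
          "cost:", cumulative_cost(EXAMPLE_PEBBLING))
    print("CC(G) =", exact_cc(G), " naive cost =",
          cumulative_cost(naive_pebbling(G)))
    print("(1,2)-reducible:", min_removal_for_depth(G, 2) <= 1)
    print("depth-robustness bound: CC(G) >=", depth_robust_lower_bound(G))
```

On the toy graph the search confirms that the slides' pebbling is optimal ($\mathrm{CC}(G) = 7$ against 15 for the naïve pebbling) and that the exact $(e,d)$ profile only certifies $\mathrm{CC}(G) \ge 2$, which shows how loose the bound is on graphs that are far from depth robust.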
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let $G = (V, E)$ be $(e, d)$-depth robust; then $\mathrm{CC}(G) \ge ed$.
Implications: There exists a constant indegree graph $G$ with $\mathrm{CC}(G) \ge \Omega\left(\frac{n^2}{\log n}\right)$
Previous Best [AS15]: $\Omega\left(\frac{n^2}{\log^{10} n}\right)$
[AB16]: We cannot do better (in an asymptotic sense)
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current Recommendation: Argon2id
  • No side channel attacks: Resists known attacks
  • Side channel attacks reduce security to Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
• Depth-robustness is necessary and sufficient for secure iMHFs [AB16], [ABP16]
• Big Challenge: Improved Constructions of Depth-Robust Graphs
  • We already have constructions in theory [EGS77, PR80, ...]
  • But constants matter
Thanks for Listening
Passwords vs time: Look how far we've come
[Chart annotations: Netscape IPO, Dotcom crash]
Source: Cormac's estimate
"The password is dead"
Biometrics
• Alternatives to Passwords
Challenges: Revoke, Secrecy
Hardware Tokens
• Alternatives to Passwords
Challenge: $$$ + more stuff to carry around
Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
Challenge: Multiple Passwords
Graphical Passwords: Hotspots
Password Managers
• Password Management Software
Related Work
• Password Management Software
Challenge: Single point of failure
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear) [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working Paper [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear) [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016 [Full Version]
[Chart data for the "Passwords vs time" slide: number of Internet users and world population by date, December 1990 to September 2010, with the information source for each row (IDC, CI Almanac, Nua Ltd, Internet World Stats) and an accounts-per-year column]
Offline Attacks A Common Problem
bull Password breaches at major companies have affected millions of users
A Dangerous Problem
$2400 onAmazon
Can we increase guessing costs for the attacker
Attempt 1 Hash Iteration
bull BCRYPT
bull PBKDF2 100000 SHA256 computations(iterative)
Estimated Cost on ASIC $1 per billion password guesses [BS14]
The Challenge
User Patience
Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously
Time
Uni
ts o
f Pat
ienc
e
USD
$
Goal Moderately Expensive Hash Function
Fast on PC and Expensive on ASIC
Memory Costs Equitable Across Architectures
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
iMHF (fGH)
12
3
4Output fGH (pwdsalt)= L4
Input pwd salt
1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)
Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)
bull Maximum indegree 120575120575 = O 1
1
Evaluating an iMHF (pebbling)
Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)
12
3
4 Output L4Inputpwd salt
1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)
1
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
-reducible
119862119862119862119862 = 119874119874 119894119894162
bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992
1198901198902-reducible
119862119862119862119862 = 119874119874 119894119894171
bull Argon2i (latest version) is 119890119890 119874119874 1198991198993
1198901198903-reducible
119862119862119862119862 = 119874119874 119894119894177
bull Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
bull Argon2 Winner of the password hashing competition[2015]
bull Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
1 2 3 4 ihellip n
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i: Reducing depth to √n
[Figure: the nodes 1, 2, 3, …, n split into n^{1/4} consecutive layers of n^{3/4} nodes each: Layer 0 = {1, …, n^{3/4}}, Layer 1 = {n^{3/4}+1, …, 2n^{3/4}}, …, and the last layer ends at n]
Definition: $S_2 = \{\, v_i : v_{r(i)} \text{ and } v_i \text{ lie in the same layer} \,\}$
Claim: $S_2$ is small
Fact: Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
[Figure: the same layered view with edge labels +2, +3, …]
Let $S = S_1 \cup S_2$
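The layered depth reduction sketched above, worked through as an added Python example (this is not the authors' code): it constructs a toy single-pass Argon2i-style DAG (chain edge plus a uniformly random predecessor r(i) < i), removes S = S1 ∪ S2 using layers of size n^{3/4} and chain cuts every n^{1/4} nodes (my parameter choices; the slide only states the target depth), and checks that depth(G − S) drops to at most √n while |S| stays well below n. All function names are mine.

```python
"""Layered depth reduction of an Argon2i-style DAG (added illustration).

Constructed toy model of single-pass Argon2i: node i has parents i-1 (chain edge)
and a random predecessor r(i) < i.  Layers of size L = n^(3/4) give n^(1/4) layers.
S2 = {v_i : v_{r(i)} lies in the same layer as v_i} removes every within-layer random
edge; S1 = every g-th node cuts the chain inside each layer into pieces of < g nodes.
A path in G - S visits each layer at most once, along one chain piece, so
depth(G - S) <= (n/L) * (g - 1).  With L = n^(3/4) and g = n^(1/4) that is below sqrt(n).
"""
import random


def argon2i_dag(n, seed=0):
    """parents[i] for i in 1..n; r(i) is uniform in [1, i-1] (constructed model)."""
    rng = random.Random(seed)
    parents = {1: []}
    for i in range(2, n + 1):
        r = rng.randint(1, i - 1)          # random predecessor r(i) < i
        parents[i] = sorted({i - 1, r})    # indegree <= 2 (r may coincide with i-1)
    return parents


def depth(parents, removed=frozenset()):
    """Number of nodes on the longest path of G - removed (nodes are topologically ordered 1..n)."""
    longest = {}
    for v in sorted(parents):
        if v in removed:
            continue
        longest[v] = 1 + max((longest[u] for u in parents[v] if u not in removed), default=0)
    return max(longest.values(), default=0)


def layered_reduction_set(parents, layer_size, gap):
    """S = S1 | S2 for layers {1..L}, {L+1..2L}, ... and chain cuts at every multiple of gap."""
    layer = lambda v: (v - 1) // layer_size
    # S2: nodes whose random parent sits in their own layer (the chain edge i-1 -> i is exempt)
    s2 = {v for v, ps in parents.items()
          for u in ps if u != v - 1 and layer(u) == layer(v)}
    # S1: cut every gap-th node so no chain piece inside a layer has gap or more nodes
    s1 = {v for v in parents if v % gap == 0}
    return s1 | s2


def reduce_argon2i(n, seed=0):
    """Return (|S|, depth(G - S), sqrt(n)) for L = n^(3/4), g = n^(1/4); n must be a perfect 4th power."""
    quarter = round(n ** 0.25)
    assert quarter ** 4 == n, "n must be a perfect fourth power for this parameter choice"
    g = argon2i_dag(n, seed)
    S = layered_reduction_set(g, quarter ** 3, quarter)
    return len(S), depth(g, S), quarter ** 2


if __name__ == "__main__":
    e, d, root_n = reduce_argon2i(4096)
    print(f"n=4096: removed e={e} nodes, depth(G-S)={d} <= sqrt(n)={root_n}")
```

The full graph has depth n (the chain), so the bound is a genuine reduction; the expected size of S2 is O(L log n), i.e. e = O(n^{3/4} log n) for this choice.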
Attack Simulation [AB16b]
[Figure: simulated attack cost against parameter choice] Attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon2i-B parameter: a setting that could easily be chosen when following the Argon2i-B guidelines
Ideal iMHFs Don't Exist
Thm [AB16]: Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication: If $CC(G) = \Omega(n^2)$ there is an attack A with high quality: $\text{Quality}_R(A) = \Omega\left(\frac{\log n}{\log \log n}\right)$
But we cannot rule them out in practice
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Theorem [ABP16]: Let G=(V,E) be (e,d)-depth robust; then $CC(G) \ge e\,d$.
Proof: Let $P_1, \ldots, P_t$ denote an (optimal) pebbling of G. For $0 < i \le d$ define $S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$. One of the sets $S_i$ has size at most $CC(G)/d$. Now we claim that $d \ge \text{depth}(G - S_i)$: no node of $G - S_i$ ever carries a pebble at a step $\equiv i \pmod d$, and any path in $G - S_i$ must have been completely pebbled at some point, so it must have been pebbled entirely during some interval of length d. Thus G is $(CC(G)/d, d)$-reducible. It follows that $CC(G) \ge e\,d$.
Depth-Robustness is Sufficient [ABP16]
Implications: There exists a constant indegree graph G with $CC(G) \ge \Omega\left(\frac{n^2}{\log n}\right)$
Previous Best [AS15]: $\Omega\left(\frac{n^2}{\log^{10} n}\right)$
[AB16]: We cannot do better (in an asymptotic sense)
Theorem [ABP16]: Let G=(V,E) be (e,d)-depth robust; then $CC(G) \ge e\,d$.
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current Recommendation: Argon2id
  • No side channel attacks: Resists known attacks
  • Side channel attacks reduce security to Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
• Depth-robustness is a necessary and sufficient condition for secure iMHFs [AB16] [ABP16]
• Big Challenge: Improved Constructions of Depth-Robust Graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening
Passwords vs time: Look how far we've come
[Figure: estimated number of password-protected accounts over time, with the Netscape IPO and the Dotcom crash marked. Source: Cormac's estimate]
"The password is dead"
Biometrics
• Alternatives to Passwords
• Challenges: Revoke, Secrecy
Hardware Tokens
• Alternatives to Passwords
• Challenge: $$$ + more stuff to carry around
Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords
Graphical Passwords: Hotspots
Password Managers
• Password Management Software
• Challenge: Single point of failure
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear) [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou (Working Paper) [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear) [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016 [Full Version]
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Attempt 1: Hash Iteration
• BCRYPT
• PBKDF2: 100,000 SHA256 computations (iterative)
Estimated cost on ASIC: $1 per billion password guesses [BS14]
The Challenge: User Patience
Disclaimer: This slide is entirely for humorous effect. Don't take it too seriously.
(Chart: "Units of Patience" and "USD $" plotted against Time)
Goal: Moderately Expensive Hash Function
• Fast on PC and expensive on ASIC
• Memory costs: equitable across architectures
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
  • Graph Pebbling
  • Measuring Pebbling Costs
  • Desiderata
• Attacks on iMHF Constructions
• Constructing iMHFs
• Open Questions
Memory Hard Function (MHF)
• Intuition: computation costs dominated by memory costs
• Data Independent Memory Hard Function (iMHF)
  • Memory access pattern should not depend on input
iMHF Candidates
• Catena [FLW15]
  • Special Recognition at the Password Hashing Competition
  • Two variants: Dragonfly and Double-Butterfly
• Argon2 [BDK15]
  • Winner of the Password Hashing Competition
  • Argon2i (data-independent mode) is recommended for password hashing
• Balloon Hashing [BCS16]
  • Newer proposal (three variants in the original proposal)
iMHF ($f_{G,H}$)
(Figure: a 4-node DAG on nodes 1, 2, 3, 4; input: pwd, salt; output: $f_{G,H}(\mathrm{pwd}, \mathrm{salt}) = L_4$)
$L_1 = H(\mathrm{pwd}, \mathrm{salt})$, $L_3 = H(L_2, L_1)$
Defined by:
• $H: \{0,1\}^{2k} \to \{0,1\}^k$ (Random Oracle)
• DAG G (encodes data dependencies)
  • Maximum indegree δ = O(1)
Evaluating an iMHF (pebbling)
Pebbling rules: $P = (P_1, \ldots, P_t)$ with each $P_i \subseteq V$, such that
• $P_{i+1} \subseteq P_i \cup \{x \in V : \mathrm{parents}(x) \subseteq P_i\}$ (need dependent values)
• $n \in P_t$ (must finish and output $L_n$)
(Figure: the same 4-node DAG; input: pwd, salt; output: $L_4$; $L_1 = H(\mathrm{pwd}, \mathrm{salt})$, $L_3 = H(L_2, L_1)$)
Pebbling Example
(Figure: the example DAG on nodes 1 2 3 4 5; the pebbling is built up one round at a time)
P1 = {1}
P2 = {1, 2}
P3 = {3}
P4 = {3, 4}
P5 = {5}
Pebbling Example (CC)
$\mathrm{CC}(G) \le \sum_{i=1}^{5} |P_i| = 1 + 2 + 1 + 2 + 1 = 7$
Measuring Cost
• Cumulative Complexity (CC): $\mathrm{CC}(G) = \min_{P} \sum_{i=1}^{t_P} |P_i|$
• Amortization [AS15]: $\mathrm{CC}(G \cup G) = 2 \times \mathrm{CC}(G)$ (two disjoint copies of G cost exactly twice as much to pebble)
Pebbling Equivalence
Theorem (Informal): High pebbling complexity of G implies high amortized memory complexity for the iMHF $f_{G,H}$.
Implication: The structure of the graph G is key to iMHF security.
Desiderata
Find a DAG G on n nodes such that:
1. Constant indegree (δ = 2)
2. $\mathrm{CC}(G) \ge n^2 / \tau$ for some small value τ
Maximize costs for fixed n (users are impatient).
Depth-Robustness: The Key Property
Necessary [AB16] and sufficient [ABP16] for secure iMHFs.
Naïve Pebbling Algorithms
• Sequential Algorithm (Naïve)
  • Constraint: one new pebble per round
  • Every iMHF is defined via its Naïve algorithm
• Example: Naïve (pebble in topological order)
  • Never discard pebbles
  • Time: n
  • Average pebbles: n/2
  • $\mathrm{ER}(\text{Naïve}) = \Theta(Rn + n^2)$
Amortized Attack Quality
$\mathrm{Quality}_R(A) = \frac{\mathrm{ER}(\text{Naïve})}{\mathrm{ER}(A)} \times \#\mathrm{inst}(A)$
Example: Algorithm A evaluates 5 iMHF instances with total cost $\mathrm{ER}(A) = 100$, and $\mathrm{ER}(\text{Naïve}) = 40$:
$\mathrm{Quality}_R(A) = \frac{40}{100} \times 5 = 2$
Desiderata
Find a DAG G and a sequential pebbling algorithm N with:
1. Constant indegree (δ = 2)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary A (c small)
3. $\mathrm{ER}(\text{Naïve}) \ge n^2/\tau + Rn$ for some small value τ
Memory costs should dominate. Maximize costs for fixed n (users are impatient).
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with:
1. Constant indegree (δ = 2)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary A (c small)
3. $\mathrm{ER}(\text{Naïve}) \ge n^2/\tau + Rn$ for τ = O(1)
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General attack on non depth-robust DAGs
  • Existing iMHFs are not depth robust
  • Ideal iMHFs don't exist
• Subsequent Results (Depth-Robustness is Sufficient)
• Open Questions
Depth Robustness
Definition: A DAG G = (V, E) is (e,d)-reducible if there exists $S \subseteq V$ s.t. $|S| \le e$ and $\mathrm{depth}(G - S) \le d$.
Otherwise we say that G is (e,d)-depth robust.
Example (figure: the DAG on nodes 1 2 3 4 5): (1,2)-reducible
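The pebbling rules, cumulative complexity, the attack-quality formula and the (e,d)-reducibility definition above, worked in code. This is an added example, not code from the slides or from the cited papers; the 5-node edge set, the node-counted depth convention and the toy Argon2i-style generator are assumptions, stated again in the comments.

```python
"""Graph pebbling toolkit for the iMHF material above (added example, not code
from the slides or the cited papers). Assumptions: the 5-node edge set below is
chosen to be consistent with the pebbling P1..P5 shown on the slides
(parents(2)={1}, parents(3)={1,2}, parents(4)={3}, parents(5)={3,4}); depth is
counted in nodes on the longest path, under which that DAG is (1,2)-reducible
as the slides state; argon2i_like_edges is a toy model, not Argon2i's indexing."""
import random
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[int, int]  # (u, v): label L_v depends on L_u; always u < v

# Constructed example DAG on nodes 1..5 (assumption, see docstring).
EXAMPLE_EDGES: List[Edge] = [(1, 2), (1, 3), (2, 3), (3, 4), (3, 5), (4, 5)]
EXAMPLE_N = 5
# The pebbling from the slides: P1={1}, P2={1,2}, P3={3}, P4={3,4}, P5={5}.
SLIDE_PEBBLING: List[Set[int]] = [{1}, {1, 2}, {3}, {3, 4}, {5}]


def parents(edges: List[Edge], n: int) -> Dict[int, Set[int]]:
    """parents(v) = {u : (u, v) in E}; nodes with no parents are sources."""
    par: Dict[int, Set[int]] = {v: set() for v in range(1, n + 1)}
    for u, v in edges:
        if not 1 <= u < v <= n:
            raise ValueError(f"edge {(u, v)} must satisfy 1 <= u < v <= n")
        par[v].add(u)
    return par


def is_legal_pebbling(edges: List[Edge], n: int, pebbling: List[Set[int]]) -> bool:
    """Pebbling rules from the slides, starting from P_0 = {}:
    P_{i+1} ⊆ P_i ∪ {x : parents(x) ⊆ P_i}  (a label can only be computed from
    labels currently held in memory) and n ∈ P_t (the output L_n is produced)."""
    par = parents(edges, n)
    prev: Set[int] = set()
    for cur in pebbling:
        placeable = {x for x in range(1, n + 1) if par[x] <= prev}
        if not cur <= prev | placeable:
            return False
        prev = cur
    return n in prev


def cumulative_cost(pebbling: List[Set[int]]) -> int:
    """Sum_i |P_i|: memory held in every round, added up (CC(G) is the min over P)."""
    return sum(len(p) for p in pebbling)


def naive_pebbling(n: int) -> List[Set[int]]:
    """Sequential Naïve algorithm: pebble in topological order, never discard."""
    return [set(range(1, i + 1)) for i in range(1, n + 1)]


def energy_cost(pebbling: List[Set[int]], core_mem_ratio: float) -> float:
    """ER(P) modelled as R * (#rounds) + Sum_i |P_i|, R being the cost of one hash
    evaluation relative to holding one label for one round (assumed cost model)."""
    return core_mem_ratio * len(pebbling) + cumulative_cost(pebbling)


def attack_quality(er_naive: float, er_attack: float, instances: int) -> float:
    """Quality_R(A) = ER(Naïve) / ER(A) * #inst(A), the slides' amortized measure."""
    return er_naive / er_attack * instances


def depth(edges: List[Edge], n: int, removed: Set[int] = frozenset()) -> int:
    """Longest path in G - S, counted in nodes (0 if every node is removed).
    Index order is a topological order because every edge has u < v."""
    par = parents(edges, n)
    longest: Dict[int, int] = {}
    for v in range(1, n + 1):
        if v in removed:
            continue
        longest[v] = 1 + max((longest[u] for u in par[v] if u in longest), default=0)
    return max(longest.values(), default=0)


def reducing_set(edges: List[Edge], n: int, e: int, d: int) -> Optional[Set[int]]:
    """Brute-force witness that G is (e,d)-reducible: some S with |S| <= e and
    depth(G - S) <= d, or None if G is (e,d)-depth robust. Exponential in e."""
    for size in range(e + 1):
        for cand in combinations(range(1, n + 1), size):
            s = set(cand)
            if depth(edges, n, s) <= d:
                return s
    return None


def argon2i_like_edges(n: int, seed: int = 0) -> List[Edge]:
    """Toy Argon2i-style DAG (assumption, not Argon2i's real indexing function):
    node i depends on i-1 and on a uniformly random predecessor r(i) < i."""
    rng = random.Random(seed)
    edges: List[Edge] = []
    for i in range(2, n + 1):
        edges.append((i - 1, i))
        r = rng.randint(1, i - 1)
        if r != i - 1:  # skip a duplicate edge; indegree stays <= 2
            edges.append((r, i))
    return edges
```

On the 5-node example, `is_legal_pebbling` accepts the slides' pebbling (CC upper bound 7 versus 15 for the Naïve pebbling), `attack_quality(40, 100, 5)` reproduces the slides' value 2, and `reducing_set(EXAMPLE_EDGES, 5, 1, 2)` returns the single node whose removal brings the depth down to 2.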
Attacking (e,d)-reducible DAGs
• Input: S with $|S| \le e$ such that $\mathrm{depth}(G - S) = d$, and a parameter g > d
• Light Phase (g rounds): discard most pebbles
  • Goal: pebble the next g nodes in g (sequential) steps
  • Low memory (only keep pebbles on S and on parents of new nodes)
  • Lasts a "long" time
• Balloon Phase (d rounds): greedily recover missing pebbles
  • Goal: recover the pebbles needed for the upcoming light phase
  • Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition): If G is not (e,d)-depth robust then $\mathrm{CC}(G) = O\left(en + \sqrt{n^3 d}\right)$. In particular, $\mathrm{CC}(G) = o(n^2)$ for $e, d = o(n)$.
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs?
Answer: No
• Catena [FLW15] is $(e, O(n/e))$-reducible: $\mathrm{CC}(G) = O(n^{1.62})$
• Balloon Hashing and Argon2i (old version) are $(e, O(n^2/e^2))$-reducible: $\mathrm{CC}(G) = O(n^{1.71})$
• Argon2i (latest version) is $(e, O(n^3/e^3))$-reducible: $\mathrm{CC}(G) = O(n^{1.77})$
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
• Argon2: winner of the Password Hashing Competition [2015]
• Authors recommend the Argon2i variant (data-independent) for password hashing
Argon2i
(Figure: the chain 1 → 2 → 3 → 4 → … → i → … → n; each node i additionally has an edge from a random predecessor r(i) < i)
Indegree δ = 2
Argon2i: Reducing depth
(Figure: nodes 1, 2, 3, …, n split into consecutive layers Layer 0, Layer 1, …, Layer $\sqrt[4]{n}$, each containing $n^{3/4}$ nodes)
Definition: $S_2 = \{v_i : v_{r(i)} \text{ and } v_i \text{ lie in the same layer}\}$
Claim: $S_2$ is small
Fact: Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
(Figure: the same layered view of nodes 1, …, n, with the random edges drawn between layers)
Let $S = S_1 + S_2$
Attack Simulation [AB16b]
(Chart: the attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line))
Pessimistic Argon2i-B parameter: a setting that could easily be chosen when following the Argon2i-B guidelines
Ideal iMHFs Don't Exist
Theorem [AB16]: Any graph G (with constant in-degree) is at least somewhat depth-reducible.
Implication: If $\mathrm{CC}(G) = \Omega(n^2)$ there is an attack A with high quality:
$\mathrm{Quality}_R(A) = \Omega\left(\frac{\log n}{\log \log n}\right)$
But we cannot rule them out in practice.
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let G = (V, E) be (e,d)-depth robust. Then $\mathrm{CC}(G) \ge ed$.
Proof: Let $P_1, \ldots, P_t$ denote an (optimal) pebbling of G. For $0 < i \le d$ define
$S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$
One of the sets $S_i$ has size at most $\mathrm{CC}(G)/d$. Now we claim that $d \ge \mathrm{depth}(G - S_i)$, because any path in $G - S_i$ must have been completely pebbled at some point; thus it must have been pebbled entirely during some interval of length d. Thus G is $(\mathrm{CC}(G)/d, d)$-reducible. It follows that $\mathrm{CC}(G) \ge ed$.
Depth-Robustness is Sufficient [ABP16]
Implications: There exists a constant-indegree graph G with
$\mathrm{CC}(G) \ge \Omega\left(\frac{n^2}{\log n}\right)$
Previous best [AS15]: $\Omega\left(\frac{n^2}{\log^{10} n}\right)$
[AB16]: We cannot do better (in an asymptotic sense).
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current recommendation: Argon2id
  • No side-channel attacks: resists known attacks
  • Side-channel attacks reduce security to Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
• Depth-robustness is necessary and sufficient for secure iMHFs [AB16], [ABP16]
• Big challenge: improved constructions of depth-robust graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening
Passwords vs. time: Look how far we've come
(Chart: passwords over time, annotated with the Netscape IPO and the dotcom crash; source: Cormac's estimate)
"The password is dead"
Biometrics
• Alternatives to Passwords
  • Challenges: revoke, secrecy
Hardware Tokens
• Alternatives to Passwords
  • Challenge: $$$ + more stuff to carry around
Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: multiple passwords
Graphical Passwords: Hotspots
Password Managers
• Password Management Software
Related Work
• Password Management Software
  • Challenge: single point of failure
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak, EUROCRYPT 2017 (to appear) [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou (working paper) [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen, EuroS&P 2017 (to appear) [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen, CRYPTO 2016 [Full Version]
The Challenge
User Patience
Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously
Time
Uni
ts o
f Pat
ienc
e
USD
$
Goal Moderately Expensive Hash Function
Fast on PC and Expensive on ASIC
Memory Costs Equitable Across Architectures
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
iMHF (fGH)
12
3
4Output fGH (pwdsalt)= L4
Input pwd salt
1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)
Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)
bull Maximum indegree 120575120575 = O 1
1
Evaluating an iMHF (pebbling)
Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)
12
3
4 Output L4Inputpwd salt
1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)
1
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
-reducible
119862119862119862119862 = 119874119874 119894119894162
bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992
1198901198902-reducible
119862119862119862119862 = 119874119874 119894119894171
bull Argon2i (latest version) is 119890119890 119874119874 1198991198993
1198901198903-reducible
119862119862119862119862 = 119874119874 119894119894177
bull Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
• Argon2: Winner of the password hashing competition [2015]
• Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
Nodes 1 2 3 4 … i … n; each node i has a random predecessor r(i) < i
Indegree δ = 2
Argon2i: Reducing depth to √n
Nodes 1, 2, 3, …, n^(3/4), …, 2n^(3/4), …, n, grouped into Layer 0, Layer 1, …, Layer n^(1/4)
Definition: S2 = { v_i : v_r(i) and v_i in same layer }
Claim: S2 is small
Fact: Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
Nodes 1, 2, 3, …, n^(3/4), …, 2n^(3/4), …, n (Layer 0, Layer 1, …, Layer n^(1/4)); path edges labelled +2, +3, …
Let S = S1 + S2
Attack Simulation [AB16b]
Attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line in the plot).
Pessimistic Argon2i-B parameter: this parameter setting could easily be chosen when following the Argon2i-B guidelines.
Ideal iMHFs Don't Exist
Thm [AB16]: Any graph G (with constant in-degree) is at least somewhat depth-reducible.
Implication: If CC(G) = Ω(n²), there is an attack A with high quality: Quality_R(A) = Ω(log(n) / log log(n)).
But we cannot rule them out in practice.
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let G=(V,E) be (e,d)-depth robust; then CC(G) ≥ e·d.
Proof: Let P1,…,Pt denote an (optimal) pebbling of G. For 0 < i < d define S_i = P_i ∪ P_(d+i) ∪ P_(2d+i) ∪ ⋯ . One of the sets S_i has size at most CC(G)/d. Now we claim that d ≥ depth(G−S_i), because any path in G−S_i must have been completely pebbled at some point; thus it must have been pebbled entirely during some interval of length d. Thus G is (CC(G)/d, d)-reducible. It follows that CC(G) ≥ e·d.
Implications: There exists a constant indegree graph G with CC(G) ≥ Ω(n²/log n).
Previous Best [AS15]: Ω(n²/log^10 n)
[AB16]: We cannot do better (in an asymptotic sense).
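The definitions above, as an added Python example that is not code from the slides or the cited papers: checking (e,d)-reducibility by exhaustive search on the 5-node example, building the layered set S = S1 + S2 for an Argon2i-style chain-plus-random-parent graph and measuring how far it cuts the depth, and forming the residue-class sets S_i from the [ABP16] proof. It assumes nodes are numbered 1..n in topological order, that depth counts the nodes on the longest path, that the 5-node example's edges are reconstructed from the slide's pebbling sequence, and that the random graph is only the shape sketched on the slides, not Argon2's real indexing function.

```python
"""(e,d)-reducibility, the layered S = S1 + S2 depth reduction of an Argon2i-style
DAG, and the residue-class sets behind "depth-robust implies CC(G) >= e*d".

Added example, not code from the slides or the cited papers. Assumptions: nodes
are 1..n with every edge pointing to a larger node; depth counts the NODES on the
longest path (so deleting node 3 from the 5-node example leaves two 2-node paths:
(1,2)-reducible); the example graph's edges are reconstructed from the slide's
pebbling sequence (a node's parents must be pebbled one step earlier)."""
import itertools
import random

EXAMPLE_PARENTS = {1: [], 2: [1], 3: [1, 2], 4: [3], 5: [3, 4]}  # reconstructed
SLIDE_PEBBLING = [{1}, {1, 2}, {3}, {3, 4}, {5}]                # from the slides, CC = 7


def depth_without(parents, removed):
    """depth(G - S) in nodes, by DP over nodes in increasing (= topological) order."""
    longest, best = {}, 0
    for v in sorted(parents):
        if v in removed:
            continue
        longest[v] = 1 + max((longest[p] for p in parents[v] if p not in removed), default=0)
        best = max(best, longest[v])
    return best


def min_reducing_set(parents, d):
    """Smallest e (and a witness S) such that G is (e,d)-reducible; exhaustive, tiny graphs only."""
    nodes = sorted(parents)
    for e in range(len(nodes) + 1):
        for cand in itertools.combinations(nodes, e):
            if depth_without(parents, set(cand)) <= d:
                return e, set(cand)
    raise RuntimeError("unreachable: removing every node gives depth 0")


def argon2i_style_dag(n, seed=0):
    """Chain edge i-1 -> i plus one uniformly random earlier parent r(i) < i (indegree 2).
    Only the shape sketched on the slides, not Argon2's actual indexing function."""
    rng = random.Random(seed)
    parents = {1: []}
    for i in range(2, n + 1):
        parents[i] = [i - 1, rng.randint(1, i - 1)]  # random parent stored last
    return parents


def layered_reducing_set(parents, layer_size, stride):
    """S = S1 + S2 as on the slides.
    S2: nodes whose random parent lies in the same layer, so every random edge that
        survives in G-S jumps to a strictly later layer (layer 0 lands entirely in S2).
    S1: every stride-th chain node, so a run of chain edges inside one layer visits at
        most stride-1 nodes ("easy to reduce the depth of a path").
    A path of G-S never returns to an earlier layer, hence
    depth(G-S) <= num_layers * (stride - 1)."""
    layer = lambda v: (v - 1) // layer_size
    s2 = {v for v, ps in parents.items() if ps and layer(ps[-1]) == layer(v)}
    s1 = {v for v in parents if v % stride == 0}
    return s1 | s2


def layered_attack_summary(n, seed=0):
    """Layers of n^(3/4) nodes and stride n^(1/4), so depth drops from n to <= sqrt(n)
    while |S| stays well below n.  n must be a perfect fourth power."""
    q = round(n ** 0.25)
    if q ** 4 != n:
        raise ValueError("n must be a perfect fourth power")
    parents = argon2i_style_dag(n, seed)
    s = layered_reducing_set(parents, layer_size=q ** 3, stride=q)
    return {"n": n, "e": len(s), "depth_before": depth_without(parents, set()),
            "depth_after": depth_without(parents, s), "bound": q * (q - 1)}


def residue_class_reduction(parents, pebbling, d):
    """The [ABP16] argument: one set S_i per residue class of the step index mod d,
    S_i = P_i ∪ P_(d+i) ∪ P_(2d+i) ∪ ...  The smallest has |S_i| <= CC/d, and every
    path of G - S_i was pebbled inside a window of d steps, so depth(G - S_i) <= d."""
    cc = sum(len(step) for step in pebbling)
    classes = [set().union(*pebbling[i::d]) for i in range(min(d, len(pebbling)))]
    s = min(classes, key=len)
    return {"e": len(s), "cc_over_d": cc / d, "depth": depth_without(parents, s)}


if __name__ == "__main__":
    print(min_reducing_set(EXAMPLE_PARENTS, 2))          # (1, {3})
    print(layered_attack_summary(65536, seed=1))
    print(residue_class_reduction(EXAMPLE_PARENTS, SLIDE_PEBBLING, 2))
```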
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current Recommendation: Argon2id
  • Without side channel attacks: resists known attacks
  • Side channel attacks reduce security to Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
• Depth-robustness is a necessary and sufficient condition for secure iMHFs [AB16], [ABP16]
• Big Challenge: Improved Constructions of Depth-Robust Graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening
Passwords vs time: Look how far we've come
Netscape IPO, Dotcom crash
Source: Cormac's estimate
"The password is dead"
Biometrics
• Alternatives to Passwords
Challenges: Revoke, Secrecy
Hardware Tokens
• Alternatives to Passwords
Challenge: $$$ + more stuff to carry around
Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
Challenge: Multiple Passwords
Graphical Passwords: Hotspots
Password Managers
• Password Management Software
Related Work
• Password Management Software
Challenge: Single point of failure
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working Paper. [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear). [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016. [Full Version]
iMHF Candidates
• Catena [FLW15]
  • Special Recognition at Password Hashing Competition
  • Two Variants: Dragonfly and Double-Butterfly
• Argon2 [BDK15]
  • Winner of the Password Hashing Competition
  • Argon2i (data-independent mode) is recommended for Password Hashing
• Balloon Hashing [BCS16]
  • Newer proposal (three variants in original proposal)
iMHF (f_G,H)
Input: pwd, salt
Nodes 1, 2, 3, 4: L1 = H(pwd, salt), …, L3 = H(L2, L1), …; Output: f_G,H(pwd, salt) = L4
Defined by:
• H: {0,1}^2k → {0,1}^k (Random Oracle)
• DAG G (encodes data-dependencies)
• Maximum indegree δ = O(1)
Evaluating an iMHF (pebbling)
Pebbling Rules: P = P1,…,Pt ⊆ V s.t.
• P_(i+1) ⊆ P_i ∪ { x ∈ V : parents(x) ⊆ P_i } (need dependent values)
• n ∈ P_t (must finish and output L_n)
Same 4-node example: Input pwd, salt; L1 = H(pwd, salt), L3 = H(L2, L1); Output L4
Pebbling Example (nodes 1 2 3 4 5)
P1 = {1}
P2 = {1,2}
P3 = {3}
P4 = {3,4}
P5 = {5}
Pebbling Example (CC)
CC(G) ≤ Σ_(i=1..5) |P_i| = 1 + 2 + 1 + 2 + 1 = 7
Measuring Cost
• Cumulative Complexity (CC): CC(G) = min over pebblings P of Σ_(i=1..t_P) |P_i|
• Amortization [AS15]: CC of two (disjoint) copies of G = 2 × CC(G)
Pebbling Equivalence
Theorem [AS15] (Informal): High pebbling complexity of G implies high amortized memory complexity for the iMHF f_G,H.
Implication: Structure of the graph G is key to iMHF security.
Desiderata
Find a DAG G on n nodes such that
1. Constant Indegree (δ = 2)
2. CC(G) ≥ n²/τ for some small value τ
Maximize costs for fixed n (Users are impatient)
Depth-Robustness: The Key Property
Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Naïve Pebbling Algorithms
• Sequential Algorithm (Naïve)
  • Constraint: One new pebble per round
  • Every iMHF is defined via its Naïve algorithm
• Example: Naïve (Pebble in Topological Order)
  • Never discard pebbles
  • Time: n
  • Average pebbles: n/2
  • ER(Naïve) = Θ(Rn + n²)
Amortized Attack Quality
Quality_R(A) = ER(Naïve) / ER(A) × (number of iMHF instances evaluated by A)
Example: Algorithm A evaluates 5 iMHF instances with total cost ER(A) = 100 and ER(Naïve) = 40.
Quality_R(A) = 40/100 × 5 = 2
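The pebbling rules, the slide's 5-step pebbling with CC ≤ 7, the Naïve topological pebbling and the quality formula, as an added Python example (not the slides' own code). It assumes the 5-node example graph reconstructed from the slide's pebbling sequence, and a cost model in which E_R charges R per pebble placed plus 1 per pebble held per step, which reproduces ER(Naïve) = Θ(Rn + n²).

```python
"""Pebbling an iMHF graph: legality of a pebbling, cumulative complexity (CC),
energy cost E_R and amortized attack quality.

Added example, not code from the slides. Assumptions: nodes are 1..n and node n
is the output; the 5-node example graph is reconstructed from the slide's
pebbling sequence; E_R charges R per pebble placed (one hash evaluation) plus 1
per pebble held per step, which gives ER(Naive) = Theta(R*n + n^2)."""

EXAMPLE_PARENTS = {1: [], 2: [1], 3: [1, 2], 4: [3], 5: [3, 4]}  # reconstructed
SLIDE_PEBBLING = [{1}, {1, 2}, {3}, {3, 4}, {5}]                # from the slides


def is_legal_pebbling(parents, pebbling):
    """Rules from the slides: P_(i+1) ⊆ P_i ∪ {x : parents(x) ⊆ P_i} and n ∈ P_t."""
    if not pebbling:
        return False
    prev = set()
    for step in pebbling:
        for v in step:
            if v not in parents:
                return False
            if v not in prev and not set(parents[v]) <= prev:
                return False  # pebble placed before its inputs were available
        prev = set(step)
    return max(parents) in prev


def cumulative_cost(pebbling):
    """Σ_i |P_i|: the quantity that CC(G) minimizes over all legal pebblings."""
    return sum(len(step) for step in pebbling)


def energy_cost(pebbling, R):
    """E_R(P) = R * (#pebbles placed, i.e. hash evaluations) + Σ_i |P_i|.
    A pebble that is discarded and later recomputed is charged R again."""
    placed, prev = 0, set()
    for step in pebbling:
        placed += len(step - prev)
        prev = set(step)
    return R * placed + cumulative_cost(pebbling)


def naive_pebbling(parents):
    """Sequential Naive algorithm: one pebble per round in topological order,
    never discarding, so P_i = {1, ..., i}: time n and n(n+1)/2 cumulative cost."""
    nodes = sorted(parents)
    return [set(nodes[:i]) for i in range(1, len(nodes) + 1)]


def quality(er_naive, er_attack, instances):
    """Quality_R(A) = ER(Naive) / ER(A) × (number of iMHF instances A evaluated)."""
    return er_naive / er_attack * instances


if __name__ == "__main__":
    print(is_legal_pebbling(EXAMPLE_PARENTS, SLIDE_PEBBLING), cumulative_cost(SLIDE_PEBBLING))  # True 7
    print(cumulative_cost(naive_pebbling(EXAMPLE_PARENTS)))  # 15
    print(quality(40, 100, 5))  # 2.0
```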
Desiderata
Find a DAG G and a sequential pebbling algorithm N with
1. Constant Indegree (δ = 2)
2. Quality_R(A) ≤ c for every adversary A (c small)
3. ER(Naïve) ≥ n²/τ + Rn for some small value τ
Memory costs should dominate. Maximize costs for fixed n (Users are impatient).
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with
1. Constant Indegree (δ = 2)
2. Quality_R(A) ≤ c for every adversary A (c small)
3. ER(Naïve) ≥ n²/τ + Rn for τ = O(1)
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General Attack on Non Depth Robust DAGs
  • Existing iMHFs are not Depth Robust
  • Ideal iMHFs don't exist
• Subsequent Results (Depth-Robustness is Sufficient)
• Open Questions
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Memory Costs Equitable Across Architectures
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
• Balloon Hashing [BCS16]: newer proposal (three variants in the original proposal)
iMHF ($f_{G,H}$)

Input: (pwd, salt). Output: $f_{G,H}(\mathrm{pwd}, \mathrm{salt}) = L_4$, the label of the sink of a 4-node DAG (figure not reproduced). Each label is the hash of the labels of the node's parents, e.g. $L_1 = H(\mathrm{pwd}, \mathrm{salt})$ and $L_3 = H(L_2, L_1)$.

Defined by:
• $H: \{0,1\}^{2k} \to \{0,1\}^k$ (modelled as a random oracle)
• a DAG $G$ (encodes the data dependencies)
• maximum indegree $\delta = O(1)$

Evaluating an iMHF (pebbling)

Pebbling rules: a (parallel) pebbling of $G$ is a sequence $P = (P_1, \dots, P_t)$ with $P_i \subseteq V$ such that
• $P_{i+1} \subseteq P_i \cup \{x \in V : \mathrm{parents}(x) \subseteq P_i\}$ (a label can only be computed once the labels it depends on are in memory), and
• $n \in P_t$ (the pebbling must finish by outputting $L_n$).
Pebbling Example

The running example is a DAG on the nodes 1, …, 5 (figure not reproduced; edges consistent with the pebbling below: $1 \to 2$, $1 \to 3$, $2 \to 3$, $3 \to 4$, $3 \to 5$, $4 \to 5$). One legal pebbling, placing one new pebble per round and discarding pebbles that are no longer needed:

$P_1 = \{1\}$, $P_2 = \{1, 2\}$, $P_3 = \{3\}$, $P_4 = \{3, 4\}$, $P_5 = \{5\}$.

Pebbling Example (CC)

This pebbling gives an upper bound on the cumulative complexity of the graph:
$$CC(G) \le \sum_{i=1}^{5} |P_i| = 1 + 2 + 1 + 2 + 1 = 7.$$
Measuring Cost

• Cumulative Complexity (CC): the minimum, over all legal pebblings $P = (P_1, \dots, P_{t_P})$ of $G$, of the number of pebbles on the graph summed over all rounds:
$$CC(G) = \min_{P} \sum_{i=1}^{t_P} |P_i|.$$
• Amortization [AS15]: CC is additive over independent instances, $CC(G \cup G) = 2 \cdot CC(G)$ for two disjoint copies of $G$, so evaluating many instances (e.g. many password guesses) costs proportionally more: there is no amortization across guesses.
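As an added example (not from the slides): the pebbling rules, the cumulative cost of a given pebbling, the naïve sequential pebbling and an exact brute-force computation of $CC(G)$, run on the 5-node example. The example DAG's edges are an assumption reconstructed from the pebbling $P_1, \dots, P_5$ above; the exact search enumerates pebble configurations and is exponential in $n$, so it is only meant for toy graphs.

```python
"""Graph pebbling on the slides' 5-node example: legality check, cumulative cost
of a given pebbling, the naive sequential pebbling, and the exact cumulative
complexity CC(G) by shortest-path search over pebble configurations."""
import heapq
from itertools import combinations

# Constructed example graph (assumption): the slides' 5-node DAG, reconstructed
# from the pebbling P1..P5 shown there.  EXAMPLE[x] lists the parents of node x.
EXAMPLE = {1: [], 2: [1], 3: [1, 2], 4: [3], 5: [3, 4]}

# The pebbling from the slides: one new pebble per round, discarding what is no
# longer needed.
SLIDE_PEBBLING = [{1}, {1, 2}, {3}, {3, 4}, {5}]


def is_legal(parents, pebbling):
    """Pebbling rules: P_{i+1} ⊆ P_i ∪ {x : parents(x) ⊆ P_i}, starting from the
    empty configuration, and the sink (largest node) must be pebbled at the end."""
    prev = frozenset()
    for cur in pebbling:
        cur = frozenset(cur)
        # every newly placed pebble needs all its parents pebbled one round earlier
        if any(not set(parents[x]) <= prev for x in cur - prev):
            return False
        prev = cur
    return max(parents) in prev


def cumulative_cost(pebbling):
    """Cumulative (memory) cost of one pebbling: sum over rounds of |P_i|."""
    return sum(len(p) for p in pebbling)


def naive_pebbling(parents):
    """Honest sequential evaluation: pebble in topological (node) order and never
    discard, so round i holds i pebbles and the total cost is n(n+1)/2."""
    n = len(parents)
    return [frozenset(range(1, i + 1)) for i in range(1, n + 1)]


def _subsets(items):
    items = sorted(items)
    for r in range(len(items) + 1):
        for c in combinations(items, r):
            yield frozenset(c)


def cumulative_complexity(parents):
    """Exact CC(G) = min over legal pebblings of sum_i |P_i|, as a shortest path
    over pebble configurations where moving to configuration Q costs |Q|.
    Dijkstra applies because every move costs at least 1.  Exponential in n."""
    sink = max(parents)
    start = frozenset()
    best = {start: 0}
    heap = [(0, 0, start)]
    counter = 1  # tie-breaker so heapq never has to compare frozensets
    while heap:
        cost, _, cfg = heapq.heappop(heap)
        if cost > best[cfg]:
            continue
        if sink in cfg:
            return cost  # first time the sink is popped is the optimum
        placeable = [x for x in parents if x not in cfg and set(parents[x]) <= cfg]
        # next configuration: keep any subset of cfg, add any subset of placeable
        for kept in _subsets(cfg):
            for added in _subsets(placeable):
                nxt = kept | added
                if not nxt or (not added and kept == cfg):
                    continue  # empty or idle rounds only add cost
                new_cost = cost + len(nxt)
                if new_cost < best.get(nxt, float("inf")):
                    best[nxt] = new_cost
                    heapq.heappush(heap, (new_cost, counter, nxt))
                    counter += 1
    raise ValueError("sink unreachable")


if __name__ == "__main__":
    assert is_legal(EXAMPLE, SLIDE_PEBBLING)
    print("slide pebbling cost:", cumulative_cost(SLIDE_PEBBLING))
    print("naive cost:", cumulative_cost(naive_pebbling(EXAMPLE)))
    print("CC(G):", cumulative_complexity(EXAMPLE))
```

Running it reports a cost of 7 for the slide pebbling, 15 for the naïve pebbling and 7 for $CC(G)$, so the pebbling on the slide is optimal for this graph: node 3 forces a round holding both 1 and 2, and node 5 forces a round holding both 3 and 4.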
Pebbling Equivalence

Theorem [AS15] (informal): high pebbling complexity of $G$ implies high amortized memory complexity for the iMHF $f_{G,H}$ (with $H$ modelled as a random oracle).

Implication: the structure of the graph $G$ is the key to iMHF security.
Desiderata

Find a DAG $G$ on $n$ nodes such that
1. constant indegree ($\delta = 2$), and
2. $CC(G) \ge n^2 / \tau$ for some small value $\tau$.

Maximize costs for fixed $n$ (users are impatient, so the number of hash calls in the honest evaluation cannot grow).

Depth-Robustness: The Key Property

Necessary [AB16] and sufficient [ABP16] for secure iMHFs.
Naïve Pebbling Algorithms

• Sequential algorithm (naïve): constraint of one new pebble per round. Every iMHF is defined via its naïve algorithm (the honest evaluation).
• Example, naïve: pebble in topological order and never discard pebbles. Time $n$; average number of pebbles $n/2$; energy cost $ER(\text{Naïve}) = \Theta(Rn + n^2)$, where $R$ is the (architecture-dependent) cost of one hash evaluation relative to holding one label in memory for one round.
Amortized Attack Quality

$$\mathrm{Quality}_R(A) = \frac{ER(\text{Naïve})}{ER(A)} \times \#\mathrm{inst}(A),$$

i.e. how many naïve evaluations the attacker gets for the price of one, where $\#\mathrm{inst}(A)$ is the number of iMHF instances that $A$ evaluates.

Example: algorithm $A$ evaluates 5 iMHF instances with total cost $ER(A) = 100$, and $ER(\text{Naïve}) = 40$:
$$\mathrm{Quality}_R(A) = \frac{40}{100} \times 5 = 2.$$
Desiderata

Find a DAG $G$ and a sequential pebbling algorithm $N$ with
1. constant indegree ($\delta = 2$);
2. $\mathrm{Quality}_R(A) \le c$ for every adversary $A$ ($c$ small);
3. $ER(\text{Naïve}) \ge n^2 / \tau + Rn$ for some small value $\tau$.

Memory costs should dominate (condition 3), and costs should be maximized for fixed $n$ (users are impatient).

c-Ideal iMHF

A DAG $G$ and a sequential pebbling algorithm $N$ meeting the desiderata with $\tau = O(1)$:
1. constant indegree ($\delta = 2$);
2. $\mathrm{Quality}_R(A) \le c$ for every adversary $A$ ($c$ small);
3. $ER(\text{Naïve}) \ge n^2 / \tau + Rn$ for $\tau = O(1)$.
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our attacks
  • General attack on non-depth-robust DAGs
  • Existing iMHFs are not depth robust
  • Ideal iMHFs don't exist
• Subsequent results (depth-robustness is sufficient)
• Open questions
Depth Robustness

Definition: a DAG $G = (V, E)$ is $(e, d)$-reducible if there exists $S \subseteq V$ with $|S| \le e$ and $\mathrm{depth}(G - S) \le d$ (depth measured as the number of nodes on the longest directed path). Otherwise we say that $G$ is $(e, d)$-depth robust.

Example: the 5-node example graph is $(1, 2)$-reducible. Removing the single node 3 ($S = \{3\}$) leaves only the edges $1 \to 2$ and $4 \to 5$, so every remaining path has at most 2 nodes.
Attacking (e,d)-reducible DAGs

• Input: $S$ with $|S| \le e$ such that $\mathrm{depth}(G - S) \le d$, and a block length $g > d$.
• Light phase ($g$ rounds): discard most pebbles.
  • Goal: pebble the next $g$ nodes in $g$ (sequential) steps.
  • Low memory: only keep pebbles on $S$ and on the parents of the new nodes.
  • Lasts a "long" time.
• Balloon phase ($d$ rounds): greedily recover the missing pebbles.
  • Goal: recover the pebbles needed for the upcoming light phase.
  • Expensive but quick: at most $d$ steps in parallel, since $S$ is never discarded and every node of $G - S$ sits at depth at most $d$ above the pebbles that are kept.

Theorem (depth-robustness is a necessary condition): if $G$ is not $(e, d)$-depth robust, then
$$CC(G) = O\!\left(en + \sqrt{n^3 d}\right).$$
In particular $CC(G) = o(n^2)$ whenever $e, d = o(n)$.
Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs? Answer: no.
• Catena [FLW15] is $(e, O(n/e))$-reducible, giving $CC = O(n^{1.62})$.
• Balloon Hashing and Argon2i (old version) are $(e, O(n^2/e^2))$-reducible, giving $CC = O(n^{1.71})$.
• Argon2i (latest version) is $(e, O(n^3/e^3))$-reducible, giving $CC = O(n^{1.77})$.
• Similar picture for most other iMHF candidates [AGKKOPRRR16].
Argon2i [BDK]

• Argon2: winner of the Password Hashing Competition (2015).
• The authors recommend the Argon2i variant (data-independent) for password hashing.

Argon2i's DAG: the nodes $1, 2, 3, 4, \dots, i, \dots, n$ form a line (figure not reproduced). Node $i$ has two parents, the previous node $i - 1$ and a random predecessor $r(i) < i$ chosen by an input-independent pseudorandom rule, so the indegree is $\delta = 2$.
Argon2i: Reducing the Depth to $\sqrt{n}$

Split the nodes into $\sqrt[4]{n}$ consecutive layers of $n^{3/4}$ nodes each (figure not reproduced): layer 0 is $1, 2, 3, \dots, n^{3/4}$, layer 1 ends at node $2n^{3/4}$, and so on until layer $\sqrt[4]{n}$, which ends at node $n$.

Definition: $S_2 = \{v_i : v_{r(i)} \text{ and } v_i \text{ lie in the same layer}\}$.

Claim: $|S_2|$ is small, since a random predecessor $r(i)$ drawn from $1, \dots, i-1$ rarely lands in $v_i$'s own layer of $n^{3/4}$ nodes once $i \gg n^{3/4}$. After removing $S_2$, every surviving random edge $r(i) \to i$ leads from a layer to a strictly later one.

Fact: it is easy to reduce the depth of a path. Deleting every $k$-th node of $1 \to 2 \to \cdots \to n$ leaves only runs of fewer than $k$ consecutive nodes. Let $S_1$ be the deleted chain nodes, with $k = \sqrt[4]{n}$.

Argon2i is a layered DAG (almost): in $G - S_2$ a path can move within a layer only along chain edges, and in $G - S_1$ such a walk is cut off after fewer than $\sqrt[4]{n}$ nodes, so a path visits at most $\sqrt[4]{n}$ layers and spends fewer than $\sqrt[4]{n}$ steps in each.

Let $S = S_1 \cup S_2$. Then $\mathrm{depth}(G - S) \le \sqrt[4]{n} \cdot \sqrt[4]{n} = \sqrt{n}$, with $|S_1| \approx n^{3/4}$ chain nodes plus the small set $S_2$.
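As an added example (not from the slides and not the Argon2i reference code), covering both the light/balloon attack on an $(e,d)$-reducible DAG above and the layered depth reduction of Argon2i just described: it builds an Argon2i-like DAG (assumption: uniform random predecessors, a stand-in for Argon2i's skewed index function), constructs $S = S_1 \cup S_2$, checks $\mathrm{depth}(G - S)$ against the layer bound, and runs the attack while checking the pebbling rule in every round. The parameters ($n = 1024$, layers of 128 nodes, every 4th chain node deleted, block length $g = 128$), the random seed and the depth convention (nodes on a path) are choices made here.

```python
"""Depth reduction of an Argon2i-style DAG (layered S = S1 ∪ S2) and the
light/balloon pebbling attack on the resulting (e,d)-reducible graph."""
import random


def argon2i_like_dag(n, seed=1):
    """Constructed stand-in for the single-pass Argon2i DAG on nodes 1..n
    (assumption: node i depends on i-1 and on a uniformly random r(i) < i; real
    Argon2i draws r(i) from a skewed distribution, which changes nothing below)."""
    rng = random.Random(seed)
    parents = {1: []}
    for i in range(2, n + 1):
        r = rng.randint(1, i - 1)
        parents[i] = [i - 1] if r == i - 1 else [i - 1, r]
    return parents


def depth(parents, removed=frozenset()):
    """Nodes on the longest directed path of G - removed (convention assumed:
    a lone node has depth 1).  Node numbers are a topological order."""
    longest, best = {}, 0
    for v, ps in parents.items():
        if v in removed:
            continue
        longest[v] = 1 + max((longest[p] for p in ps if p not in removed), default=0)
        best = max(best, longest[v])
    return best


def layered_reducing_set(parents, layer_size, gap):
    """S = S1 ∪ S2 as on the slides.  S1 = every gap-th node: the chain i-1 -> i
    falls apart into runs of at most gap-1 nodes.  S2 = nodes whose random parent
    lies in their own layer of layer_size consecutive nodes: afterwards every
    surviving random edge jumps to a strictly later layer.  A path in G - S can
    therefore spend at most gap-1 nodes in each of the n/layer_size layers."""
    def layer(v):
        return (v - 1) // layer_size
    s = set()
    for v, ps in parents.items():
        if v % gap == 0 or any(p != v - 1 and layer(p) == layer(v) for p in ps):
            s.add(v)
    return frozenset(s)


def attack_pebbling(parents, s, g, d):
    """Light/balloon attack on an (e,d)-reducible DAG, given S with depth(G-S) <= d
    and a block length g >= d.  Each block of g consecutive nodes is pebbled one node
    per round while keeping only S and the block's parents (light phase); in the
    block's last d rounds every earlier node whose parents are pebbled is re-pebbled
    in parallel (balloon phase).  Because depth(G-S) <= d and S is never dropped,
    d such rounds restore every pebble below the next block."""
    assert d <= g and depth(parents, s) <= d
    n = len(parents)
    rounds, cur = [], frozenset()
    for start in range(1, n + 1, g):
        block = range(start, min(start + g, n + 1))
        needed = {p for v in block for p in parents[v] if p < start}
        cur = frozenset(v for v in cur if v in s or v in needed)  # discard the rest
        for j, v in enumerate(block):
            assert set(parents[v]) <= cur, "pebbling rule violated"
            nxt = set(cur)
            nxt.add(v)  # light phase: one new pebble per round
            if start + g <= n and j >= len(block) - d:  # balloon phase
                nxt.update(u for u in range(1, start)
                           if u not in cur and set(parents[u]) <= cur)
            cur = frozenset(nxt)
            rounds.append(cur)
    assert n in cur
    return rounds


def cumulative_cost(rounds):
    """Sum over rounds of the number of pebbles held."""
    return sum(len(p) for p in rounds)


def demo(n=1024, layer_size=128, gap=4, g=128):
    """Run the whole pipeline on the constructed graph; returns
    (|S|, depth(G), depth(G-S), attack cost, naive cost n(n+1)/2)."""
    parents = argon2i_like_dag(n)
    s = layered_reducing_set(parents, layer_size, gap)
    d = depth(parents, s)
    cost = cumulative_cost(attack_pebbling(parents, s, g, d))
    return len(s), depth(parents), d, cost, n * (n + 1) // 2


if __name__ == "__main__":
    print("|S|=%d depth(G)=%d depth(G-S)=%d attack=%d naive=%d" % demo())
```

With these parameters the chain gives $\mathrm{depth}(G) = n = 1024$, while $\mathrm{depth}(G - S) \le 8 \cdot 3 = 24$ (8 layers, at most 3 surviving chain nodes per layer). At this toy size $|S|$ is a sizeable fraction of $n$, so the attack's cost is of the same order as the naïve $n(n+1)/2$ rather than below it; the saving the theorem promises only appears when $e, d = o(n)$, i.e. at the memory sizes real deployments use. What the run does show is the mechanism: memory drops to $|S| + O(g)$ during the light phases and balloons back to about $n$ for only $d$ rounds per block, and the bound $n(|S| + 3g) + (n/g) \cdot d \cdot n$ on the total holds.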
Attack Simulation [AB16b]

The attack on Argon2i-B is practical even for pessimistic parameter ranges (the brown line in the simulation plot, not reproduced here).

Pessimistic Argon2i-B parameter: a parameter setting that could easily be chosen when following the Argon2i-B guidelines.
Ideal iMHFs Don't Exist

Theorem [AB16]: any DAG $G$ with constant indegree is at least somewhat depth-reducible.

Implication: if $CC(G) = \Omega(n^2)$, there is an attack $A$ with high quality,
$$\mathrm{Quality}_R(A) = \Omega\!\left(\frac{\log n}{\log \log n}\right).$$

But we cannot rule ideal iMHFs out in practice: $\log n / \log \log n$ is a small number for the values of $n$ actually used.
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (new)
  • Depth-robustness is sufficient
• Conclusions and open questions
Depth-Robustness is Sufficient [ABP16]

Key Theorem: let $G = (V, E)$ be $(e, d)$-depth robust. Then $CC(G) \ge e \cdot d$.

Proof: let $P_1, \dots, P_t$ denote an (optimal) pebbling of $G$, so $\sum_j |P_j| = CC(G)$. For $1 \le i \le d$ define
$$S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$$
Each round $P_j$ contributes to exactly one $S_i$ (the one with $i \equiv j \pmod d$), so $\sum_{i=1}^{d} |S_i| \le CC(G)$ and one of the sets $S_i$ has size at most $CC(G)/d$. Now we claim that $\mathrm{depth}(G - S_i) \le d$. Take any path $v_1 \to v_2 \to \cdots \to v_k$ in $G - S_i$. Every node is pebbled at some point (as in all the iMHF DAGs here, every node is an ancestor of the output node $n$), and a pebble can be placed on $v_{j+1}$ only in a round in which $v_j$ already carries a pebble. Choose $t_k$ as a round in which $v_k$ is pebbled and, going backwards, $t_j$ as the round in which the pebble sitting on $v_j$ at round $t_{j+1} - 1$ was placed; then $t_1 < t_2 < \cdots < t_k$ and at every round in $[t_1, t_k]$ some node of the path carries a pebble. If $k > d$, this interval contains a round of the form $md + i$, and the path node pebbled in that round would belong to $S_i$, a contradiction. Thus $G$ is $(CC(G)/d,\ d)$-reducible; since $G$ is $(e, d)$-depth robust, $CC(G)/d \ge e$, i.e. $CC(G) \ge e \cdot d$. □

Implications: there exists a constant-indegree graph $G$ with
$$CC(G) \ge \Omega\!\left(\frac{n^2}{\log n}\right).$$
Previous best [AS15]: $\Omega\!\left(\frac{n^2}{\log^{10} n}\right)$. By [AB16] we cannot do better (in an asymptotic sense).
Summary

• BCRYPT and PBKDF2 are no longer sufficient for password hashing.
• Argon2i is an improvement over BCRYPT and PBKDF2, but still has its flaws [AB16, AB17].
• Current recommendation: Argon2id.
  • Without side-channel attacks it resists the known attacks.
  • Side-channel attacks reduce its security to that of Argon2i.
• Look for improvements in the near future using depth-robust graphs [ABP17].

Conclusions

• Depth-robustness is necessary and sufficient for secure iMHFs [AB16, ABP16].
• Big challenge: improved constructions of depth-robust graphs. We already have constructions in theory [EGS77, PR80, …], but constants matter.
Thanks for Listening
Passwords vs Time: Look How Far We've Come

(Chart, not reproduced: growth of passwords per user over time, built from internet-user counts 1990–2010 and estimated accounts per year, with the Netscape IPO and the dotcom crash marked. Source: Cormac's estimate.)

"The password is dead"

Biometrics
• Alternative to passwords. Challenges: revocation (a compromised biometric cannot be changed) and secrecy (a biometric is not a secret).

Hardware Tokens
• Alternative to passwords. Challenge: $$$ plus more stuff to carry around.

Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8 (picture password).
• Challenge: multiple passwords.
• Challenge: hotspots (users click on the same predictable points in an image, which shrinks the effective password space).

Password Managers
• Password management software. Challenge: single point of failure.
References

• Depth-Robust Graphs and Their Cumulative Memory Complexity (with Joel Alwen and Krzysztof Pietrzak). EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling (with Samson Zhou). Working paper. [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing (with Joel Alwen). EuroS&P 2017 (to appear). [ePrint]
• Efficiently Computing Data-Independent Memory-Hard Functions (with Joel Alwen). CRYPTO 2016. [Full Version]
(Spreadsheet data behind the "Passwords vs time" chart, not reproduced: series "Everybody"; columns DATE, NUMBER OF USERS, WORLD POPULATION, INFORMATION SOURCE and accts/yr, one row per date from December 1990 to September 2010, with figures sourced from IDC, CI Almanac, Nua Ltd and Internet World Stats.)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
iMHF (fGH)
12
3
4Output fGH (pwdsalt)= L4
Input pwd salt
1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)
Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)
bull Maximum indegree 120575120575 = O 1
1
Evaluating an iMHF (pebbling)
Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)
12
3
4 Output L4Inputpwd salt
1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)
1
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
-reducible
119862119862119862119862 = 119874119874 119894119894162
bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992
1198901198902-reducible
119862119862119862119862 = 119874119874 119894119894171
bull Argon2i (latest version) is 119890119890 119874119874 1198991198993
1198901198903-reducible
119862119862119862119862 = 119874119874 119894119894177
bull Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
bull Argon2 Winner of the password hashing competition[2015]
bull Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
1 2 3 4 ihellip n
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i: Reducing depth to $\sqrt{n}$

[Figure: the nodes 1, 2, 3, …, n split into $\sqrt[4]{n}$ consecutive layers of $n^{3/4}$ nodes each: Layer 0 = 1 … $n^{3/4}$, Layer 1 = … $2n^{3/4}$, …, Layer $\sqrt[4]{n}$ ending at n]

Definition: $S_2 = \{\, v_i : v_{r(i)} \text{ and } v_i \text{ lie in the same layer} \,\}$

Claim: $S_2$ is small

Fact: Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

[Same layered figure, with the edges +2, +3, … marked]

Let $S = S_1 \cup S_2$
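The layered depth reduction above, as an added worked example (my code, not the slides' or the Argon2 authors'): it builds a small Argon2i-style DAG with a fixed seed, removes $S = S_1 \cup S_2$ with $S_2$ exactly as defined on the slide and $S_1$ assumed to be every k-th node (which cuts the sequential path into short runs), and measures how far the depth drops. It generalizes the $n^{3/4}$-layer picture to arbitrary layer sizes; `layer_of`, `chain_breakers`, `reduce_depth` and the parameter `k` are my names.

```python
"""Depth-reducibility check for an Argon2i-style DAG.

Added illustration (not the slides' or the Argon2 authors' code). As on the
slides, node i has a sequential edge from i-1 and one random predecessor
r(i) < i, so the indegree is 2; S2 is the slides' definition (nodes whose
random parent lies in their own layer). S1 is my assumption: every k-th node,
which cuts the sequential path into runs shorter than k.
"""
import random
from typing import Dict, Iterable, Set, Tuple


def argon2i_like_dag(n: int, seed: int = 0) -> Dict[int, int]:
    """Map node i (2..n) to its random predecessor r(i), uniform in [1, i-1]."""
    rng = random.Random(seed)  # fixed seed: a constructed, reproducible sample graph
    return {i: rng.randint(1, i - 1) for i in range(2, n + 1)}


def depth(n: int, rand_parent: Dict[int, int], removed: Iterable[int] = ()) -> int:
    """Number of nodes on the longest path of G - S (0 if every node is removed).

    Nodes are numbered in topological order (all parents of v are < v), so a
    single left-to-right dynamic-programming pass suffices.
    """
    gone = set(removed)
    longest: Dict[int, int] = {}
    for v in range(1, n + 1):
        if v in gone:
            continue
        best = 0
        for p in (v - 1, rand_parent.get(v)):
            if p is not None and p >= 1 and p not in gone:
                best = max(best, longest[p])
        longest[v] = best + 1
    return max(longest.values(), default=0)


def layer_of(v: int, layer_size: int) -> int:
    """Layer j holds the consecutive nodes j*layer_size + 1 .. (j+1)*layer_size."""
    return (v - 1) // layer_size


def same_layer_set(rand_parent: Dict[int, int], layer_size: int) -> Set[int]:
    """S2 = { v_i : v_{r(i)} and v_i are in the same layer } (the slides' definition)."""
    return {v for v, r in rand_parent.items()
            if layer_of(v, layer_size) == layer_of(r, layer_size)}


def chain_breakers(n: int, k: int) -> Set[int]:
    """S1 (assumed): nodes k, 2k, 3k, ...; afterwards no sequential run exceeds k-1 nodes."""
    return set(range(k, n + 1, k))


def naive_cc(n: int) -> int:
    """Cost of the naive pebbling (topological order, never discard): sum_{i<=n} |P_i|."""
    return n * (n + 1) // 2


def reduce_depth(n: int, layer_size: int, k: int, seed: int = 0) -> Tuple[int, int]:
    """Return (|S|, depth(G - S)) for S = S1 u S2 on a sample Argon2i-style DAG.

    Every surviving random edge now jumps to a strictly later layer and every
    sequential run has fewer than k nodes, so depth(G - S) <= (#layers) * (k - 1).
    """
    r = argon2i_like_dag(n, seed)
    s = chain_breakers(n, k) | same_layer_set(r, layer_size)
    return len(s), depth(n, r, s)


if __name__ == "__main__":
    n, layer_size, k = 4096, 512, 8  # 8 layers of 512 nodes, runs of at most 7 nodes
    e, d = reduce_depth(n, layer_size, k)
    print(f"n={n}: |S|={e}, depth(G)={depth(n, argon2i_like_dag(n))}, "
          f"depth(G-S)={d} (bound {-(-n // layer_size) * (k - 1)}), naive CC={naive_cc(n)}")
```

With n = 4096, 512-node layers and k = 8 the removed set S is well under half of the nodes, yet the depth falls from 4096 to at most 8 · 7 = 56: once the random edges into S2 are gone, a path can change layer only by moving strictly forward, so it consists of at most one short sequential run per layer. A small S with a small depth(G − S) is exactly what the light/balloon pebbling of the earlier slide exploits, so a designer can run this kind of check on a candidate DAG before trusting its memory cost.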
Attack Simulation [AB16b]

[Figure: simulated attack quality against Argon2i-B across parameter ranges; the brown line is the pessimistic parameter setting]

Attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon2i-B parameter: a parameter setting that could easily be chosen when following the Argon2i-B guidelines
Ideal iMHFs Don't Exist

Thm [AB16]: Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication: If $CC(G) = \Omega(n^2)$ there is an attack A with high quality:
$\mathrm{Quality}_R(A) = \Omega\!\left(\frac{\log n}{\log\log n}\right)$

But we cannot rule them out in practice
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let G=(V,E) be (e,d)-depth robust; then $CC(G) \ge e \cdot d$.

Proof: Let $P_1, \ldots, P_t$ denote an (optimal) pebbling of G. For $0 < i < d$ define $S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$. One of the sets $S_i$ has size at most $CC(G)/d$. Now we claim that $d \ge \mathrm{depth}(G - S_i)$, because any path in $G - S_i$ must have been completely pebbled at some point; thus it must have been pebbled entirely during some interval of length d. Thus G is $(CC(G)/d,\, d)$-reducible. It follows that $CC(G) \ge e \cdot d$.
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let G=(V,E) be (e,d)-depth robust; then $CC(G) \ge e \cdot d$.

Implications: There exists a constant-indegree graph G with $CC(G) \ge \Omega\!\left(\frac{n^2}{\log n}\right)$

Previous Best [AS15]: $\Omega\!\left(\frac{n^2}{\log^{10} n}\right)$

[AB16]: We cannot do better (in an asymptotic sense)
Summary

• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But it still has its flaws [AB16, AB17]
• Current Recommendation: Argon2id
  • Without side-channel attacks: resists known attacks
  • Side-channel attacks reduce its security to that of Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

• Depth-robustness is necessary and sufficient for secure iMHFs [AB16] [ABP16]
• Big Challenge: Improved Constructions of Depth-Robust Graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening

Passwords vs time: Look how far we've come

[Figure: timeline chart with the Netscape IPO and the Dotcom crash marked]
Source: Cormac's estimate

"The password is dead"

Biometrics
• Alternatives to Passwords
Challenges: Revoke, Secrecy

Hardware Tokens
• Alternatives to Passwords
Challenge: $$$ + more stuff to carry around

Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
Challenge: Multiple Passwords

Graphical Passwords: Hotspots

Password Managers
• Password Management Software
Challenge: Single point of failure

Related Work
References

• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. (Working Paper) [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear). [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016. [Full Version]
[Embedded spreadsheet behind the "Passwords vs time" chart: internet users and world population by date, December 1990 to September 2010 (sources: IDC, CI Almanac, Nua Ltd, Internet World Stats); the column layout did not survive extraction.]
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
iMHF Candidates

• Catena [FLW15]
  • Special Recognition at Password Hashing Competition
  • Two Variants: Dragonfly and Double-Butterfly
• Argon2 [BDK15]
  • Winner of the Password Hashing Competition
  • Argon2i (data-independent mode) is recommended for Password Hashing
• Balloon Hashing [BCS16]
  • Newer proposal (three variants in original proposal)
iMHF ($f_{G,H}$)

[Figure: DAG on nodes 1, 2, 3, 4; node i holds the label $L_i$]
Input: pwd, salt
$L_1 = H(\text{pwd}, \text{salt})$
$L_3 = H(L_2, L_1)$
Output: $f_{G,H}(\text{pwd}, \text{salt}) = L_4$

Defined by
• $H: \{0,1\}^{2k} \to \{0,1\}^{k}$ (Random Oracle)
• DAG G (encodes data-dependencies)
  • Maximum indegree $\delta = O(1)$
Evaluating an iMHF (pebbling)

Pebbling Rules: $P = (P_1, \ldots, P_t)$ with each $P_i \subseteq V$, such that
• $P_{i+1} \subseteq P_i \cup \{x \in V : \text{parents}(x) \subseteq P_i\}$ (a pebble may be placed on x only while all parents of x are pebbled: the dependent values must be in memory)
• $n \in P_t$ (must finish and output $L_n$)

[Figure: the same 4-node DAG; Input: pwd, salt; $L_1 = H(\text{pwd}, \text{salt})$, $L_3 = H(L_2, L_1)$; Output: $L_4$]
Pebbling Example

[Figure: DAG on nodes 1, 2, 3, 4, 5]
$P_1 = \{1\}$
$P_2 = \{1, 2\}$
$P_3 = \{3\}$
$P_4 = \{3, 4\}$
$P_5 = \{5\}$

Pebbling Example (CC)

$CC(G) \le \sum_{i=1}^{5} |P_i| = 1 + 2 + 1 + 2 + 1 = 7$
Measuring Cost

• Cumulative Complexity (CC)
  $CC(G) = \min_{P} \sum_{i=1}^{t_P} |P_i|$ (minimum over all legal pebblings P of G)
• Amortization [AS15]: CC adds up over independent instances, $CC(G \cup G) = 2 \times CC(G)$ for two disjoint copies of G
Pebbling Equivalence

Theorem [AS15] (informal): High pebbling complexity of G implies high amortized memory complexity for the iMHF $f_{G,H}$

Implication: Structure of the graph G is key to iMHF security
Desiderata

Find a DAG G on n nodes such that
1. Constant Indegree ($\delta = 2$)
2. $CC(G) \ge n^2/\tau$ for some small value $\tau$

Maximize costs for fixed n (Users are impatient)
Depth-Robustness: The Key Property

Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Naïve Pebbling Algorithms

• Sequential Algorithm (Naïve)
  • Constraint: One new pebble per round
  • Every iMHF is defined via its Naïve algorithm
• Example: Naïve (Pebble in Topological Order)
  • Never discard pebbles
  • Time: n
  • Average pebbles: n/2
  • $ER(\text{Naïve}) = \Theta(Rn + n^2)$, where $ER_R$ charges $\sum_i |P_i|$ for memory plus R for every pebble placed (one hash evaluation)
Amortized Attack Quality

$\text{Quality}_R(A) = \dfrac{ER(\text{Naïve})}{ER(A)} \times \#\text{inst}(A)$

Example: Algorithm A evaluates 5 iMHF instances with total cost $ER(A) = 100$, and $ER(\text{Naïve}) = 40$ for one instance:
$\text{Quality}_R(A) = \dfrac{40}{100} \times 5 = 2$
Desiderata

Find a DAG G and a sequential pebbling algorithm N with
1. Constant Indegree ($\delta = 2$)
2. $\text{Quality}_R(A) \le c$ for every adversary A (c small)
3. $ER(\text{Naïve}) \ge n^2/\tau + Rn$ for some small value $\tau$

Memory costs should dominate. Maximize costs for fixed n (Users are impatient).
c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with
1. Constant Indegree ($\delta = 2$)
2. $\text{Quality}_R(A) \le c$ for every adversary A (c small)
3. $ER(\text{Naïve}) \ge n^2/\tau + Rn$ for $\tau = O(1)$
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General Attack on Non Depth Robust DAGs
  • Existing iMHFs are not Depth Robust
  • Ideal iMHFs don't exist
• Subsequent Results (Depth-Robustness is Sufficient)
• Open Questions
Depth-Robustness: The Key Property

Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Depth Robustness

Definition: A DAG G = (V, E) is (e,d)-reducible if there exists $S \subseteq V$ s.t. $|S| \le e$ and $\text{depth}(G - S) \le d$.
Otherwise we say that G is (e,d)-depth robust.

[Figure: DAG on nodes 1, 2, 3, 4, 5]
Example: (1,2)-reducible
Attacking (e,d)-reducible DAGs

• Input: S with $|S| \le e$ such that $\text{depth}(G - S) = d$, and an interval length $g > d$
• Light Phase (g rounds): Discard most pebbles
  • Goal: Pebble the next g nodes in g (sequential) steps
  • Low Memory (only keep pebbles on S and on parents of new nodes)
  • Lasts a "long" time
• Balloon Phase (d rounds): Greedily Recover Missing Pebbles
  • Goal: Recover needed pebbles for upcoming light phase
  • Expensive but quick (at most d steps in parallel, since no path in G − S is longer than d)

Theorem (Depth-Robustness is a necessary condition): If G is not (e,d)-depth robust, then $CC(G) = O\left(en + \sqrt{n^3 d}\right)$. In particular $CC(G) = o(n^2)$ for $e, d = o(n)$.
Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs?
Answer: No
• Catena [FLW15] is $(e, O(n/e))$-reducible: $CC = O(n^{1.62})$
• Balloon Hashing and Argon2i (old version) are $(e, O(n^2/e^2))$-reducible: $CC = O(n^{1.71})$
• Argon2i (latest version) is $(e, O(n^3/e^3))$-reducible: $CC = O(n^{1.77})$
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]

• Argon2: Winner of the password hashing competition [2015]
• Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i

[Figure: nodes 1, 2, 3, 4, …, i, …, n in a line; each node i has an edge from i − 1 and one from a random predecessor r(i) < i]
• random predecessor r(i) < i
• Indegree $\delta = 2$
Argon2i: Reducing depth to $\sqrt{n}$

[Figure: the n nodes split into $\sqrt[4]{n}$ layers of $n^{3/4}$ consecutive nodes each: Layer 0 = $\{1, 2, 3, \ldots, n^{3/4}\}$, Layer 1 = $\{\ldots, 2n^{3/4}\}$, …, up to the last layer ending at n]

Definition: $S_2 = \{v_i : v_{r(i)} \text{ and } v_i \text{ are in the same layer}\}$
Claim: $S_2$ is small
Fact: Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)

[Figure: same layering; once $S_2$ is removed, the only edges inside a layer are the chain edges, so each layer is a path whose depth is easy to reduce]
Let $S = S_1 + S_2$ ($S_1$: the nodes removed to cut the in-layer paths)
Attack Simulation [AB16b]

[Plot: attack cost against Argon2i-B parameter ranges; the brown line is a pessimistic Argon2i-B parameter setting]
Attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon2i-B parameter: a setting that could easily be chosen when following the Argon2i-B guidelines
Ideal iMHFs Don't Exist

Thm [AB16]: Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication: If $CC(G) = \Omega(n^2)$ there is an attack A with high quality,
$\text{Quality}_R(A) = \Omega\left(\dfrac{\log n}{\log\log n}\right)$
But we cannot rule them out in practice
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let G = (V, E) be (e,d)-depth robust; then $CC(G) \ge ed$.

Proof: Let $P_1, \ldots, P_t$ denote an (optimal) pebbling of G. For $1 \le i \le d$ define
$S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$
Every $P_j$ contributes to exactly one $S_i$, so $\sum_i |S_i| \le CC(G)$ and one of the d sets $S_i$ has size at most $CC(G)/d$. Now we claim that $d \ge \text{depth}(G - S_i)$: any path in $G - S_i$ with more than d nodes must have been completely pebbled at some point, so it carried a pebble throughout some interval of d consecutive rounds, one of which is $\equiv i \pmod d$, contradicting that none of its nodes lies in $S_i$. Thus G is $(CC(G)/d, d)$-reducible. Since G is (e,d)-depth robust, this forces $CC(G)/d \ge e$, i.e. $CC(G) \ge ed$.
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let G = (V, E) be (e,d)-depth robust; then $CC(G) \ge ed$.

Implications: There exists a constant indegree graph G with
$CC(G) \ge \Omega\left(\dfrac{n^2}{\log n}\right)$
Previous Best [AS15]: $\Omega\left(\dfrac{n^2}{\log^{10} n}\right)$
[AB16]: We cannot do better (in an asymptotic sense)
Summary

• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current Recommendation: Argon2id
  • No side channel attacks: Resists known attacks
  • Side channel attacks reduce security to Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions

• Depth-robustness is necessary and sufficient for secure iMHFs
  • [AB16], [ABP16]
• Big Challenge: Improved Constructions of Depth-Robust Graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening
Passwords vs time: Look how far we've come

[Chart: Internet users and estimated accounts per user over time; annotations: Netscape IPO, Dotcom crash]
Source: Cormac's estimate

"The password is dead"

Biometrics
• Alternatives to Passwords
• Challenges: Revoke, Secrecy

Hardware Tokens
• Alternatives to Passwords
• Challenge: $$$ + more stuff to carry around

Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords

Graphical Passwords: Hotspots

Password Managers
• Password Management Software
• Challenge: Single point of failure
References

• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak, EUROCRYPT 2017 (to appear) [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou (Working Paper) [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen, EuroS&P 2017 (to appear) [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen, CRYPTO 2016 [Full Version]
[Chart data for "Passwords vs time" (embedded spreadsheet): date, number of Internet users, world population and information source (IDC, CI Almanac, Nua Ltd, Internet World Stats) from December 1990 to September 2010, plus an estimated accounts-per-user column]
iMHF (fGH)
12
3
4Output fGH (pwdsalt)= L4
Input pwd salt
1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)
Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)
bull Maximum indegree 120575120575 = O 1
1
Evaluating an iMHF (pebbling)
Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)
12
3
4 Output L4Inputpwd salt
1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)
1
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
-reducible
119862119862119862119862 = 119874119874 119894119894162
bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992
1198901198902-reducible
119862119862119862119862 = 119874119874 119894119894171
bull Argon2i (latest version) is 119890119890 119874119874 1198991198993
1198901198903-reducible
119862119862119862119862 = 119874119874 119894119894177
bull Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
bull Argon2 Winner of the password hashing competition[2015]
bull Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
1 2 3 4 ihellip n
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894helliphelliphellip
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816
helliphelliphellip
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current Recommendation: Argon2id
  • No side-channel attacks: resists known attacks
  • Side-channel attacks reduce its security to that of Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
• Depth-robustness is a necessary and sufficient condition for secure iMHFs [AB16] [ABP16]
• Big Challenge: Improved Constructions of Depth-Robust Graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening
Passwords vs time: Look how far we've come
[Chart: passwords vs. time, annotated with the Netscape IPO, the Dotcom crash and "The password is dead"; source: Cormac's estimate]
Biometrics
• Alternatives to Passwords
• Challenges: Revoke, Secrecy
Hardware Tokens
• Alternatives to Passwords
• Challenge: $$$ + more stuff to carry around
Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords
Graphical Passwords: Hotspots
Password Managers
• Password Management Software
Related Work
• Password Management Software
• Challenge: Single point of failure
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear) [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou (Working Paper) [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear) [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016 [Full Version]
[Chart data for the "Passwords vs time" slide: Internet users vs. world population by date (sources: IDC, CI Almanac, Nua Ltd, Internet World Stats) and estimated accounts per year]
Evaluating an iMHF (pebbling)
Pebbling Rules: $P = (P_1, \ldots, P_t)$ with $P_i \subseteq V$ s.t.
• $P_{i+1} \subseteq P_i \cup \{x \in V : \mathrm{parents}(x) \subseteq P_i\}$ (need dependent values)
• $n \in P_t$ (must finish and output $L_n$)
Figure: Input (pwd, salt) → nodes 1, 2, 3, 4 → Output $L_4$, with $L_1 = H(\mathrm{pwd}, \mathrm{salt})$ and $L_3 = H(L_2, L_1)$
Pebbling Example
Figure: DAG on nodes 1 2 3 4 5
$P_1 = \{1\}$, $P_2 = \{1, 2\}$, $P_3 = \{3\}$, $P_4 = \{3, 4\}$, $P_5 = \{5\}$
Pebbling Example (CC)
$\mathrm{CC}(G) \le \sum_{i=1}^{5} |P_i| = 1 + 2 + 1 + 2 + 1 = 7$
Measuring Cost
• Cumulative Complexity (CC): $\mathrm{CC}(G) = \min_{P} \sum_{i=1}^{t_P} |P_i|$
• Amortization [AS15]: $\mathrm{CC}(G \cup G) = 2 \times \mathrm{CC}(G)$ (the cost of two independent copies of G adds up)
Pebbling Equivalence
Theorem [AS15] (Informal): High pebbling complexity of G implies high amortized memory complexity for the iMHF $f_{G,H}$
Implication: Structure of the graph G is key to iMHF security
Desiderata
Find a DAG G on n nodes such that:
1. Constant Indegree ($\delta = 2$)
2. $\mathrm{CC}(G) \ge \frac{n^2}{\tau}$ for some small value $\tau$
Maximize costs for fixed n (Users are impatient)
Depth-Robustness: The Key Property
Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Naïve Pebbling Algorithms
• Sequential Algorithm (Naïve)
  • Constraint: One new pebble per round
  • Every iMHF is defined via its Naïve algorithm
• Example: Naïve (Pebble in Topological Order)
  • Never discard pebbles
  • Time: n
  • Average pebbles: n/2
  • $\mathrm{ER}(\text{Naïve}) = \Theta(Rn + n^2)$
Amortized Attack Quality
$\mathrm{Quality}_R(A) = \frac{\mathrm{ER}(\text{Naïve})}{\mathrm{ER}(A)} \times \mathrm{inst}(A)$, where $\mathrm{inst}(A)$ is the number of iMHF instances A evaluates
Example: Algorithm A evaluates 5 iMHF instances with total cost $\mathrm{ER}(A) = 100$, and $\mathrm{ER}(\text{Naïve}) = 40$:
$\mathrm{Quality}_R(A) = \frac{40}{100} \times 5 = 2$
Desiderata
Find a DAG G and a sequential pebbling algorithm N with:
1. Constant Indegree ($\delta = 2$)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary A (c small)
3. $\mathrm{ER}(\text{Naïve}) \ge \frac{n^2}{\tau} + Rn$ for some small value $\tau$
Memory costs should dominate
Maximize costs for fixed n (Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with:
1. Constant Indegree ($\delta = 2$)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary A (c small)
3. $\mathrm{ER}(\text{Naïve}) \ge \frac{n^2}{\tau} + Rn$ for $\tau = O(1)$
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General Attack on Non Depth Robust DAGs
  • Existing iMHFs are not Depth Robust
  • Ideal iMHFs don't exist
• Subsequent Results (Depth-Robustness is Sufficient)
• Open Questions
Depth Robustness
Definition: A DAG G = (V, E) is (e,d)-reducible if there exists $S \subseteq V$ s.t. $|S| \le e$ and $\mathrm{depth}(G - S) \le d$.
Otherwise we say that G is (e,d)-depth robust.
Figure: DAG on nodes 1 2 3 4 5
Example: (1,2)-reducible
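The pebbling rules, cumulative complexity and (e,d)-reducibility defined in the slides above, worked through in Python as an added example (this is not code from the slides or from the cited papers). The five-node DAG is a constructed one that is consistent with the slide's pebbling sequence (the path 1→2→3→4→5 plus the edges 1→3 and 3→5); CC(G) is computed exactly by an exhaustive search that is only feasible for tiny graphs, and key_theorem_holds is my own sanity check of the Key Theorem's bound CC(G) ≥ e·d on that graph.

```python
"""Graph pebbling toys for the iMHF slides: legality of a parallel pebbling,
its cumulative cost, exact CC(G) for tiny DAGs, and (e,d)-reducibility."""
import heapq
from itertools import combinations

# Constructed sample DAG (not from the slides): nodes 1..5 in topological order,
# the path 1->2->3->4->5 plus the edges 1->3 and 3->5, so every indegree <= 2.
# parents[v] is the set of predecessors of v.
EXAMPLE_PARENTS = {1: set(), 2: {1}, 3: {1, 2}, 4: {3}, 5: {3, 4}}

# The slide's pebbling sequence P1..P5, which is legal on the DAG above.
EXAMPLE_PEBBLING = [{1}, {1, 2}, {3}, {3, 4}, {5}]


def is_legal_pebbling(parents, pebbling):
    """Pebbling rules: a pebble may be placed on x only if all parents of x held
    a pebble in the previous round (P_{i+1} is a subset of P_i plus such x), and
    the sink n must carry a pebble in the final round."""
    n = len(parents)
    prev = set()
    for step in pebbling:
        for x in step - prev:            # newly placed pebbles
            if not parents[x] <= prev:
                return False
        prev = step
    return bool(pebbling) and n in pebbling[-1]


def cumulative_cost(pebbling):
    """Cost of one pebbling: total number of pebbles held over all rounds."""
    return sum(len(step) for step in pebbling)


def cumulative_complexity(parents):
    """Exact CC(G): minimum cumulative cost over all legal pebblings.

    Dijkstra over pebble configurations (a bitmask over nodes 1..n), where
    moving to configuration Q costs |Q|. Only feasible for tiny graphs."""
    n = len(parents)
    pmask = {v: sum(1 << (p - 1) for p in parents[v]) for v in parents}
    sink = 1 << (n - 1)
    best = {0: 0}
    heap = [(0, 0)]
    while heap:
        cost, conf = heapq.heappop(heap)
        if cost > best[conf]:
            continue
        if conf & sink:                  # sink pebbled: first pop is optimal
            return cost
        allowed = conf                   # kept pebbles ...
        for v in range(1, n + 1):        # ... plus nodes with all parents in conf
            if pmask[v] & conf == pmask[v]:
                allowed |= 1 << (v - 1)
        sub = allowed
        while sub:                       # every non-empty subset of allowed
            new_cost = cost + bin(sub).count("1")
            if new_cost < best.get(sub, float("inf")):
                best[sub] = new_cost
                heapq.heappush(heap, (new_cost, sub))
            sub = (sub - 1) & allowed
    return None


def depth(parents, removed=frozenset()):
    """Length in edges of the longest path in G - removed."""
    longest = {}
    for v in sorted(parents):            # nodes are topologically numbered
        if v in removed:
            continue
        longest[v] = max((longest[p] + 1 for p in parents[v] if p not in removed),
                         default=0)
    return max(longest.values(), default=0)


def is_reducible(parents, e, d):
    """(e,d)-reducible: some S with |S| <= e has depth(G - S) <= d (brute force)."""
    nodes = list(parents)
    return any(depth(parents, frozenset(S)) <= d
               for k in range(e + 1) for S in combinations(nodes, k))


def key_theorem_holds(parents):
    """Sanity check of the slides' Key Theorem on a tiny DAG: whenever G is
    (e,d)-depth robust, i.e. not (e,d)-reducible, CC(G) >= e * d."""
    cc = cumulative_complexity(parents)
    n = len(parents)
    return all(is_reducible(parents, e, d) or cc >= e * d
               for e in range(n + 1) for d in range(n + 1))


if __name__ == "__main__":
    print("legal:", is_legal_pebbling(EXAMPLE_PARENTS, EXAMPLE_PEBBLING))
    print("cost of the slide's pebbling:", cumulative_cost(EXAMPLE_PEBBLING))
    print("CC(G):", cumulative_complexity(EXAMPLE_PARENTS))
    print("depth(G), depth(G - {3}):", depth(EXAMPLE_PARENTS),
          depth(EXAMPLE_PARENTS, frozenset({3})))
    print("(1,2)-reducible:", is_reducible(EXAMPLE_PARENTS, 1, 2))
    print("Key Theorem holds:", key_theorem_holds(EXAMPLE_PARENTS))
```

On the sample DAG the slide's pebbling is optimal (CC(G) = 7), and removing the single node 3 drops the depth from 4 to 1, which is why the graph is (1,2)-reducible.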
Attacking (e,d)-reducible DAGs
• Input: $|S| \le e$ such that $\mathrm{depth}(G - S) = d$, and $g > d$
• Light Phase (g rounds): Discard most pebbles
  • Goal: Pebble the next g nodes in g (sequential) steps
  • Low Memory (only keep pebbles on S and on parents of new nodes)
  • Lasts a "long" time
• Balloon Phase (d rounds): Greedily Recover Missing Pebbles
  • Goal: Recover needed pebbles for upcoming light phase
  • Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition): If G is not (e,d)-depth robust then $\mathrm{CC}(G) = O\!\left(en + \sqrt{n^3 d}\right)$. In particular $\mathrm{CC}(G) = o(n^2)$ for $e, d = o(n)$.
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs?
Answer: No
• Catena [FLW15] is $(e, O(n/e))$-reducible: $\mathrm{CC} = O(n^{1.62})$
• Balloon Hashing and Argon2i (old version) are $(e, O(n^2/e^2))$-reducible: $\mathrm{CC} = O(n^{1.71})$
• Argon2i (latest version) is $(e, O(n^3/e^3))$-reducible: $\mathrm{CC} = O(n^{1.77})$
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
• Argon2: Winner of the password hashing competition [2015]
• Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
Figure: nodes 1 2 3 4 … i … n, each node i with a random predecessor $r(i) < i$
Indegree $\delta = 2$
Argon2i: Reducing depth to $\sqrt{n}$
Figure: Layer 0 = 1, 2, 3, …, $n^{3/4}$; Layer 1 = …, $2n^{3/4}$; …; Layer $\sqrt[4]{n}$ = …, n
Definition: $S_2 = \{v_i : v_{r(i)} \text{ and } v_i \text{ in same layer}\}$
Claim: $S_2$ is small
Fact: Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
Figure: Layer 0 = 1, 2, 3, …, $n^{3/4}$; Layer 1 = …, +2, +3, …, $2n^{3/4}$; …; Layer $\sqrt[4]{n}$ = …, n
Let S = S1 + S2
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Equivalence

Theorem [AS15] (Informal): High pebbling complexity of $G$ implies high amortized memory complexity for the iMHF $f_{G,H}$.

Implication: the structure of the graph $G$ is key to iMHF security.
Desiderata

Find a DAG $G$ on $n$ nodes such that
1. Constant indegree ($\delta = 2$)
2. $\mathrm{CC}(G) \ge n^2/\tau$ for some small value $\tau$

Maximize costs for fixed $n$ (users are impatient).
Depth-Robustness: The Key Property

Necessary [AB16] and sufficient [ABP16] for secure iMHFs.
Naïve Pebbling Algorithms

• Sequential algorithm (Naïve)
  • Constraint: one new pebble per round
  • Every iMHF is defined via its Naïve algorithm
• Example: Naïve (pebble in topological order)
  • Never discard pebbles
  • Time: $n$
  • Average pebbles: $n/2$
  • $\mathrm{ER}(\text{Naïve}) = \Theta(Rn + n^2)$
Amortized Attack Quality

$\mathrm{Quality}_R(A) = \dfrac{\mathrm{ER}(\text{Naïve})}{\mathrm{ER}(A)} \times \#\mathrm{inst}(A)$

where $\#\mathrm{inst}(A)$ is the number of iMHF instances that $A$ evaluates.

Example: Algorithm $A$ evaluates 5 iMHF instances with total cost $\mathrm{ER}(A) = 100$, and $\mathrm{ER}(\text{Naïve}) = 40$:

$\mathrm{Quality}_R(A) = \dfrac{40}{100} \times 5 = 2$
Desiderata

Find a DAG $G$ and a sequential pebbling algorithm $N$ with
1. Constant indegree ($\delta = 2$)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary $A$ ($c$ small)
3. $\mathrm{ER}(\text{Naïve}) \ge n^2/\tau + Rn$ for some small value $\tau$

Memory costs should dominate. Maximize costs for fixed $n$ (users are impatient).

c-Ideal iMHF

Find a DAG $G$ and a sequential pebbling algorithm $N$ with
1. Constant indegree ($\delta = 2$)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary $A$ ($c$ small)
3. $\mathrm{ER}(\text{Naïve}) \ge n^2/\tau + Rn$ for $\tau = O(1)$
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General attack on non-depth-robust DAGs
  • Existing iMHFs are not depth robust
  • Ideal iMHFs don't exist
• Subsequent Results (Depth-Robustness is Sufficient)
• Open Questions
Depth Robustness

Definition: A DAG $G = (V, E)$ is $(e,d)$-reducible if there exists $S \subseteq V$ s.t. $|S| \le e$ and $\mathrm{depth}(G - S) \le d$. Otherwise we say that $G$ is $(e,d)$-depth robust.

Example: the 5-node DAG on nodes 1 2 3 4 5 is $(1,2)$-reducible (removing a single node leaves depth at most 2).
Attacking (e,d)-reducible DAGs

• Input: $S$ with $|S| \le e$ such that $\mathrm{depth}(G - S) = d$, and a parameter $g > d$
• Light Phase ($g$ rounds): discard most pebbles
  • Goal: pebble the next $g$ nodes in $g$ (sequential) steps
  • Low memory (only keep pebbles on $S$ and on parents of new nodes)
  • Lasts a "long" time
• Balloon Phase ($d$ rounds): greedily recover missing pebbles
  • Goal: recover the pebbles needed for the upcoming light phase
  • Expensive but quick (at most $d$ steps in parallel)

Theorem (Depth-Robustness is a necessary condition): If $G$ is not $(e,d)$-depth robust then $\mathrm{CC}(G) = O\!\left(en + \sqrt{n^3 d}\right)$. In particular, $\mathrm{CC}(G) = o(n^2)$ for $e, d = o(n)$.
Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs? Answer: No.

• Catena [FLW15] is $\left(e, O\!\left(\frac{n}{e}\right)\right)$-reducible: $\mathrm{CC} = O(n^{1.62})$
• Balloon Hashing and Argon2i (old version) are $\left(e, O\!\left(\frac{n^2}{e^2}\right)\right)$-reducible: $\mathrm{CC} = O(n^{1.71})$
• Argon2i (latest version) is $\left(e, O\!\left(\frac{n^3}{e^3}\right)\right)$-reducible: $\mathrm{CC} = O(n^{1.77})$
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]

• Argon2: winner of the Password Hashing Competition [2015]
• Authors recommend the Argon2i variant (data-independent) for password hashing

Argon2i

Nodes 1 2 3 4 … i … n: each node $i$ has an edge from $i-1$ and one edge from a random predecessor $r(i) < i$; indegree $\delta = 2$.
Argon2i: Reducing depth to $\sqrt{n}$

Partition the nodes $1, 2, 3, \ldots, n^{3/4}, \ldots, 2n^{3/4}, \ldots, n$ into consecutive layers of $n^{3/4}$ nodes each: Layer 0, Layer 1, …, Layer $\sqrt[4]{n}$.

Definition: $S_2 = \{\, v_i : v_{r(i)} \text{ and } v_i \text{ are in the same layer} \,\}$

Claim: $S_2$ is small.

Fact: it is easy to reduce the depth of a path.

Argon2i is a layered DAG (almost)

Once the nodes in $S_2$ are removed, no random edge $r(i) \to i$ stays inside a layer, so what remains of each layer is a path (the figure labels the remaining in-layer edges $+2, +3, \ldots$). Let $S = S_1 + S_2$.
Attack Simulation [AB16b]

[Figure: simulated attack cost across parameter ranges] The attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line). The pessimistic Argon2i-B parameter setting could easily be chosen when following the Argon2i-B guidelines.
Ideal iMHFs Don't Exist

Theorem [AB16]: Any graph $G$ (with constant in-degree) is at least somewhat depth-reducible.

Implication: if $\mathrm{CC}(G) = \Omega(n^2)$ there is an attack $A$ with high quality, $\mathrm{Quality}_R(A) = \Omega\!\left(\frac{\log n}{\log\log n}\right)$.

But we cannot rule them out in practice.
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let $G = (V, E)$ be $(e,d)$-depth robust; then $\mathrm{CC}(G) \ge e \cdot d$.

Proof: Let $P_1, \ldots, P_t$ denote an (optimal) pebbling of $G$. For $0 < i < d$ define

$S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$

One of the sets $S_i$ has size at most $\mathrm{CC}(G)/d$. Now we claim that $d \ge \mathrm{depth}(G - S_i)$, because any path in $G - S_i$ must have been completely pebbled at some point; thus it must have been pebbled entirely during some interval of length $d$. Thus $G$ is $(\mathrm{CC}(G)/d,\, d)$-reducible. It follows that $\mathrm{CC}(G) \ge e \cdot d$.

Implications: There exists a constant indegree graph $G$ with $\mathrm{CC}(G) \ge \Omega\!\left(\frac{n^2}{\log n}\right)$.

Previous best [AS15]: $\Omega\!\left(\frac{n^2}{\log^{10} n}\right)$

[AB16]: We cannot do better (in an asymptotic sense).
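The pebbling cost, the (e,d)-reducibility check and the S_i construction from the proof above, carried through in code on the slides' 5-node example. This is an added example, not code from the lecture or from the papers it cites; it assumes the example graph's edges (1→2, 1→3, 2→3, 3→4, 3→5, 4→5, reconstructed from the pebbling P1..P5 shown earlier), counts depth as the number of nodes on the longest path (the convention under which the (1,2)-reducible claim holds), and indexes the sets S_i by i = 1..d so that every round falls in exactly one of them.

```python
from heapq import heappush, heappop
from itertools import combinations

# Constructed DAG, nodes 1..5, parents[v] = predecessors of v (assumed edges
# 1->2, 1->3, 2->3, 3->4, 3->5, 4->5; labels are in topological order).
EXAMPLE_PARENTS = {1: set(), 2: {1}, 3: {1, 2}, 4: {3}, 5: {3, 4}}
# The pebbling shown on the slides: P1={1}, P2={1,2}, P3={3}, P4={3,4}, P5={5}.
EXAMPLE_PEBBLING = [{1}, {1, 2}, {3}, {3, 4}, {5}]


def is_legal_pebbling(parents, pebbling, sink):
    """A pebble may be placed on v only if every parent of v held a pebble in the
    previous round (any number per round); pebbles may be discarded freely."""
    prev = set()
    for current in pebbling:
        if any(not parents[v] <= prev for v in current - prev):
            return False
        prev = current
    return sink in prev


def cumulative_cost(pebbling):
    """Cumulative cost of one pebbling: the sum of |P_i| over all rounds."""
    return sum(len(p) for p in pebbling)


def naive_pebbling(parents):
    """Sequential topological-order pebbling that never discards, i.e. the
    honest iMHF evaluation: |P_i| = i, so the cost is n(n+1)/2."""
    kept, rounds = set(), []
    for v in sorted(parents):
        kept = kept | {v}
        rounds.append(kept)
    return rounds


def optimal_cc(parents, sink):
    """CC(G) via Dijkstra over the 2^n pebble configurations (tiny graphs only)."""
    nodes = sorted(parents)
    dist = {frozenset(): 0}
    heap = [(0, ())]
    while heap:
        cost, cur = heappop(heap)
        cur = frozenset(cur)
        if cost > dist[cur]:
            continue                      # stale heap entry
        if sink in cur:
            return cost
        placeable = [v for v in nodes if v not in cur and parents[v] <= cur]
        # Next configuration: keep any subset of cur plus a nonempty set of
        # placeable nodes; moving to configuration T costs |T|.
        for k in range(len(cur) + 1):
            for keep in combinations(sorted(cur), k):
                for m in range(1, len(placeable) + 1):
                    for add in combinations(placeable, m):
                        nxt = frozenset(keep) | frozenset(add)
                        ncost = cost + len(nxt)
                        if ncost < dist.get(nxt, float("inf")):
                            dist[nxt] = ncost
                            heappush(heap, (ncost, tuple(sorted(nxt))))


def depth(parents, removed=frozenset()):
    """Number of nodes on the longest path of G - removed (0 if empty)."""
    longest = {}
    for v in sorted(parents):             # labels are topological
        if v not in removed:
            longest[v] = 1 + max((longest[p] for p in parents[v]
                                  if p not in removed), default=0)
    return max(longest.values(), default=0)


def is_reducible(parents, e, d):
    """(e,d)-reducible: some S with |S| <= e has depth(G - S) <= d (brute force
    over all small S); G is (e,d)-depth robust exactly when this is False."""
    return any(depth(parents, frozenset(s)) <= d
               for k in range(e + 1) for s in combinations(sorted(parents), k))


def reducing_set_from_pebbling(parents, pebbling, d):
    """[ABP16] construction S_i = P_i u P_{d+i} u ... for i = 1..d (assumption:
    each round lands in exactly one S_i). The smallest S_i has size <= cost/d
    and depth(G - S_i) <= d, so CC(G) >= e*d whenever G is (e,d)-depth robust."""
    best = None
    for i in range(1, d + 1):
        s = set()
        for j in range(i - 1, len(pebbling), d):
            s |= pebbling[j]
        if best is None or len(s) < len(best):
            best = frozenset(s)
    assert len(best) * d <= cumulative_cost(pebbling)
    assert depth(parents, best) <= d
    return best


if __name__ == "__main__":
    g, p = EXAMPLE_PARENTS, EXAMPLE_PEBBLING
    print(cumulative_cost(p), optimal_cc(g, 5), cumulative_cost(naive_pebbling(g)))
    print(is_reducible(g, 1, 2), sorted(reducing_set_from_pebbling(g, p, 2)))
```

On the example the slides' pebbling is optimal (CC(G) = 7 against the Naïve cost of 15), and the S_i built from it for d = 2 is {1, 3, 5}, whose removal leaves depth 1.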
Summary

• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current recommendation: Argon2id
  • With no side-channel attacks: resists known attacks
  • Side-channel attacks reduce security to Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

• Depth-robustness is necessary and sufficient for secure iMHFs [AB16, ABP16]
• Big challenge: improved constructions of depth-robust graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter

Thanks for Listening
Passwords vs Time: Look how far we've come

[Figure: Internet users and accounts over time, annotated with the Netscape IPO and the dotcom crash. Source: Cormac's estimate]

"The password is dead"

Biometrics

• Alternatives to passwords
• Challenges: revoke, secrecy

Hardware Tokens

• Alternatives to passwords
• Challenge: $$$ + more stuff to carry around

Graphical Passwords

• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: multiple passwords

Graphical Passwords: Hotspots

Password Managers

• Password management software
• Challenge: single point of failure
References

• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear) [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou (working paper) [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear) [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016 [Full Version]
[Chart data behind the "Passwords vs Time" figure: columns DATE, NUMBER OF USERS, WORLD POPULATION, INFORMATION SOURCE, accts/yr; rows from December 1990 through September 2010 (sources: IDC, CI Almanac, Nua Ltd, Internet World Stats) omitted here.]
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Pebbling Example (CC)
[Figure: DAG on nodes 1 2 3 4 5; pebbles are placed round by round]
P1 = {1}, P2 = {1, 2}, P3 = {3}, P4 = {3, 4}, P5 = {5}
CC(G) ≤ Σ_{i=1}^{5} |P_i| = 1 + 2 + 1 + 2 + 1 = 7
Measuring Cost
• Cumulative Complexity (CC): CC(G) = min_P Σ_{i=1}^{t_P} |P_i|, the minimum over all legal pebblings P = (P_1, …, P_{t_P}) of G
• Amortization [AS15]: CC(G ∪ G) = 2 × CC(G) (two disjoint copies of G cost twice as much as one)
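To make the pebbling game and CC concrete, here is an added Python example (not code from the lecture or from the cited papers): it checks that a pebbling sequence is legal, sums its cost, runs the Naïve strategy, and computes CC(G) exactly by a shortest-path search over pebble configurations. The 5-node DAG's edge set is an assumption, chosen so that the slide's pebbling P1={1}, P2={1,2}, P3={3}, P4={3,4}, P5={5} is legal on it.

```python
"""Graph pebbling and cumulative complexity (CC) on a small DAG.

Added example, not code from the lecture or its papers.  The DAG below is
constructed here so that the slide's pebbling is legal on it; the slide does
not list the edges, so this edge set is an assumption.
"""
from __future__ import annotations

import heapq
from itertools import combinations

# Constructed 5-node DAG with indegree <= 2, given as parents of each node.
# Edges: 1->2, 1->3, 2->3, 3->4, 3->5, 4->5.  Node 5 is the sink.
EXAMPLE_DAG = {1: (), 2: (1,), 3: (1, 2), 4: (3,), 5: (3, 4)}

# The pebbling shown on the "Pebbling Example (CC)" slide.
SLIDE_PEBBLING = [{1}, {1, 2}, {3}, {3, 4}, {5}]


def is_legal_pebbling(parents, pebbling):
    """Parallel pebbling rules: a pebble may be placed on v in round i only if
    every parent of v carried a pebble in round i-1 (round 0 is empty);
    pebbles may be removed at any time; the sink must be pebbled at some point."""
    prev = set()
    for cur in pebbling:
        for v in cur - prev:                       # newly placed pebbles
            if any(p not in prev for p in parents[v]):
                return False
        prev = cur
    sink = max(parents)                            # nodes are numbered in topological order
    return any(sink in cur for cur in pebbling)


def cumulative_cost(pebbling):
    """CC of one pebbling: the sum over rounds of the number of pebbles held."""
    return sum(len(cur) for cur in pebbling)


def naive_pebbling(parents):
    """The Naive sequential algorithm: pebble nodes in topological order, one
    new pebble per round, never discard.  Cost is 1 + 2 + ... + n = n(n+1)/2,
    i.e. time n with n/2 pebbles on average, as on the slides."""
    placed, rounds = set(), []
    for v in sorted(parents):
        placed = placed | {v}
        rounds.append(placed)
    return rounds


def exact_cc(parents):
    """CC(G) = min over all legal pebblings of sum |P_i|, computed exactly by
    Dijkstra over pebble configurations (2^n states, so tiny graphs only).
    A transition from configuration A to configuration B costs |B|."""
    nodes = sorted(parents)
    sink = nodes[-1]
    dist = {frozenset(): 0}
    heap = [(0, tuple())]
    while heap:
        cost, conf_t = heapq.heappop(heap)
        conf = frozenset(conf_t)
        if cost > dist.get(conf, float("inf")):
            continue
        if sink in conf:
            return cost
        # Nodes that may receive a pebble next round: all parents pebbled now.
        placeable = [v for v in nodes if v not in conf and all(p in conf for p in parents[v])]
        # Next configuration = any subset of the current pebbles kept, plus a
        # non-empty subset of the placeable nodes (a removal-only round never helps).
        keep_options = [frozenset(k) for r in range(len(conf) + 1)
                        for k in combinations(sorted(conf), r)]
        add_options = [frozenset(a) for r in range(1, len(placeable) + 1)
                       for a in combinations(placeable, r)]
        for keep in keep_options:
            for add in add_options:
                nxt = keep | add
                new_cost = cost + len(nxt)
                if new_cost < dist.get(nxt, float("inf")):
                    dist[nxt] = new_cost
                    heapq.heappush(heap, (new_cost, tuple(sorted(nxt))))
    raise ValueError("sink unreachable from the sources")


if __name__ == "__main__":
    assert is_legal_pebbling(EXAMPLE_DAG, SLIDE_PEBBLING)
    print("slide pebbling CC :", cumulative_cost(SLIDE_PEBBLING))               # 7
    print("naive pebbling CC :", cumulative_cost(naive_pebbling(EXAMPLE_DAG)))   # 15
    print("exact CC(G)       :", exact_cc(EXAMPLE_DAG))                          # 7
```

On this constructed DAG the slide's pebbling is optimal, so the bound CC(G) ≤ 7 is tight, while the Naïve pebbling pays 15 = n(n+1)/2.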
Pebbling Equivalence
Theorem [AS15] (informal): High pebbling complexity of G implies high amortized memory complexity for the iMHF f_{G,H}.
Implication: the structure of the graph G is key to iMHF security.
Desiderata
Find a DAG G on n nodes such that
1. Constant indegree (δ = 2)
2. CC(G) ≥ n²/τ for some small value τ
Maximize costs for fixed n (users are impatient)
Depth-Robustness: The Key Property
Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Naïve Pebbling Algorithms
• Sequential algorithm (Naïve)
  • Constraint: one new pebble per round
  • Every iMHF is defined via its Naïve algorithm
• Example Naïve (pebble in topological order)
  • Never discard pebbles
  • Time: n
  • Average pebbles: n/2
  • ER(Naïve) = θ(R·n + n²)
Amortized Attack Quality
Quality_R(A) = (ER(Naïve) / ER(A)) × #inst(A), where #inst(A) is the number of iMHF instances A evaluates
Example: Algorithm A evaluates 5 iMHF instances with total cost ER(A) = 100, and ER(Naïve) = 40
Quality_R(A) = (40 / 100) × 5 = 2
Desiderata
Find a DAG G and a sequential pebbling algorithm N with
1. Constant indegree (δ = 2)
2. Quality_R(A) ≤ c for every adversary A (c small)
3. ER(Naïve) ≥ n²/τ + R·n for some small value τ
Memory costs should dominate. Maximize costs for fixed n (users are impatient).
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with
1. Constant indegree (δ = 2)
2. Quality_R(A) ≤ c for every adversary A (c small)
3. ER(Naïve) ≥ n²/τ + R·n for τ = O(1)
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General attack on non-depth-robust DAGs
  • Existing iMHFs are not depth robust
  • Ideal iMHFs don't exist
• Subsequent Results (Depth-Robustness is Sufficient)
• Open Questions
Depth Robustness
Definition: A DAG G = (V, E) is (e, d)-reducible if there exists S ⊆ V s.t. |S| ≤ e and depth(G − S) ≤ d.
Otherwise we say that G is (e, d)-depth robust.
Example: the 5-node DAG 1 2 3 4 5 in the figure is (1, 2)-reducible
Attacking (e, d)-reducible DAGs
• Input: S with |S| ≤ e such that depth(G − S) = d, and a parameter g > d
• Light Phase (g rounds): discard most pebbles
  • Goal: pebble the next g nodes in g (sequential) steps
  • Low memory (only keep pebbles on S and on parents of new nodes)
  • Lasts a "long" time
• Balloon Phase (d rounds): greedily recover missing pebbles
  • Goal: recover the pebbles needed for the upcoming light phase
  • Expensive but quick (at most d steps in parallel)
Theorem (Depth-robustness is a necessary condition): If G is not (e, d)-depth robust then CC(G) = O(e·n + √(n³·d)). In particular CC(G) = o(n²) for e, d = o(n).
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs? Answer: No
• Catena [FLW15] is (e, O(n/e))-reducible: CC = O(n^1.62)
• Balloon Hashing and Argon2i (old version) are (e, O(n²/e²))-reducible: CC = O(n^1.71)
• Argon2i (latest version) is (e, O(n³/e³))-reducible: CC = O(n^1.77)
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
• Argon2: winner of the Password Hashing Competition [2015]
• Authors recommend the Argon2i variant (data-independent) for password hashing
[Figure: Argon2i's DAG on nodes 1, 2, 3, 4, …, i, …, n; each node i has one random predecessor r(i) < i in addition to the chain edge from its neighbour]
Indegree δ = 2
Argon2i: Reducing depth to √n
[Figure: the nodes 1 … n split into ⁴√n layers (Layer 0, Layer 1, …, Layer ⁴√n) of n^(3/4) consecutive nodes each: 1 … n^(3/4) | … 2n^(3/4) | … | … n]
Definition: S2 = {v_i : v_r(i) and v_i lie in the same layer}
Claim: S2 is small
Fact: easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
Let S = S1 ∪ S2
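The following added Python example (not code from the lecture or the cited papers) serves both the (e, d)-reducibility definition above and this slide's layered reduction: it brute-forces a reducing set for the 5-node example graph, then builds a random DAG that follows only the slide's description of Argon2i's graph (a chain edge plus one uniformly random earlier predecessor; the real Argon2i indexing function is not uniform, so this is a model and not Argon2i's code), removes S = S1 ∪ S2 with layers of n^(3/4) nodes, and measures depth(G − S). The 5-node graph's edge set is an assumption matching the slide's pebbling.

```python
"""(e, d)-reducibility and the layered depth-reduction of an Argon2i-like DAG.

Added example, not the lecture's or the papers' code.  The random DAG follows
the slide's description only: node i has a chain edge from i-1 and one
uniformly random predecessor r(i) < i.  Real Argon2i's indexing is not
uniform and works on blocks and lanes, so this is a model, not Argon2i.
"""
from __future__ import annotations

import random
from itertools import combinations

# Same constructed 5-node DAG as in the pebbling example (edge set assumed).
EXAMPLE_DAG = {1: (), 2: (1,), 3: (1, 2), 4: (3,), 5: (3, 4)}


def depth(parents, removed=frozenset()):
    """Number of nodes on the longest path of G - S.  Nodes must be numbered
    in topological order, as every DAG on the slides is."""
    longest, best = {}, 0
    for v in sorted(parents):
        if v in removed:
            continue
        longest[v] = 1 + max((longest[p] for p in parents[v] if p not in removed), default=0)
        best = max(best, longest[v])
    return best


def reducible_witness(parents, e, d):
    """Brute-force (e, d)-reducibility: return a set S with |S| <= e and
    depth(G - S) <= d, or None if G is (e, d)-depth robust.  Exponential in e,
    so only for tiny graphs."""
    nodes = sorted(parents)
    for size in range(e + 1):
        for s in combinations(nodes, size):
            if depth(parents, frozenset(s)) <= d:
                return set(s)
    return None


def argon2i_like_dag(n, seed):
    """Nodes 0..n-1; node i >= 1 has parent i-1 and, for i >= 2, a random
    predecessor r(i) drawn uniformly from 0..i-2 (indegree <= 2)."""
    rng = random.Random(seed)
    parents = {0: ()}
    for i in range(1, n):
        parents[i] = (i - 1,) if i < 2 else (i - 1, rng.randrange(0, i - 1))
    return parents


def layered_reduction(parents, layer_size, stride):
    """The slide's set S = S1 u S2 for the layered view of the DAG:
      S2 = { v_i : v_r(i) and v_i lie in the same layer }  (kills intra-layer random edges)
      S1 = every stride-th node                              (cuts each layer's chain into short runs)
    Afterwards every surviving random edge jumps to a strictly later layer, so a
    path visits at most (#layers) runs of fewer than `stride` chain nodes each."""
    s2 = {i for i, ps in parents.items()
          if len(ps) == 2 and ps[1] // layer_size == i // layer_size}
    s1 = {i for i in parents if i % stride == 0}
    return s1 | s2


def reduce_argon2i_like(n=4096, seed=7):
    """Apply the slide's parameters: layers of n^(3/4) nodes, S1 = every n^(1/4)-th node.
    Returns (|S|, depth(G - S), n^(3/4), sqrt(n)) so the bounds e = O(n^(3/4)) and
    d <= sqrt(n) can be checked; n = 4096 gives 8 layers of 512 nodes."""
    parents = argon2i_like_dag(n, seed)
    layer_size = round(n ** 0.75)      # 512
    stride = round(n ** 0.25)          # 8
    s = layered_reduction(parents, layer_size, stride)
    return len(s), depth(parents, frozenset(s)), layer_size, round(n ** 0.5)


if __name__ == "__main__":
    print("5-node DAG is (1,2)-reducible via S =", reducible_witness(EXAMPLE_DAG, 1, 2))   # {3}
    print("5-node DAG is (0,4)-depth robust:", reducible_witness(EXAMPLE_DAG, 0, 4) is None)
    size, d, m, root = reduce_argon2i_like()
    print(f"n=4096: |S|={size} (n^(3/4)={m}), depth(G-S)={d} <= sqrt(n)={root}")
```

With 8 layers and at most 7 surviving chain nodes per layer, depth(G − S) is at most 56 ≤ √n = 64 for every seed, while |S| stays a small multiple of n^(3/4): this is the (e, O(n²/e²))-reducibility the earlier slide states for the old Argon2i at e ≈ n^(3/4).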
Attack Simulation [AB16b]
Attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line in the plot)
Pessimistic Argon2i-B parameter: a parameter setting that could easily be chosen when following the Argon2i-B guidelines
Ideal iMHFs Don't Exist
Thm [AB16]: Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication: If CC(G) = Ω(n²) there is an attack A with high quality: Quality_R(A) = Ω(log(n) / log log(n))
But we cannot rule them out in practice
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let G = (V, E) be (e, d)-depth robust; then CC(G) ≥ e·d.
Proof: Let P1, …, Pt denote an (optimal) pebbling of G. For 0 < i < d define S_i = P_i ∪ P_{d+i} ∪ P_{2d+i} ∪ ⋯. One of the sets S_i has size at most CC(G)/d. Now we claim that d ≥ depth(G − S_i), because any path in G − S_i must have been completely pebbled at some point; thus it must have been pebbled entirely during some interval of length d. Thus G is (CC(G)/d, d)-reducible. It follows that CC(G) ≥ e·d.

Depth-Robustness is Sufficient [ABP16]
Implications: There exists a constant indegree graph G with CC(G) ≥ Ω(n²/log n)
Previous best [AS15]: Ω(n²/log^10 n)
[AB16]: We cannot do better (in an asymptotic sense)
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current Recommendation: Argon2id
  • Without side-channel attacks: resists known attacks
  • Side-channel attacks reduce its security to that of Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
• Depth-robustness is a necessary and sufficient condition for secure iMHFs [AB16, ABP16]
• Big Challenge: improved constructions of depth-robust graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening

Passwords vs. Time: Look how far we've come
[Chart: passwords vs. time, with the Netscape IPO and the dotcom crash marked. Source: Cormac's estimate]
"The password is dead"

Alternatives to Passwords: Biometrics
Challenges: revocation, secrecy

Alternatives to Passwords: Hardware Tokens
Challenge: $$$ + more stuff to carry around

Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
Challenge: multiple passwords
Graphical Passwords: Hotspots

Password Managers
• Password management software
Challenge: single point of failure
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear) [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working paper [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear) [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016 [Full Version]
[Chart data for "Passwords vs. Time": date, number of Internet users, world population, information source (IDC, CI Almanac, Nua Ltd, Internet World Stats), and accounts per year]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Biometrics
59
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Hardware Tokens
61
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Everybody |
DATE | DATE | NUMBER OF USERS | WORLD | WORLD | INFORMATION | DATE | DATE | NUMBER OF USERS | DATE | DATE | acctsyr | |||||||||||||||||||||||||||||||||||||
POPULATION | POPULATION | SOURCE | ||||||||||||||||||||||||||||||||||||||||||||||
December-90 | 0 | 3 | 15 | 020 | 00261 | 000 | 1 | December-90 | 3 | 1 | December-90 | 3 | 1 | December-90 | 3 | 3 | December-90 | 3 | 1 | 3 | ||||||||||||||||||||||||||||
December-95 | December-95 | 0 | 16 | 040 | 80 | 040 | IDC | 100 | 00522 | 180 | 12 | December-95 | 192 | December-95 | 16 | 1778 | December-95 | 48 | 28448 | December-95 | 48 | 3 | 48 | |||||||||||||||||||||||||
December-96 | December-96 | 0 | 36 | 090 | 180 | 090 | IDC | 200 | 00783 | 188 | 13132 | December-96 | 472752 | December-96 | 36 | 1994916 | December-96 | 126 | 71816976 | December-96 | 1368 | 38 | 126 | |||||||||||||||||||||||||
December-97 | December-97 | 0 | 70 | 170 | 350 | 170 | IDC | 300 | 01043 | 209 | 16263 | December-97 | 113841 | December-97 | 70 | 2238295752 | December-97 | 280 | 15668070264 | December-97 | 322 | 46 | 280 | |||||||||||||||||||||||||
December-98 | December-98 | 0 | 147 | 360 | 735 | 360 | CI Almanac | 400 | 01303 | 230 | 19391 | December-98 | 2850477 | December-98 | 147 | 25113678337 | December-98 | 6615 | 3691710715604 | December-98 | 7791 | 53 | 6615 | |||||||||||||||||||||||||
December-99 | December-99 | 0 | 248 | 410 | 1240 | 410 | Nua Ltd | 500 | 01563 | 251 | 22517 | December-99 | 5584216 | December-99 | 248 | 28177547095 | December-99 | 1240 | 6988031679463 | December-99 | 15376 | 62 | 1240 | |||||||||||||||||||||||||
March-00 | March-00 | 0 | 304 | 500 | 1520 | 500 | Nua Ltd | 600 | 01822 | 272 | 25638 | March-00 | 7793952 | December-00 | 361 | 3161520784 | December-00 | 19855 | 11413090030294 | December-00 | 2527 | 7 | 19855 | |||||||||||||||||||||||||
July-00 | July-00 | 0 | 359 | 590 | 1795 | 590 | Nua Ltd | 700 | 02081 | 293 | 28754 | July-00 | 10322686 | December-01 | 543 | 35472263197 | December-01 | 3258 | 1926143891578 | December-01 | 39639 | 73 | 3258 | |||||||||||||||||||||||||
December-00 | December-00 | 0 | 361 | 580 | 1805 | 580 | Internet World Stats | 800 | 02338 | 313 | 31864 | December-00 | 11502904 | December-02 | 607 | 39799879307 | December-02 | 39455 | 2415852673913 | December-02 | 47953 | 79 | 39455 | |||||||||||||||||||||||||
March-01 | March-01 | 0 | 458 | 760 | 2290 | 760 | Nua Ltd | 900 | 02852 | 334 | 34967 | March-01 | 16014886 | December-03 | 719 | 44655464582 | December-03 | 5033 | 32107279034493 | December-03 | 61115 | 85 | 5033 | |||||||||||||||||||||||||
June-01 | June-01 | 0 | 479 | 790 | 2395 | 790 | Nua Ltd | 1000 | 03107 | 355 | 38061 | June-01 | 18231219 | December-04 | 817 | 50103431261 | December-04 | 61275 | 40934503340285 | December-04 | 7353 | 9 | 61275 | |||||||||||||||||||||||||
August-01 | August-01 | 0 | 513 | 860 | 2565 | 860 | Nua Ltd | 1100 | 03361 | 396 | 44221 | August-01 | 22685373 | December-05 | 1018 | 56216049875 | December-05 | 8144 | 57227938772657 | December-05 | 9467 | 93 | 8144 | |||||||||||||||||||||||||
April-02 | April-02 | 0 | 558 | 860 | 2790 | 860 | Internet World Stats | 1200 | 03614 | 417 | 47284 | April-02 | 26384472 | December-06 | 1093 | 6307440796 | December-06 | 9291 | 68940327899894 | December-06 | 10602 | 97 | 9291 | |||||||||||||||||||||||||
July-02 | July-02 | 0 | 569 | 910 | 2845 | 910 | Internet World Stats | 1300 | 03866 | 437 | 50334 | July-02 | 28640046 | December-07 | 1319 | 70769485731 | December-07 | 11871 | 93344951678825 | December-07 | 13454 | 102 | 11871 | |||||||||||||||||||||||||
September-02 | September-02 | 0 | 587 | 940 | 2935 | 940 | Internet World Stats | 1400 | 04117 | 458 | 53371 | September-02 | 31328777 | December-08 | 1574 | 7940336299 | December-08 | 14953 | 124980893346059 | December-08 | 16527 | 105 | 14953 | |||||||||||||||||||||||||
March-03 | March-03 | 0 | 608 | 970 | 3040 | 970 | Internet World Stats | 1500 | 04366 | 478 | 56394 | March-03 | 34287552 | December-09 | 1802 | 89090573275 | December-09 | 18020 | 160541213040896 | December-09 | 19462 | 108 | 18020 | |||||||||||||||||||||||||
September-03 | September-03 | 0 | 677 | 1060 | 3385 | 1060 | Internet World Stats | 1600 | 04614 | 498 | 59401 | September-03 | 40214477 | December-10 | 1971 | 99959623214 | December-10 | 20696 | 197020417355075 | December-10 | 21681 | 11 | 20696 | |||||||||||||||||||||||||
October-03 | October-03 | 0 | 682 | 1070 | 3410 | 1070 | Internet World Stats | 1700 | 0486 | 518 | 62392 | October-03 | 42551344 | |||||||||||||||||||||||||||||||||||
December-03 | December-03 | 0 | 719 | 1110 | 3595 | 1110 | Internet World Stats | 1800 | 02852 | 538 | 65365 | December-03 | 46997435 | |||||||||||||||||||||||||||||||||||
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Pebbling Example

DAG on the nodes 1, 2, 3, 4, 5 (edges as drawn on the slide). One pebbling:
$P_1 = \{1\}$, $P_2 = \{1, 2\}$, $P_3 = \{3\}$, $P_4 = \{3, 4\}$, $P_5 = \{5\}$

Pebbling Example (CC)

$\mathrm{CC}(G) \le \sum_{i=1}^{5} |P_i| = 1 + 2 + 1 + 2 + 1 = 7$
Measuring Cost

• Cumulative Complexity (CC)
$\mathrm{CC}(G) = \min_{P} \sum_{i=1}^{t_P} |P_i|$
(minimum over all legal pebblings $P = (P_1, \ldots, P_{t_P})$ of $G$)
• Amortization [AS15]: $\mathrm{CC}(G \cup G) = 2 \times \mathrm{CC}(G)$ (two disjoint copies of $G$ cost twice as much as one)
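The pebbling rule, the CC measure and the naïve algorithm above, as an added worked example (this is not code from the slides). The edge set of the five-node DAG is an assumption: the slide only draws the nodes, and this indegree-2 graph is one on which the slide's sequence $P_1, \ldots, P_5$ is a legal pebbling. The ER formula is likewise an assumption about how the slide's core-memory ratio $R$ enters the energy cost.

```python
# Graph pebbling as used on the slides: a DAG on nodes 1..n (node numbers are a
# topological order), a pebbling is a sequence of configurations P_1, ..., P_t,
# and CC is the total number of pebbles summed over all rounds.

# Assumption: the slide only draws the nodes 1..5.  This indegree-2 edge set is
# one on which the slide's sequence P_1..P_5 below is a legal pebbling.
EXAMPLE_PARENTS = {1: [], 2: [1], 3: [1, 2], 4: [3], 5: [3, 4]}
EXAMPLE_PEBBLING = [{1}, {1, 2}, {3}, {3, 4}, {5}]


def is_legal_pebbling(parents, steps):
    """Parallel pebbling rule: a pebble may be placed on v in round i only if every
    parent of v holds a pebble in round i-1 (with P_0 = {}); pebbles may be removed
    at any time; the final configuration must contain every sink."""
    sinks = set(parents) - {p for ps in parents.values() for p in ps}
    prev = set()
    for cur in steps:
        for v in cur - prev:                      # pebbles placed in this round
            if any(p not in prev for p in parents[v]):
                return False
        prev = cur
    return sinks <= prev


def cumulative_cost(steps):
    """CC of one pebbling: sum over rounds of the number of pebbles (memory x time)."""
    return sum(len(cur) for cur in steps)


def energy_cost(steps, core_memory_ratio):
    """ER as it enters the quality measure.  Assumption: the slide's R is the cost
    of one pebble placement (one hash evaluation) relative to holding one pebble
    for one round, so ER = R * placements + CC."""
    placements, prev = 0, set()
    for cur in steps:
        placements += len(cur - prev)
        prev = cur
    return core_memory_ratio * placements + cumulative_cost(steps)


def naive_pebbling(parents):
    """The naive sequential algorithm: one new pebble per round in topological
    order, never discarding, so pebbling n nodes costs CC = n(n+1)/2."""
    steps, held = [], set()
    for v in sorted(parents):
        held = held | {v}
        steps.append(held)
    return steps


if __name__ == "__main__":
    print("legal:", is_legal_pebbling(EXAMPLE_PARENTS, EXAMPLE_PEBBLING))
    print("CC of the slide's pebbling:", cumulative_cost(EXAMPLE_PEBBLING))
    print("CC of the naive pebbling:", cumulative_cost(naive_pebbling(EXAMPLE_PARENTS)))
```

The slide's pebbling discards 1 and 2 as soon as 3 is pebbled and costs 7; the naïve never-discard pebbling of the same graph costs $1+2+3+4+5 = 15$, which is the $n(n+1)/2$ term behind $\mathrm{ER}(\text{Naïve}) = \Theta(Rn + n^2)$.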
Pebbling Equivalence
Theorem [AS15] (Informal): High pebbling complexity of $G$ implies high amortized memory complexity for the iMHF $f_{G,H}$.
Implication: the structure of the graph $G$ is key to iMHF security.
Desiderata
Find a DAG $G$ on $n$ nodes such that
1. Constant indegree ($\delta = 2$)
2. $\mathrm{CC}(G) \ge n^2/\tau$ for some small value $\tau$
Maximize costs for fixed $n$ (users are impatient)
Naïve Pebbling Algorithms

• Sequential algorithm (naïve)
  • Constraint: one new pebble per round
  • Every iMHF is defined via its naïve algorithm
• Example: naïve (pebble in topological order)
  • Never discard pebbles
  • Time: $n$
  • Average pebbles: $n/2$
  • $\mathrm{ER}(\text{Naïve}) = \Theta(Rn + n^2)$
Amortized Attack Quality

$\mathrm{Quality}_R(A) = \dfrac{\mathrm{ER}(\text{Naïve})}{\mathrm{ER}(A)} \times \#\mathrm{inst}(A)$

Example: algorithm $A$ evaluates 5 iMHF instances with total cost $\mathrm{ER}(A) = 100$, and $\mathrm{ER}(\text{Naïve}) = 40$ per instance:
$\mathrm{Quality}_R(A) = \dfrac{40}{100} \times 5 = 2$
Desiderata (c-Ideal iMHF)

Find a DAG $G$ and a sequential pebbling algorithm $N$ with
1. Constant indegree ($\delta = 2$)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary $A$ ($c$ small)
3. $\mathrm{ER}(\text{Naïve}) \ge n^2/\tau + Rn$ for some small value $\tau$; for a $c$-ideal iMHF, $\tau = O(1)$

Memory costs should dominate. Maximize costs for fixed $n$ (users are impatient).
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General attack on non-depth-robust DAGs
  • Existing iMHFs are not depth robust
  • Ideal iMHFs don't exist
• Subsequent Results (Depth-Robustness is Sufficient)
• Open Questions
Depth-Robustness: The Key Property

Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Depth Robustness

Definition: A DAG $G = (V, E)$ is $(e, d)$-reducible if there exists $S \subseteq V$ s.t. $|S| \le e$ and $\mathrm{depth}(G - S) \le d$.
Otherwise we say that $G$ is $(e, d)$-depth robust.

Example: the five-node DAG 1, 2, 3, 4, 5 drawn on the slide is $(1, 2)$-reducible.
Attacking (e,d)-reducible DAGs

• Input: $S$ with $|S| \le e$ such that $\mathrm{depth}(G - S) = d$, and a chunk length $g > d$
• Light Phase ($g$ rounds): discard most pebbles
  • Goal: pebble the next $g$ nodes in $g$ (sequential) steps
  • Low memory (only keep pebbles on $S$ and on parents of new nodes)
  • Lasts a "long" time
• Balloon Phase ($d$ rounds): greedily recover missing pebbles
  • Goal: recover the pebbles needed for the upcoming light phase
  • Expensive but quick (at most $d$ steps in parallel)
Theorem (Depth-Robustness is a necessary condition): If $G$ is not $(e, d)$-depth robust, i.e. $G$ is $(e, d)$-reducible, then $\mathrm{CC}(G) = O\!\left(e n + \sqrt{n^3 d}\right)$. In particular $\mathrm{CC}(G) = o(n^2)$ whenever $e d = o(n)$.
Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs? Answer: No.

• Catena [FLW15] is $(e, O(n/e))$-reducible: $\mathrm{CC} = O(n^{1.62})$
• Balloon Hashing and Argon2i (old version) are $(e, O(n^2/e^2))$-reducible: $\mathrm{CC} = O(n^{1.71})$
• Argon2i (latest version) is $(e, O(n^3/e^3))$-reducible: $\mathrm{CC} = O(n^{1.77})$
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]

• Argon2: winner of the Password Hashing Competition (2015)
• The authors recommend the Argon2i variant (data-independent) for password hashing
Argon2i

Nodes $1, 2, 3, 4, \ldots, i, \ldots, n$; node $i$ has the chain parent $i - 1$ and a random predecessor $r(i) < i$.
Indegree $\delta = 2$
Argon2i: Reducing depth to $\sqrt{n}$

Split the nodes $1, 2, 3, \ldots, n^{3/4}, \ldots, 2n^{3/4}, \ldots, n$ into consecutive layers of $n^{3/4}$ nodes each: Layer 0, Layer 1, …, Layer $\sqrt[4]{n}$.

Definition: $S_2 = \{v_i : v_{r(i)} \text{ and } v_i \text{ lie in the same layer}\}$
Claim: $S_2$ is small.
Fact: it is easy to reduce the depth of a path.

Argon2i is a layered DAG (almost)

After removing $S_2$, every remaining random edge leads from one layer into a strictly later one. Let $S = S_1 \cup S_2$.
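The layered depth-reducing set above and the light/balloon attack of the previous section, as an added simulation; this is not code from the slides or from the Argon2 project, and it goes beyond the slide by actually executing the attack as a parallel pebbling and checking every move against the pebbling rule. Assumptions: the random predecessor $r(i)$ is uniform over $\{1, \ldots, i-1\}$ (the slide's model; real Argon2i's indexing function favours recent blocks); $S_1$, which the slide does not define, is taken to be every $\sqrt[4]{n}$-th node of the chain; the light-phase chunk length is $g = n/4$; all function and parameter names are mine.

```python
import random
from collections import Counter


def argon2i_like_parents(n, seed=1):
    """Single-pass Argon2i-style DAG on nodes 1..n as drawn on the slide: node i has
    the chain parent i-1 and a random predecessor r(i) < i (uniform here; real
    Argon2i favours recent blocks).  Node numbers are a topological order."""
    rng = random.Random(seed)
    parents = {1: []}
    for i in range(2, n + 1):
        r = rng.randint(1, i - 1)
        parents[i] = [i - 1] if r == i - 1 else [i - 1, r]
    return parents


def depth_in_nodes(parents, removed=frozenset()):
    """Number of nodes on a longest path of G - removed (0 for the empty graph)."""
    longest = {}
    for v in sorted(parents):
        if v not in removed:
            longest[v] = 1 + max((longest[p] for p in parents[v] if p not in removed), default=0)
    return max(longest.values(), default=0)


def layered_depth_reducing_set(parents, layer_size, chain_gap):
    """S = S1 ∪ S2.  S2 is the slide's definition: nodes whose random predecessor
    lies in the same layer of `layer_size` consecutive nodes.  S1 is an assumption
    (the page does not define it): every `chain_gap`-th node of the chain.  In
    G - S every chain run has fewer than `chain_gap` nodes and every surviving
    random edge moves to a strictly later layer, so depth(G - S) <= layers*(chain_gap-1)."""
    layer = lambda v: (v - 1) // layer_size
    s2 = {v for v, ps in parents.items() if len(ps) == 2 and layer(ps[1]) == layer(v)}
    s1 = {v for v in parents if v % chain_gap == 0}
    return frozenset(s1 | s2)


def light_balloon_attack(parents, s, g):
    """The slide's attack as an explicit parallel pebbling over chunks of g nodes.
    Balloon phase: re-pebble, in parallel rounds, the unpebbled G - S ancestors of
    the chunk's earlier parents (at most depth(G - S) rounds).  Light phase: one
    new pebble per round, keeping only pebbles on S, on parents still needed inside
    the chunk, and on the sink n.  Every placement is checked against the pebbling
    rule.  Returns (cumulative cost, number of rounds)."""
    n = len(parents)
    pebbled, cost, rounds = set(), 0, 0
    for start in range(1, n + 1, g):
        chunk = range(start, min(start + g, n + 1))
        needed = {p for v in chunk for p in parents[v] if p < start}
        todo, stack = set(), [v for v in needed if v not in pebbled]
        while stack:                          # ancestors of `needed` lacking a pebble
            v = stack.pop()
            if v not in todo:
                todo.add(v)
                stack += [p for p in parents[v] if p not in pebbled and p not in todo]
        while todo:                           # balloon rounds
            ready = {v for v in todo if all(p in pebbled for p in parents[v])}
            assert ready, "recovery stalled: S does not reduce the depth"
            pebbled |= ready
            todo -= ready
            cost += len(pebbled)
            rounds += 1
        pebbled &= s | needed                 # drop the scaffolding, keep S and the parents
        demand = Counter(p for v in chunk for p in parents[v])
        for v in chunk:                       # light rounds
            assert all(p in pebbled for p in parents[v]), "illegal pebbling move"
            pebbled.add(v)
            for p in parents[v]:
                demand[p] -= 1
            for u in parents[v] + [v]:        # discard what no later chunk node needs
                if demand[u] == 0 and u not in s and u != n:
                    pebbled.discard(u)
            cost += len(pebbled)
            rounds += 1
    assert n in pebbled
    return cost, rounds


def naive_cc(n):
    """Naive sequential pebbling (topological order, never discard): sum of 1..n."""
    return n * (n + 1) // 2


def demo(n=4096, seed=1):
    """Slide parameters: n^{1/4} layers of n^{3/4} nodes, chain cut every n^{1/4}-th node."""
    parents = argon2i_like_parents(n, seed)
    layers = round(n ** 0.25)
    s = layered_depth_reducing_set(parents, n // layers, layers)
    cc, rounds = light_balloon_attack(parents, s, g=n // 4)
    return {"n": n, "e": len(s), "depth_G": depth_in_nodes(parents),
            "depth_G_minus_S": depth_in_nodes(parents, s),
            "depth_bound": layers * (layers - 1), "attack_cc": cc,
            "attack_rounds": rounds, "naive_cc": naive_cc(n)}


if __name__ == "__main__":
    print(demo())
```

For $n = 4096$ the chain alone gives $\mathrm{depth}(G) = n$, while $G - S$ has depth at most $8 \cdot 7 = 56$ with $|S|$ well under $n/2$, and the resulting pebbling (every move checked) costs less than the naïve $n(n+1)/2$. The asymptotic gain of the slide's $(e, O(n^2/e^2))$ bound only shows at much larger $n$; at this size most of the attacker's cost is simply holding the pebbles on $S$.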
Attack Simulation [AB16b]

The attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line in the plot).
Pessimistic Argon2i-B parameters: a parameter setting that could easily be chosen when following the Argon2i-B guidelines.
Ideal iMHFs Don't Exist

Thm [AB16]: Any graph $G$ (with constant indegree) is at least somewhat depth-reducible.
Implication: if $\mathrm{CC}(G) = \Omega(n^2)$ there is an attack $A$ with high quality,
$\mathrm{Quality}_R(A) = \Omega\!\left(\dfrac{\log n}{\log \log n}\right)$
But we cannot rule them out in practice: the gain $\log n / \log\log n$ grows very slowly.
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let $G = (V, E)$ be $(e, d)$-depth robust; then $\mathrm{CC}(G) \ge e d$.

Proof: Let $P_1, \ldots, P_t$ denote an (optimal) pebbling of $G$. For $0 \le i < d$ define
$S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$
Every $P_j$ belongs to exactly one $S_i$, so $\sum_i |S_i| \le \sum_j |P_j| = \mathrm{CC}(G)$ and one of the sets $S_i$ has size at most $\mathrm{CC}(G)/d$. Now we claim that $d \ge \mathrm{depth}(G - S_i)$: a path in $G - S_i$ is pebbled node by node, and each node must hold a pebble from the last round at which it was placed before its successor until the round the successor is placed. Chaining these intervals, some node of the path holds a pebble in every round of an interval that contains the placements of all of its nodes; if that interval contained one of the rounds $i, d+i, 2d+i, \ldots$, a path node would lie in $S_i$. Hence the interval has fewer than $d$ rounds and the path has at most $d$ nodes. Thus $G$ is $(\mathrm{CC}(G)/d, d)$-reducible; since $G$ is $(e, d)$-depth robust, $\mathrm{CC}(G)/d > e$, i.e. $\mathrm{CC}(G) \ge e d$.
Depth-Robustness is Sufficient [ABP16]

Implications: there exists a constant-indegree graph $G$ with
$\mathrm{CC}(G) \ge \Omega\!\left(\dfrac{n^2}{\log n}\right)$
Previous best [AS15]: $\Omega\!\left(\dfrac{n^2}{\log^{10} n}\right)$
[AB16]: We cannot do better (in an asymptotic sense)
Summary

• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But it still has its flaws [AB16, AB17]
• Current recommendation: Argon2id
  • Without side-channel attacks: resists known attacks
  • Side-channel attacks reduce its security to that of Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions

• Depth-robustness is necessary and sufficient for secure iMHFs
  • [AB16], [ABP16]
• Big challenge: improved constructions of depth-robust graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening
Passwords vs time: Look how far we've come
(chart annotations: Netscape IPO, Dotcom crash)
Source: Cormac's estimate
"The password is dead"
Alternatives to Passwords

Biometrics
• Challenges: revocation, secrecy

Hardware Tokens
• Challenge: $$$ + more stuff to carry around

Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: multiple passwords
• Graphical passwords: hotspots

Password Managers (Related Work)
• Password management software
• Challenge: single point of failure
References

• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working paper. [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear). [ePrint]
• Efficiently Computing Data-Independent Memory-Hard Functions, with Joel Alwen. CRYPTO 2016. [Full Version]
[Chart data (embedded spreadsheet) for the "Passwords vs time" slide: DATE, NUMBER OF USERS, WORLD POPULATION, INFORMATION SOURCE (IDC, CI Almanac, Nua Ltd, Internet World Stats), accts/yr; December 1990 to September 2010]
Pebbling Example (CC)

(Figure: DAG on nodes 1, 2, 3, 4, 5.)

$P_1 = \{1\},\; P_2 = \{1, 2\},\; P_3 = \{3\},\; P_4 = \{3, 4\},\; P_5 = \{5\}$

$\mathrm{CC}(G) \le \sum_{i=1}^{5} |P_i| = 1 + 2 + 1 + 2 + 1 = 7$
Measuring Cost

• Cumulative Complexity (CC), minimized over all legal pebblings $P = (P_1, \dots, P_{t_P})$:

$\mathrm{CC}(G) = \min_{P} \sum_{i=1}^{t_P} |P_i|$

• Amortization [AS15]: for two disjoint copies of G, $\mathrm{CC}(G \cup G) = 2 \times \mathrm{CC}(G)$
Pebbling Equivalence

Theorem [AS15]: High pebbling complexity of G implies high amortized memory complexity for the iMHF $f_{G,H}$.

Implication: the structure of the graph G is key to iMHF security.
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness: The Key Property

Necessary [AB16] and sufficient [ABP16] for secure iMHFs.
Naïve Pebbling Algorithms

• Sequential algorithm (Naïve)
  • Constraint: one new pebble per round
  • Every iMHF is defined via its naïve algorithm
• Example: Naïve (pebble in topological order)
  • Never discard pebbles
  • Time: n
  • Average pebbles: n/2
  • $\mathrm{ER}(\text{Naïve}) = \Theta(Rn + n^2)$
Amortized Attack Quality

$\mathrm{Quality}_R(A) = \frac{\mathrm{ER}(\text{Naïve}) \times \mathrm{inst}(A)}{\mathrm{ER}(A)}$, where $\mathrm{inst}(A)$ is the number of iMHF instances A evaluates.

Example: Algorithm A evaluates 5 iMHF instances with total cost $\mathrm{ER}(A) = 100$, and $\mathrm{ER}(\text{Naïve}) = 40$:

$\mathrm{Quality}_R(A) = \frac{40}{100} \times 5 = 2$
Desiderata

Find a DAG G and a sequential pebbling algorithm N with
1. Constant indegree ($\delta = 2$)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary A (c small)
3. $\mathrm{ER}(\text{Naïve}) \ge n^2/\tau + Rn$ for some small value $\tau$

Memory costs should dominate. Maximize costs for fixed n (users are impatient).
c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with
1. Constant indegree ($\delta = 2$)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary A (c small)
3. $\mathrm{ER}(\text{Naïve}) \ge n^2/\tau + Rn$ for $\tau = O(1)$
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General attack on non-depth-robust DAGs
  • Existing iMHFs are not depth robust
  • Ideal iMHFs don't exist
• Subsequent Results (depth-robustness is sufficient)
• Open Questions
Depth-Robustness: The Key Property

Necessary [AB16] and sufficient [ABP16] for secure iMHFs.
Depth Robustness

Definition: A DAG $G = (V, E)$ is $(e, d)$-reducible if there exists $S \subseteq V$ s.t. $|S| \le e$ and $\mathrm{depth}(G - S) \le d$. Otherwise we say that G is $(e, d)$-depth robust.

Example (figure: DAG on nodes 1, 2, 3, 4, 5): $(1, 2)$-reducible.
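The definitions above, worked on the slides' 5-node example as an added illustration (not code from the lecture): a legality check for parallel pebblings, the cumulative cost of the slide's pebbling (7) against the naive never-discard pebbling (15), and a brute-force search for a reducing set, which finds S = {3} for (e, d) = (1, 2) and none for (1, 1). The edge set of the 5-node DAG is an assumption, reconstructed so that the slide's pebbling is legal; node labels are taken to be a topological order.

```python
"""Graph-pebbling toolkit for the slides' 5-node example: checks a parallel
pebbling for legality, computes its cumulative cost, compares it with the
naive (never-discard) sequential pebbling, and tests (e, d)-reducibility by
brute force.  Added example, not code from the lecture.  The edge set below
is an assumption: an indegree-2 DAG on which the slide's P1..P5 is legal."""
from itertools import combinations

# Constructed DAG (assumption): parents[v] lists the in-neighbours of v.
EXAMPLE_PARENTS = {1: [], 2: [1], 3: [1, 2], 4: [3], 5: [3, 4]}
SLIDE_PEBBLING = [{1}, {1, 2}, {3}, {3, 4}, {5}]      # the slide's P1..P5


def is_legal_pebbling(parents, pebbling):
    """Parallel pebbling rule: a pebble may be placed on v in round i only
    if every parent of v held a pebble in round i-1; any pebble may be
    removed at any time.  Also requires every sink to be pebbled at the end."""
    prev = set()
    for P in pebbling:
        for v in P - prev:                     # pebbles newly placed this round
            if not set(parents[v]) <= prev:
                return False
        prev = set(P)
    sinks = set(parents) - {p for ps in parents.values() for p in ps}
    return sinks <= prev


def cumulative_cost(pebbling):
    """CC of one pebbling: total number of pebbles summed over all rounds."""
    return sum(len(P) for P in pebbling)


def naive_pebbling(parents):
    """The naive sequential algorithm: one new pebble per round in
    topological (here numeric) order, never discarding anything."""
    order = sorted(parents)
    return [set(order[:i + 1]) for i in range(len(order))]


def depth(parents, removed=frozenset()):
    """Longest path of G - removed, counted in nodes (labels are topological)."""
    longest = {}
    for v in sorted(parents):
        if v not in removed:
            longest[v] = 1 + max((longest[p] for p in parents[v] if p in longest),
                                 default=0)
    return max(longest.values(), default=0)


def reducing_set(parents, e, d):
    """Smallest S with |S| <= e and depth(G - S) <= d, or None when G is
    (e, d)-depth robust.  Exhaustive search: fine for toy graphs only."""
    nodes = sorted(parents)
    for size in range(e + 1):
        for S in combinations(nodes, size):
            if depth(parents, frozenset(S)) <= d:
                return set(S)
    return None


if __name__ == "__main__":
    print("slide pebbling legal:", is_legal_pebbling(EXAMPLE_PARENTS, SLIDE_PEBBLING))
    print("CC of slide pebbling:", cumulative_cost(SLIDE_PEBBLING))
    print("CC of naive pebbling:", cumulative_cost(naive_pebbling(EXAMPLE_PARENTS)))
    print("(1,2)-reducing set:", reducing_set(EXAMPLE_PARENTS, 1, 2))
    print("(1,1)-reducing set:", reducing_set(EXAMPLE_PARENTS, 1, 1))
```

The brute-force search is exponential in the number of nodes and is only meant to make the definition concrete on a toy graph; for real candidate DAGs one needs a constructive reducing set, as the Argon2i analysis later in the slides does.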
Attacking (e, d)-reducible DAGs

• Input: a set S with $|S| \le e$ such that $\mathrm{depth}(G - S) = d$, and a block length $g > d$
• Light Phase (g rounds): discard most pebbles
  • Goal: pebble the next g nodes in g (sequential) steps
  • Low memory (only keep pebbles on S and on parents of new nodes)
  • Lasts a "long" time
• Balloon Phase (d rounds): greedily recover missing pebbles
  • Goal: recover the pebbles needed for the upcoming light phase
  • Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition): If G is not $(e, d)$-depth robust then $\mathrm{CC}(G) = O\!\left(en + \sqrt{n^3 d}\right)$. In particular, $\mathrm{CC}(G) = o(n^2)$ for $e, d = o(n)$.
Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs?

Answer: No.

• Catena [FLW15] is $(e, O(n/e))$-reducible: $\mathrm{CC} = O(n^{1.62})$
• Balloon Hashing and Argon2i (old version) are $(e, O(n^2/e^2))$-reducible: $\mathrm{CC} = O(n^{1.71})$
• Argon2i (latest version) is $(e, O(n^3/e^3))$-reducible: $\mathrm{CC} = O(n^{1.77})$
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]

• Argon2: winner of the Password Hashing Competition [2015]
• The authors recommend the Argon2i variant (data-independent) for password hashing

Argon2i (figure: nodes 1, 2, 3, 4, …, i, …, n)

• Node i has a random predecessor $r(i) < i$ as a parent
• Indegree $\delta = 2$
Argon2i: Reducing depth to $\sqrt{n}$

(Figure: the nodes 1, 2, 3, …, n split into layers of $n^{3/4}$ consecutive nodes: Layer 0 ends at node $n^{3/4}$, Layer 1 at $2n^{3/4}$, …, the last of the $\sqrt[4]{n}$ layers at node n.)

Definition: $S_2 = \{v_i : v_{r(i)} \text{ and } v_i \text{ are in the same layer}\}$

Claim: $S_2$ is small.

Fact: Easy to reduce the depth of a path.
Argon2i is a layered DAG (almost)

(Figure: the same layering, Layers 0, 1, …, $\sqrt[4]{n}$.) Let $S = S_1 \cup S_2$.
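An added simulation (not the authors' code) of the light/balloon strategy described under "Attacking (e, d)-reducible DAGs", run on a toy version of the Argon2i DAG with the layered set $S = S_1 \cup S_2$ from the slides above. Assumptions: nodes are 0-indexed in topological order; the toy DAG picks r(i) uniformly from [0, i) (the real Argon2i index mapping is non-uniform); $S_1$, which the slides use but do not define here, is taken to be every stride-th node so that the chain i-1 -> i is cut; $S_2$ is exactly the slides' definition. The simulation records every round's pebble set so that an independent checker can verify the pebbling rule, and returns the upper bound n(e + 2g + 1) + ceil(n/g)·d·n that the theorem's $O(en + \sqrt{n^3 d})$ comes from once g is balanced. At this toy size (n = 512) the strategy need not undercut the naive cost n(n+1)/2; the theorem's advantage is asymptotic.

```python
"""Light-phase / balloon-phase pebbling of an (e, d)-reducible DAG, run on
a toy Argon2i-like DAG with the layered cut S = S1 u S2 of the slides.
Added example, not the authors' code.  Assumptions: nodes 0..n-1 are in
topological order; r(i) is uniform on [0, i) (real Argon2i is non-uniform);
S1 = every `stride`-th node (cuts the chain i-1 -> i; the slides use S1
without defining it here); S2 = nodes whose random parent lies in their
own layer, as defined on the slides."""
import random


def argon2i_like_dag(n, seed=0):
    """parents[i] = {i-1, r(i)} with r(i) < i uniform: constructed toy model."""
    rng = random.Random(seed)
    parents = [[] for _ in range(n)]
    for i in range(1, n):
        parents[i] = sorted({i - 1, rng.randrange(i)})
    return parents


def depth(parents, removed):
    """Longest path of G - removed, counted in nodes."""
    longest = [0] * len(parents)
    for v in range(len(parents)):
        if v not in removed:
            longest[v] = 1 + max((longest[p] for p in parents[v]
                                  if p not in removed), default=0)
    return max(longest, default=0)


def layered_cut(parents, layer_size, stride):
    """S = S1 u S2.  After removing S, chain edges stay inside a layer and
    every surviving random edge jumps to a strictly later layer, so a path
    visits each layer once, along at most stride-1 chain nodes."""
    S = set()
    for i, ps in enumerate(parents):
        if i % stride == 0:                                   # S1
            S.add(i)
        if any(p != i - 1 and p // layer_size == i // layer_size for p in ps):
            S.add(i)                                          # S2
    return S


def light_balloon_pebbling(parents, S, g):
    """Return (rounds, balloon_steps): rounds[t] is the pebble set P_t,
    balloon_steps[b] the number of parallel recovery rounds before block b."""
    n, target = len(parents), len(parents) - 1
    pebbled, rounds, balloon_steps = set(), [], []
    for start in range(0, n, g):
        block = list(range(start, min(start + g, n)))
        # Balloon phase: re-pebble everything below the block in parallel.
        # S is never discarded, so this takes at most depth(G - S) rounds.
        needed = {p for v in block for p in parents[v] if p < start}
        steps = 0
        while not needed <= pebbled:
            fresh = {v for v in range(start) if v not in pebbled
                     and all(p in pebbled for p in parents[v])}
            if not fresh:
                raise RuntimeError("no pebblable node: should not happen")
            pebbled |= fresh
            rounds.append(set(pebbled))
            steps += 1
        balloon_steps.append(steps)
        # Light phase: one new pebble per round; keep only S, parents still
        # needed inside this block, the node just pebbled, and the target.
        for idx, v in enumerate(block):
            if not all(p in pebbled for p in parents[v]):
                raise RuntimeError(f"illegal move at node {v}")
            pebbled.add(v)
            keep = {p for w in block[idx + 1:] for p in parents[w]}
            pebbled = {u for u in pebbled
                       if u in S or u in keep or u == v or u == target}
            rounds.append(set(pebbled))
    return rounds, balloon_steps


def is_legal(parents, rounds):
    """Independent check of the parallel pebbling rule; target must end pebbled."""
    prev = set()
    for P in rounds:
        if any(not set(parents[v]) <= prev for v in P - prev):
            return False
        prev = P
    return len(parents) - 1 in prev


def cost(rounds):
    return sum(len(P) for P in rounds)


def naive_cost(n):
    """Never-discard sequential pebbling: 1 + 2 + ... + n."""
    return n * (n + 1) // 2


def cost_bound(n, e, d, g):
    """Bound on the simulation: n light rounds of <= e + 2g + 1 pebbles,
    plus <= d balloon rounds of <= n pebbles for each of ceil(n/g) blocks.
    This is the en + n*g + n^2 d/g shape that balances to O(en + sqrt(n^3 d))."""
    return n * (e + 2 * g + 1) + -(-n // g) * d * n


def demo(n=512, layer_size=64, stride=8, seed=1):
    parents = argon2i_like_dag(n, seed)
    S = layered_cut(parents, layer_size, stride)
    d = depth(parents, S)
    g = 2 * d + 1                                # any g > d works
    rounds, balloon = light_balloon_pebbling(parents, S, g)
    return {"n": n, "e": len(S), "d": d, "g": g,
            "legal": is_legal(parents, rounds), "cost": cost(rounds),
            "naive": naive_cost(n), "bound": cost_bound(n, len(S), d, g),
            "balloon_steps": balloon}


if __name__ == "__main__":
    print(demo())
```

For this choice of S, depth(G - S) is at most (stride - 1) times the number of layers: a random edge whose endpoints share a layer is removed together with its head, chain edges never cross a layer boundary (boundaries are multiples of stride and so lie in $S_1$), hence a surviving path passes through each layer at most once and uses at most stride - 1 chain nodes there. With n = 512, layer_size = 64 and stride = 8 that is 56, which is what the demo's g > d relies on.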
Attack Simulation [AB16b]

The attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line).

Pessimistic Argon2i-B parameter: a parameter setting that could easily be chosen when following the Argon2i-B guidelines.
Ideal iMHFs Don't Exist

Thm [AB16]: Any graph G (with constant in-degree) is at least somewhat depth-reducible.

Implication: If $\mathrm{CC}(G) = \Omega(n^2)$ there is an attack A with high quality:

$\mathrm{Quality}_R(A) = \Omega\!\left(\frac{\log n}{\log \log n}\right)$

But we cannot rule them out in practice.
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (new)
  • Depth-robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let $G = (V, E)$ be $(e, d)$-depth robust; then $\mathrm{CC}(G) \ge ed$.

Proof: Let $P_1, \dots, P_t$ denote an (optimal) pebbling of G. For $0 < i < d$ define

$S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$

One of the sets $S_i$ has size at most $\mathrm{CC}(G)/d$. Now we claim that $d \ge \mathrm{depth}(G - S_i)$, because any path in $G - S_i$ must have been completely pebbled at some point; thus it must have been pebbled entirely during some interval of length d. Thus G is $(\mathrm{CC}(G)/d,\, d)$-reducible. It follows that $\mathrm{CC}(G) \ge ed$.
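The proof above, carried out concretely as an added example (not code from the lecture): given any legal pebbling and any d, form the residue classes $S_i$ (indexed 1..d here so that every round falls in exactly one class), take the smallest one, and check the two facts the proof relies on, $|S_i| \le \mathrm{CC}/d$ and $\mathrm{depth}(G - S_i) \le d$. On the slides' 5-node pebbling with d = 3 the smallest class is $S_3 = P_3 = \{3\}$, which recovers the (1, 2)-reducible example. The 5-node DAG's edges are an assumption, and the check assumes a single sink so that every node is pebbled at some round.

```python
"""Worked instance of the [ABP16] argument that (e, d)-depth robustness
forces CC(G) >= e*d.  From any legal pebbling P_1..P_t and any d, the
residue classes S_i = P_i u P_{i+d} u P_{i+2d} u ... (i = 1..d here, so
every round falls in exactly one class) have sizes summing to CC, so the
smallest has |S_i| <= CC/d; and every path of G - S_i is pebbled inside a
window of fewer than d consecutive rounds, so depth(G - S_i) <= d.
Added example, not code from the lecture; the 5-node DAG's edges are an
assumption, and a single sink is assumed so that every node gets pebbled."""

EXAMPLE_PARENTS = {1: [], 2: [1], 3: [1, 2], 4: [3], 5: [3, 4]}   # assumption
SLIDE_PEBBLING = [{1}, {1, 2}, {3}, {3, 4}, {5}]                    # CC = 7
NAIVE_PEBBLING = [{1}, {1, 2}, {1, 2, 3}, {1, 2, 3, 4}, {1, 2, 3, 4, 5}]  # CC = 15


def depth(parents, removed=frozenset()):
    """Longest path of G - removed, counted in nodes (labels are topological)."""
    longest = {}
    for v in sorted(parents):
        if v not in removed:
            longest[v] = 1 + max((longest[p] for p in parents[v] if p in longest),
                                 default=0)
    return max(longest.values(), default=0)


def residue_sets(pebbling, d):
    """S_i = union of P_j over rounds j = i, i+d, i+2d, ... for i = 1..d."""
    return [set().union(*pebbling[i - 1::d]) for i in range(1, d + 1)]


def reducibility_witness(parents, pebbling, d):
    """Pick the smallest residue class S and report the two facts the proof
    needs: |S| <= CC/d and depth(G - S) <= d, i.e. G is (|S|, d)-reducible."""
    cc = sum(len(P) for P in pebbling)
    S = min(residue_sets(pebbling, d), key=len)
    return {"S": S, "e": len(S), "cc": cc,
            "size_ok": len(S) <= cc / d,
            "depth": depth(parents, frozenset(S)),
            "depth_ok": depth(parents, frozenset(S)) <= d}


if __name__ == "__main__":
    for d in (2, 3):
        print(d, reducibility_witness(EXAMPLE_PARENTS, SLIDE_PEBBLING, d))
    print(3, reducibility_witness(EXAMPLE_PARENTS, NAIVE_PEBBLING, 3))
```

Read the other way round, this is the contrapositive the Key Theorem states: if no set of size at most CC/d can bring the depth down to d, i.e. G is (CC/d, d)-depth robust, the pebbling could not have existed with that cost, so every pebbling costs at least e·d.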
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let $G = (V, E)$ be $(e, d)$-depth robust; then $\mathrm{CC}(G) \ge ed$.

Implications: There exists a constant-indegree graph G with

$\mathrm{CC}(G) \ge \Omega\!\left(\frac{n^2}{\log n}\right)$

Previous best [AS15]: $\Omega\!\left(\frac{n^2}{\log^{10} n}\right)$

[AB16]: We cannot do better (in an asymptotic sense).
Summary

• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But it still has its flaws [AB16, AB17]
• Current recommendation: Argon2id
  • Without side-channel attacks it resists all known attacks
  • Side-channel attacks reduce its security to that of Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

• Depth-robustness is a necessary and sufficient condition for secure iMHFs [AB16, ABP16]
• Big challenge: improved constructions of depth-robust graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening

Passwords vs time: Look how far we've come

(Chart; annotations: Netscape IPO, Dotcom crash, "The password is dead". Source: Cormac's estimate.)

Biometrics

• Alternatives to passwords
• Challenges: revocation, secrecy

Hardware Tokens

• Alternatives to passwords
• Challenge: $$$ + more stuff to carry around

Graphical Passwords

• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: multiple passwords

Graphical Passwords: Hotspots

(Figure.)

Password Managers

• Password management software
• Challenge: single point of failure
References

• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working paper. [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear). [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016. [Full Version]
(Embedded spreadsheet residue: internet users by date, December-90 to September-10, against world population, with an information-source column (IDC, CI Almanac, Nua Ltd, Internet World Stats) and an accts/yr column.)
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Measuring Cost
• Cumulative Complexity (CC): CC(G) = min over legal pebblings P of Σ_{i=1}^{t_P} |P_i|
• Amortization [AS15]: pebbling two disjoint copies of G costs 2 × CC(G)
Pebbling Example (CC)
Graph: nodes 1 2 3 4 5 (edges as drawn on the slide)
P1 = {1}, P2 = {1,2}, P3 = {3}, P4 = {3,4}, P5 = {5}
CC(G) ≤ Σ_{i=1}^{5} |P_i| = 1 + 2 + 1 + 2 + 1 = 7
Pebbling Equivalence
Theorem [AS15] (informal): High pebbling complexity of G implies high amortized memory complexity for the iMHF f_{G,H}.
Implication: the structure of the graph G is key to iMHF security.
Desiderata
Find a DAG G on n nodes such that
1. Constant indegree (δ = 2)
2. CC(G) ≥ n²/τ for some small value τ
Maximize costs for fixed n (users are impatient).
Depth-Robustness: The Key Property
Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Naïve Pebbling Algorithms
• Sequential Algorithm (Naïve)
  • Constraint: one new pebble per round
  • Every iMHF is defined via its naïve algorithm
• Example: Naïve (pebble in topological order)
  • Never discard pebbles
  • Time: n
  • Average pebbles: n/2
  • ER(Naïve) = θ(Rn + n²)
Amortized Attack Quality
Quality_R(A) = (ER(Naïve) / ER(A)) × #inst(A), where #inst(A) is the number of iMHF instances A evaluates
Example: algorithm A evaluates 5 iMHF instances with total cost ER(A) = 100, and ER(Naïve) = 40
Quality_R(A) = (40 / 100) × 5 = 2
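To make the cumulative-complexity bookkeeping of the last few slides concrete, here is an added Python example (it is not code from the slides or from the authors' papers). It encodes a constructed 5-node DAG, the slide's pebbling P1..P5, a legality check for the parallel pebbling rules, the naïve sequential pebbling, an exact CC(G) search for tiny graphs, and the ER/Quality arithmetic. The edge set of the 5-node graph, the ER cost model (R per hash computation, 1 per pebble per round) and all function names are assumptions of this example.

```python
import heapq
import itertools

# Constructed 5-node DAG standing in for the slide's figure (assumption: the slide does
# not list its edges; this graph is the path 1->2->3->4->5 plus edges 1->3 and 3->5,
# which makes the slide's pebbling sequence legal). Node ids are in topological order
# and dag[v] is the tuple of parents of v.
EXAMPLE_DAG = {1: (), 2: (1,), 3: (1, 2), 4: (3,), 5: (3, 4)}

# The pebbling from the slide: P1={1}, P2={1,2}, P3={3}, P4={3,4}, P5={5}.
EXAMPLE_PEBBLING = [{1}, {1, 2}, {3}, {3, 4}, {5}]


def is_legal_pebbling(dag, pebbling):
    """Parallel pebbling rules: a pebble may be placed on v only if every parent of v
    held a pebble in the previous round; pebbles may be removed at any time; the sink
    (largest node id) must carry a pebble in the final round."""
    prev = set()
    for cur in pebbling:
        for v in cur - prev:                      # newly placed pebbles this round
            if not set(dag[v]) <= prev:
                return False
        prev = cur
    return max(dag) in prev


def cumulative_cost(pebbling):
    """Sum_i |P_i|: the cumulative cost of one particular pebbling."""
    return sum(len(p) for p in pebbling)


def naive_pebbling(dag):
    """Sequential naive algorithm: pebble nodes in topological order, one per round,
    never discarding. Time n, average pebbles n/2, total cost n(n+1)/2."""
    steps, held = [], set()
    for v in sorted(dag):
        held = held | {v}                         # fresh set per round
        steps.append(held)
    return steps


def energy_cost(pebbling, r):
    """ER cost model (assumption of this example): each newly placed pebble costs R
    (one hash computation) and each pebble kept for one round costs 1. For the naive
    pebbling this gives R*n + n(n+1)/2, i.e. theta(Rn + n^2) as on the slide."""
    prev, cost = set(), 0
    for cur in pebbling:
        cost += r * len(cur - prev) + len(cur)
        prev = cur
    return cost


def attack_quality(er_naive, er_attack, instances):
    """Quality_R(A) = ER(Naive) / ER(A) x (number of instances A evaluates)."""
    return er_naive / er_attack * instances


def cumulative_complexity(dag):
    """Exact CC(G) for a tiny DAG: Dijkstra over pebble configurations, where moving to
    configuration P costs |P| and is legal only if every new pebble's parents are all
    present in the current configuration. Returns the minimum total cost to pebble the sink."""
    nodes = sorted(dag)
    sink = max(nodes)
    confs = [frozenset(c) for k in range(len(nodes) + 1)
             for c in itertools.combinations(nodes, k)]
    best = {frozenset(): 0}
    heap = [(0, ())]                              # (cost, sorted tuple of the configuration)
    while heap:
        cost, cur = heapq.heappop(heap)
        cur = frozenset(cur)
        if cost > best.get(cur, float("inf")):
            continue                              # stale heap entry
        if sink in cur:
            return cost
        for nxt in confs:
            if all(set(dag[v]) <= cur for v in nxt - cur):
                c = cost + len(nxt)
                if c < best.get(nxt, float("inf")):
                    best[nxt] = c
                    heapq.heappush(heap, (c, tuple(sorted(nxt))))
    return None


if __name__ == "__main__":
    print("slide pebbling legal:", is_legal_pebbling(EXAMPLE_DAG, EXAMPLE_PEBBLING))
    print("cost of slide pebbling:", cumulative_cost(EXAMPLE_PEBBLING))
    print("exact CC(G):", cumulative_complexity(EXAMPLE_DAG))
    naive = naive_pebbling(EXAMPLE_DAG)
    print("naive cost:", cumulative_cost(naive), "ER(naive, R=10):", energy_cost(naive, 10))
    print("Quality_R(A) for the slide's numbers:", attack_quality(40, 100, 5))
```

On this graph the naïve pebbling costs 15 = n(n+1)/2 while the slide's pebbling costs 7, and the exhaustive search confirms that 7 is optimal here, so CC(G) = 7 for this constructed graph; the same functions run on any small DAG expressed as a parent map.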
Desiderata
Find a DAG G and a sequential pebbling algorithm N with
1. Constant indegree (δ = 2)
2. Quality_R(A) ≤ c for every adversary A (c small)
3. ER(Naïve) ≥ n²/τ + Rn for some small value τ
Memory costs should dominate. Maximize costs for fixed n (users are impatient).
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with
1. Constant indegree (δ = 2)
2. Quality_R(A) ≤ c for every adversary A (c small)
3. ER(Naïve) ≥ n²/τ + Rn for τ = O(1)
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General attack on non-depth-robust DAGs
  • Existing iMHFs are not depth robust
  • Ideal iMHFs don't exist
• Subsequent Results (depth-robustness is sufficient)
• Open Questions
Depth Robustness
Definition: A DAG G = (V, E) is (e,d)-reducible if there exists S ⊆ V with |S| ≤ e and depth(G − S) ≤ d.
Otherwise we say that G is (e,d)-depth robust.
Example: the 5-node graph 1 2 3 4 5 drawn on the slide is (1,2)-reducible.
Attacking (e,d)-reducible DAGs
• Input: S with |S| ≤ e such that depth(G − S) = d, and a parameter g > d
• Light Phase (g rounds): discard most pebbles
  • Goal: pebble the next g nodes in g (sequential) steps
  • Low memory (only keep pebbles on S and on the parents of new nodes)
  • Lasts a "long" time
• Balloon Phase (d rounds): greedily recover missing pebbles
  • Goal: recover the pebbles needed for the upcoming light phase
  • Expensive but quick (at most d steps in parallel)
Theorem (depth-robustness is a necessary condition): If G is not (e,d)-depth robust then CC(G) = O(e·n + √(n³·d)). In particular CC(G) = o(n²) for e, d = o(n).
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs?
Answer: No
• Catena [FLW15] is (e, O(n/e))-reducible: CC = O(n^1.62)
• Balloon Hashing and Argon2i (old version) are (e, O(n²/e²))-reducible: CC = O(n^1.71)
• Argon2i (latest version) is (e, O(n³/e³))-reducible: CC = O(n^1.77)
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
• Argon2: winner of the Password Hashing Competition [2015]
• The authors recommend the Argon2i variant (data-independent) for password hashing
Argon2i
Nodes 1 2 3 4 … i … n; each node i has a random predecessor r(i) < i
Indegree δ = 2
Argon2i: Reducing depth to √n
Layer 0: nodes 1, 2, 3, …, n^(3/4); Layer 1: n^(3/4)+1, …, 2n^(3/4); …; Layer ⁴√n: …, n
Definition: S2 = { v_i : v_r(i) and v_i are in the same layer }
Claim: S2 is small
Fact: it is easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
Let S = S1 + S2
Attack Simulation [AB16b]
The attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line in the plot).
Pessimistic Argon2i-B parameter: a parameter setting that could easily be chosen when following the Argon2i-B guidelines.
Ideal iMHFs Don't Exist
Thm [AB16]: Any graph G (with constant in-degree) is at least somewhat depth-reducible.
Implication: if CC(G) = Ω(n²) there is an attack A with high quality: Quality_R(A) = Ω(log n / log log n)
But we cannot rule them out in practice.
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (new)
  • Depth-robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let G = (V, E) be (e,d)-depth robust; then CC(G) ≥ e·d.
Proof: Let P_1, …, P_t denote an (optimal) pebbling of G. For 0 < i < d define S_i = P_i ∪ P_{d+i} ∪ P_{2d+i} ∪ ⋯. One of the sets S_i has size at most CC(G)/d. Now we claim that d ≥ depth(G − S_i), because any path in G − S_i must have been completely pebbled at some point; thus it must have been pebbled entirely during some interval of length d. Thus G is (CC(G)/d, d)-reducible. It follows that CC(G) ≥ e·d.
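The depth-robustness definition, the layered Argon2i depth reduction and the [ABP16] proof above all come down to computing depth(G − S) for a chosen set S. The following added Python example (it is not code from the slides, from Argon2i, or from the papers) does exactly that: a brute-force (e,d)-reducibility check on a constructed 5-node graph, a constructed Argon2i-style random DAG with the layered S = S1 ∪ S2 removal, and the S_i construction from the proof applied to the slide's pebbling. Assumptions of this example: the 5-node graph's edge set, a uniform r(i) in place of Argon2i's real predecessor distribution, and the choice of S1 as every gap-th node (the slide does not spell S1 out).

```python
import itertools
import random

# Constructed 5-node DAG standing in for the slide's figure (assumption: the path
# 1->2->3->4->5 plus edges 1->3 and 3->5). Nodes are numbered in topological order and
# dag[v] is the tuple of parents of v.
EXAMPLE_DAG = {1: (), 2: (1,), 3: (1, 2), 4: (3,), 5: (3, 4)}
# The slide's pebbling P1..P5, reused for the [ABP16] construction below.
EXAMPLE_PEBBLING = [{1}, {1, 2}, {3}, {3, 4}, {5}]


def depth(dag, removed=frozenset()):
    """depth(G - S): number of nodes on the longest path after deleting `removed`."""
    longest = {}
    for v in sorted(dag):                         # topological order
        if v in removed:
            continue
        longest[v] = 1 + max((longest[p] for p in dag[v] if p in longest), default=0)
    return max(longest.values(), default=0)


def is_reducible(dag, e, d):
    """(e,d)-reducible: some S with |S| <= e has depth(G - S) <= d (brute force,
    so only for small graphs). G is (e,d)-depth robust iff this returns False."""
    nodes = sorted(dag)
    return any(depth(dag, frozenset(s)) <= d
               for k in range(e + 1) for s in itertools.combinations(nodes, k))


def argon2i_like_dag(n, seed=0):
    """Constructed stand-in for the Argon2i graph: node i has parents i-1 and a random
    r(i) < i, so indegree 2. Assumption: r(i) is uniform here, whereas real Argon2i
    draws it from a skewed distribution. Returns (parent map, r)."""
    rng = random.Random(seed)
    rand_pred = {i: rng.randrange(1, i) for i in range(2, n + 1)}   # r(i) < i
    dag = {1: ()}
    for i in range(2, n + 1):
        dag[i] = tuple({i - 1, rand_pred[i]})
    return dag, rand_pred


def layered_depth_reduction(dag, rand_pred, layer_size, gap):
    """The slide's S = S1 + S2 on a layered view (layer(v) = (v-1)//layer_size):
    S2 = nodes whose random predecessor lies in their own layer (slide's definition);
    S1 = every gap-th node, which cuts every chain run inside a layer to < gap nodes
    (assumption of this example). After removal a path visits each layer at most once
    and stays there for at most gap-1 chain nodes, so depth(G - S) <= layers*(gap-1)."""
    def layer(v):
        return (v - 1) // layer_size
    s2 = {v for v, r in rand_pred.items() if layer(r) == layer(v)}
    s1 = {v for v in dag if v % gap == 0}
    s = frozenset(s1 | s2)
    return s, depth(dag, s)


def depth_reducing_set_from_pebbling(dag, pebbling, d):
    """[ABP16] proof step: S_i = P_i U P_{i+d} U P_{i+2d} U ... for the d residues i
    (requires d <= number of rounds). The smallest S_i has |S_i| <= cost(P)/d and
    depth(G - S_i) <= d, so G is (cost(P)/d, d)-reducible. Returns that S_i."""
    candidates = [frozenset().union(*pebbling[i::d]) for i in range(d)]
    return min(candidates, key=len)


if __name__ == "__main__":
    print("depth of the 5-node graph:", depth(EXAMPLE_DAG))
    print("(1,2)-reducible:", is_reducible(EXAMPLE_DAG, 1, 2))
    s = depth_reducing_set_from_pebbling(EXAMPLE_DAG, EXAMPLE_PEBBLING, 2)
    print("S_i from the slide's pebbling:", sorted(s), "depth(G - S_i):", depth(EXAMPLE_DAG, s))
    n = 4096                                      # layer size n^(3/4) = 512, gap n^(1/4) = 8
    dag, rp = argon2i_like_dag(n, seed=1)
    big_s, d = layered_depth_reduction(dag, rp, 512, 8)
    print("Argon2i-like: n =", n, "|S| =", len(big_s), "depth(G - S) =", d)
```

With n = 4096, layer size n^(3/4) = 512 and gap n^(1/4) = 8, the removed set stays well under n/2 nodes while the depth drops from 4096 to at most 8 × 7 = 56, on the order of √n as the slide claims; the same functions work for any parent map, so other layer sizes or predecessor distributions can be tried by changing the constructed inputs.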
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let G = (V, E) be (e,d)-depth robust; then CC(G) ≥ e·d.
Implications: there exists a constant-indegree graph G with CC(G) ≥ Ω(n²/log n)
Previous best [AS15]: Ω(n²/log^10 n)
[AB16]: we cannot do better (in an asymptotic sense)
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But it still has its flaws [AB16, AB17]
• Current recommendation: Argon2id
  • No side-channel attacks: resists known attacks
  • Side-channel attacks reduce its security to that of Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
• Depth-robustness is necessary and sufficient for secure iMHFs [AB16], [ABP16]
• Big challenge: improved constructions of depth-robust graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening
Passwords vs time: Look how far we've come
(Chart annotations: Netscape IPO, Dotcom crash. Source: Cormac's estimate)
"The password is dead"
Biometrics
• Alternatives to Passwords: Biometrics
• Challenges: Revoke, Secrecy
Hardware Tokens
• Alternatives to Passwords: Hardware Tokens
• Challenge: $$$ + more stuff to carry around
Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords
Graphical Passwords: Hotspots
Password Managers
• Password Management Software
Related Work
• Password Management Software: Challenge: Single point of failure
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear) [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working paper [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear) [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016 [Full Version]
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
-reducible
119862119862119862119862 = 119874119874 119894119894162
bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992
1198901198902-reducible
119862119862119862119862 = 119874119874 119894119894171
bull Argon2i (latest version) is 119890119890 119874119874 1198991198993
1198901198903-reducible
119862119862119862119862 = 119874119874 119894119894177
bull Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
bull Argon2 Winner of the password hashing competition[2015]
bull Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
1 2 3 4 ihellip n
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894helliphelliphellip
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816
helliphelliphellip
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Don't Exist
Thm [AB16]: Any graph $G$ (with constant in-degree) is at least somewhat depth-reducible.
Implication: $CC(G) = \Omega(n^2)$ is unattainable; for any constant-indegree $G$ there is an attack $A$ with high quality, $\mathrm{Quality}_R(A) = \Omega\!\left(\dfrac{\log n}{\log\log n}\right)$.
But we cannot rule them out in practice.
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (new)
  • Depth-robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let $G = (V, E)$ be $(e, d)$-depth robust. Then $CC(G) \ge e \cdot d$.
Proof: Let $P_1, \ldots, P_t$ denote an (optimal) pebbling of $G$. For $0 \le i < d$ define $S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$. The $d$ sets $S_0, \ldots, S_{d-1}$ together count every pebble of every round, so one of them has size at most $CC(G)/d$. Now we claim that $\mathrm{depth}(G - S_i) \le d$: a path in $G - S_i$ carries no pebble at any of the checkpoint rounds $i, d+i, 2d+i, \ldots$, yet every node on it must be pebbled while its predecessor on the path still holds a pebble, so the whole path is pebbled entirely during one interval between consecutive checkpoints, that is, within fewer than $d$ rounds, and a path of more than $d$ nodes cannot be pebbled in $d$ rounds. Thus $G$ is $(CC(G)/d, d)$-reducible. Since $G$ is $(e, d)$-depth robust, no set of at most $e$ nodes reduces the depth to $d$, so $|S_i| \ge e$ and it follows that $CC(G) \ge d \cdot |S_i| \ge e \cdot d$.
Depth-Robustness is Sufficient [ABP16]
Implications: there exists a constant-indegree graph $G$ with $CC(G) \ge \Omega\!\left(\dfrac{n^2}{\log n}\right)$.
Previous best [AS15]: $\Omega\!\left(\dfrac{n^2}{\log^{10} n}\right)$.
[AB16]: we cannot do better (in an asymptotic sense).
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But it still has its flaws [AB16, AB17]
• Current recommendation: Argon2id
  • Without side-channel attacks: resists known attacks
  • Side-channel attacks reduce its security to that of Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
• Depth-robustness is necessary and sufficient for secure iMHFs [AB16, ABP16]
• Big challenge: improved constructions of depth-robust graphs
  • We already have constructions in theory [EGS77, PR80, ...]
  • But constants matter
Thanks for Listening
Passwords vs time: look how far we've come
[Chart: growth over time, with the Netscape IPO and the dotcom crash marked. Source: Cormac's estimate.]
"The password is dead"
Biometrics
• Alternatives to passwords
• Challenges: revocation, secrecy
Hardware Tokens
• Alternatives to passwords
• Challenge: $$$ + more stuff to carry around
Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: multiple passwords
Graphical Passwords: Hotspots
Password Managers
• Password management software
• Challenge: single point of failure
References
• [ABP17] Depth-Robust Graphs and Their Cumulative Memory Complexity (with Joel Alwen and Krzysztof Pietrzak). EUROCRYPT 2017, to appear. [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling (with Samson Zhou). Working paper. [arXiv]
• [AB17] Towards Practical Attacks on Argon2i and Balloon Hashing (with Joel Alwen). EuroS&P 2017, to appear. [ePrint]
• [AB16] Efficiently Computing Data Independent Memory Hard Functions (with Joel Alwen). CRYPTO 2016. [Full Version]
[Chart data behind the "Passwords vs time" slide: number of Internet users by date from December 1990 to September 2010 (sources: IDC, CI Almanac, Nua Ltd, Internet World Stats), with world population and an "accts/yr" series.]
Pebbling Equivalence
Theorem [AS15] (Informal): High pebbling complexity of $G$ implies high amortized memory complexity for the iMHF $f_{G,H}$.
Implication: the structure of the graph $G$ is key to iMHF security.
Desiderata
Find a DAG $G$ on $n$ nodes such that
1. Constant indegree ($\delta = 2$)
2. $CC(G) \ge n^2/\tau$ for some small value $\tau$
Maximize costs for fixed $n$ (users are impatient).
Depth-Robustness: The Key Property
Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Naïve Pebbling Algorithms
• Sequential algorithm (naïve)
  • Constraint: one new pebble per round
  • Every iMHF is defined via its naïve algorithm
• Example: naïve (pebble in topological order)
  • Never discard pebbles
  • Time: $n$
  • Average pebbles: $n/2$
  • $ER(\text{Naïve}) = \Theta(Rn + n^2)$
Amortized Attack Quality
$\mathrm{Quality}_R(A) = \dfrac{ER(\text{Naïve}) \times \#\mathrm{inst}(A)}{ER(A)}$
Example: algorithm $A$ evaluates 5 iMHF instances with total cost $ER(A) = 100$, and $ER(\text{Naïve}) = 40$:
$\mathrm{Quality}_R(A) = \dfrac{40}{100} \times 5 = 2$
Desiderata
Find a DAG $G$ and a sequential pebbling algorithm $N$ with
1. Constant indegree ($\delta = 2$)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary $A$ ($c$ small)
3. $ER(\text{Naïve}) \ge n^2/\tau + Rn$ for some small value $\tau$
Memory costs should dominate. Maximize costs for fixed $n$ (users are impatient).
c-Ideal iMHF
Find a DAG $G$ and a sequential pebbling algorithm $N$ with
1. Constant indegree ($\delta = 2$)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary $A$ ($c$ small)
3. $ER(\text{Naïve}) \ge n^2/\tau + Rn$ for $\tau = O(1)$
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General attack on non depth-robust DAGs
  • Existing iMHFs are not depth robust
  • Ideal iMHFs don't exist
• Subsequent results (depth-robustness is sufficient)
• Open Questions
Depth-Robustness: The Key Property
Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Depth Robustness
Definition: A DAG $G = (V, E)$ is $(e, d)$-reducible if there exists $S \subseteq V$ such that $|S| \le e$ and $\mathrm{depth}(G - S) \le d$.
Otherwise we say that $G$ is $(e, d)$-depth robust.
[Figure: a DAG on the nodes 1, 2, 3, 4, 5.]
Example: $(1, 2)$-reducible
Attacking $(e, d)$-reducible DAGs
• Input: a set $S$ with $|S| \le e$ such that $\mathrm{depth}(G - S) \le d$, and a light-phase length $g > d$
• Light phase ($g$ rounds): discard most pebbles
  • Goal: pebble the next $g$ nodes in $g$ (sequential) steps
  • Low memory: only keep pebbles on $S$ and on the parents of the new nodes
  • Lasts a "long" time
• Balloon phase ($d$ rounds): greedily recover the missing pebbles
  • Goal: recover the pebbles needed for the upcoming light phase
  • Expensive but quick (at most $d$ steps in parallel)
Theorem (Depth-Robustness is a necessary condition): If $G$ is not $(e, d)$-depth robust, then $CC(G) = O\!\left(en + \sqrt{n^3 d}\right)$. In particular $CC(G) = o(n^2)$ for $e, d = o(n)$.
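As an added illustration of two passages on this page, the layered depth reduction of Argon2i into $S = S_1 \cup S_2$ and the light/balloon attack on an $(e, d)$-reducible DAG, here is a small Python simulation written for this page; it is not code from the lecture, from the cited papers or from the Argon2i implementation. The graph is the slides' idealised Argon2i DAG (chain edge plus one uniformly random predecessor, indegree 2); the layer count $k$, the chain cut $t$, the block length $g$, the random seed and the unit cost model (one unit per pebble per round, i.e. $R = 0$) are choices made for the demo, not parameters from the page. It reports $e = |S|$, $\mathrm{depth}(G - S)$ against the bound $k(t-1)$, and the attack's cumulative pebbling cost next to the naïve $n(n+1)/2$.

```python
# Added example for this page; not code from the lecture, the cited papers or
# the Argon2i reference implementation.  It builds an Argon2i-style DAG (chain
# edge i-1 -> i plus a uniformly random predecessor r(i) < i), finds a
# depth-reducing set S = S1 | S2 by the layering described on the slides, and
# simulates the light/balloon pebbling attack against naive sequential
# pebbling.  The layer count k, chain cut t, light-phase length g, the seed and
# the unit-cost model (one unit per pebble per round, i.e. R = 0) are
# assumptions chosen for the demo, not parameters from the page.
import random


def argon2i_style_dag(n, seed=1):
    """r[i] = random predecessor of node i (2 <= i <= n); the chain parent i-1 is
    implicit, so every node except node 1 has indegree 2."""
    rng = random.Random(seed)
    return {i: rng.randint(1, i - 1) for i in range(2, n + 1)}


def parents(r, v):
    return {v - 1, r[v]} if v > 1 else set()


def depth(r, n, removed=frozenset()):
    """Longest path of G - removed, counted in nodes: a path of L nodes forces
    any pebbling, even a parallel one, to spend at least L rounds on it."""
    longest = {}
    for v in range(1, n + 1):
        if v not in removed:
            longest[v] = 1 + max((longest[p] for p in parents(r, v) if p in longest), default=0)
    return max(longest.values(), default=0)


def depth_reducing_set(r, n, k, t):
    """Cut 1..n into k layers of consecutive nodes and return S = S1 | S2.
    S2: nodes whose random predecessor lies in their own layer, so every
        surviving random edge comes from a strictly earlier layer.
    S1: every t-th node of each layer's chain, so no surviving chain run has
        more than t-1 nodes.
    A path in G - S therefore visits each layer at most once and walks at most
    t-1 nodes inside it: depth(G - S) <= k * (t - 1)."""
    size = -(-n // k)  # ceil(n / k) nodes per layer

    def layer(v):
        return (v - 1) // size

    s2 = {v for v in range(2, n + 1) if layer(r[v]) == layer(v)}
    s1 = {v for v in range(1, n + 1) if ((v - 1) % size) % t == t - 1}
    return s1 | s2


def light_balloon_cost(r, n, s, g):
    """Parallel pebbling of G in blocks of g consecutive nodes.  Pebbles on S are
    never dropped.  Balloon phase: re-pebble the unpebbled ancestors of the
    block's parents, every available node per round (at most depth(G - S)
    rounds, because S is already pebbled).  Light phase: one new node per
    round, keeping only S, the block's outstanding parents and the newest node.
    Returns (cost, rounds) with cost = total pebbles held over all rounds."""
    pebbled, cost, rounds = set(), 0, 0
    for a in range(1, n + 1, g):
        block = range(a, min(a + g, n + 1))
        needed = set().union(*(parents(r, v) for v in block)) - set(block)
        # balloon phase: closure of the missing parents under unpebbled ancestors
        todo, stack = set(), [v for v in needed if v not in pebbled]
        while stack:
            v = stack.pop()
            if v not in todo:
                todo.add(v)
                stack.extend(p for p in parents(r, v) if p not in pebbled)
        while todo:
            ready = {v for v in todo if parents(r, v) <= pebbled}
            assert ready, "illegal pebbling: nothing is ready"
            pebbled |= ready
            todo -= ready
            rounds += 1
            cost += len(pebbled)
        pebbled = (pebbled & s) | needed
        # light phase
        for v in block:
            assert parents(r, v) <= pebbled, "illegal pebbling: parent missing"
            pebbled.add(v)
            rounds += 1
            cost += len(pebbled)
            later = set().union(*(parents(r, w) for w in block if w > v))
            pebbled = (pebbled & s) | (pebbled & later) | {v}
    return cost, rounds


def naive_cost(n):
    """Sequential topological pebbling that never discards: round i holds i
    pebbles, so the cost is n(n+1)/2 (the slides' ER(Naive) with R = 0)."""
    return n * (n + 1) // 2


def demo(n=2048, k=8, t=8, g=64, seed=1):
    r = argon2i_style_dag(n, seed)
    s = depth_reducing_set(r, n, k, t)
    d = depth(r, n, s)
    cost, rounds = light_balloon_cost(r, n, s, g)
    return {"n": n, "e": len(s), "d": d, "depth_bound": k * (t - 1),
            "attack_cost": cost, "attack_rounds": rounds,
            "naive_cost": naive_cost(n), "quality": naive_cost(n) / cost}


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:>14}: {val}")
```

At toy sizes ($n$ in the low thousands) the attack's cost is not expected to fall far below the naïve cost: $e/n$ is still large and each balloon phase re-pebbles a sizeable prefix. The simulation is there to check the two invariants the theory rests on, the depth bound after removing $S$ and a balloon phase that needs at most $\mathrm{depth}(G - S)$ rounds, and the returned numbers can be compared with the cost formula $n(e + O(g)) + (n/g) \cdot d \cdot n$. Growing $n$ with $k = t \approx n^{1/4}$ is what shrinks $e/n$, which is the regime the slides' $n^{1.75}$-type bounds describe.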
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs?
Answer: No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
-reducible
119862119862119862119862 = 119874119874 119894119894162
bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992
1198901198902-reducible
119862119862119862119862 = 119874119874 119894119894171
bull Argon2i (latest version) is 119890119890 119874119874 1198991198993
1198901198903-reducible
119862119862119862119862 = 119874119874 119894119894177
bull Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
bull Argon2 Winner of the password hashing competition[2015]
bull Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
1 2 3 4 ihellip n
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894helliphelliphellip
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816
helliphelliphellip
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Biometrics
59
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Hardware Tokens
61
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Everybody |
DATE | DATE | NUMBER OF USERS | WORLD | WORLD | INFORMATION | DATE | DATE | NUMBER OF USERS | DATE | DATE | acctsyr | |||||||||||||||||||||||||||||||||||||
POPULATION | POPULATION | SOURCE | ||||||||||||||||||||||||||||||||||||||||||||||
December-90 | 0 | 3 | 15 | 020 | 00261 | 000 | 1 | December-90 | 3 | 1 | December-90 | 3 | 1 | December-90 | 3 | 3 | December-90 | 3 | 1 | 3 | ||||||||||||||||||||||||||||
December-95 | December-95 | 0 | 16 | 040 | 80 | 040 | IDC | 100 | 00522 | 180 | 12 | December-95 | 192 | December-95 | 16 | 1778 | December-95 | 48 | 28448 | December-95 | 48 | 3 | 48 | |||||||||||||||||||||||||
December-96 | December-96 | 0 | 36 | 090 | 180 | 090 | IDC | 200 | 00783 | 188 | 13132 | December-96 | 472752 | December-96 | 36 | 1994916 | December-96 | 126 | 71816976 | December-96 | 1368 | 38 | 126 | |||||||||||||||||||||||||
December-97 | December-97 | 0 | 70 | 170 | 350 | 170 | IDC | 300 | 01043 | 209 | 16263 | December-97 | 113841 | December-97 | 70 | 2238295752 | December-97 | 280 | 15668070264 | December-97 | 322 | 46 | 280 | |||||||||||||||||||||||||
December-98 | December-98 | 0 | 147 | 360 | 735 | 360 | CI Almanac | 400 | 01303 | 230 | 19391 | December-98 | 2850477 | December-98 | 147 | 25113678337 | December-98 | 6615 | 3691710715604 | December-98 | 7791 | 53 | 6615 | |||||||||||||||||||||||||
December-99 | December-99 | 0 | 248 | 410 | 1240 | 410 | Nua Ltd | 500 | 01563 | 251 | 22517 | December-99 | 5584216 | December-99 | 248 | 28177547095 | December-99 | 1240 | 6988031679463 | December-99 | 15376 | 62 | 1240 | |||||||||||||||||||||||||
March-00 | March-00 | 0 | 304 | 500 | 1520 | 500 | Nua Ltd | 600 | 01822 | 272 | 25638 | March-00 | 7793952 | December-00 | 361 | 3161520784 | December-00 | 19855 | 11413090030294 | December-00 | 2527 | 7 | 19855 | |||||||||||||||||||||||||
July-00 | July-00 | 0 | 359 | 590 | 1795 | 590 | Nua Ltd | 700 | 02081 | 293 | 28754 | July-00 | 10322686 | December-01 | 543 | 35472263197 | December-01 | 3258 | 1926143891578 | December-01 | 39639 | 73 | 3258 | |||||||||||||||||||||||||
December-00 | December-00 | 0 | 361 | 580 | 1805 | 580 | Internet World Stats | 800 | 02338 | 313 | 31864 | December-00 | 11502904 | December-02 | 607 | 39799879307 | December-02 | 39455 | 2415852673913 | December-02 | 47953 | 79 | 39455 | |||||||||||||||||||||||||
March-01 | March-01 | 0 | 458 | 760 | 2290 | 760 | Nua Ltd | 900 | 02852 | 334 | 34967 | March-01 | 16014886 | December-03 | 719 | 44655464582 | December-03 | 5033 | 32107279034493 | December-03 | 61115 | 85 | 5033 | |||||||||||||||||||||||||
June-01 | June-01 | 0 | 479 | 790 | 2395 | 790 | Nua Ltd | 1000 | 03107 | 355 | 38061 | June-01 | 18231219 | December-04 | 817 | 50103431261 | December-04 | 61275 | 40934503340285 | December-04 | 7353 | 9 | 61275 | |||||||||||||||||||||||||
August-01 | August-01 | 0 | 513 | 860 | 2565 | 860 | Nua Ltd | 1100 | 03361 | 396 | 44221 | August-01 | 22685373 | December-05 | 1018 | 56216049875 | December-05 | 8144 | 57227938772657 | December-05 | 9467 | 93 | 8144 | |||||||||||||||||||||||||
April-02 | April-02 | 0 | 558 | 860 | 2790 | 860 | Internet World Stats | 1200 | 03614 | 417 | 47284 | April-02 | 26384472 | December-06 | 1093 | 6307440796 | December-06 | 9291 | 68940327899894 | December-06 | 10602 | 97 | 9291 | |||||||||||||||||||||||||
July-02 | July-02 | 0 | 569 | 910 | 2845 | 910 | Internet World Stats | 1300 | 03866 | 437 | 50334 | July-02 | 28640046 | December-07 | 1319 | 70769485731 | December-07 | 11871 | 93344951678825 | December-07 | 13454 | 102 | 11871 | |||||||||||||||||||||||||
September-02 | September-02 | 0 | 587 | 940 | 2935 | 940 | Internet World Stats | 1400 | 04117 | 458 | 53371 | September-02 | 31328777 | December-08 | 1574 | 7940336299 | December-08 | 14953 | 124980893346059 | December-08 | 16527 | 105 | 14953 | |||||||||||||||||||||||||
March-03 | March-03 | 0 | 608 | 970 | 3040 | 970 | Internet World Stats | 1500 | 04366 | 478 | 56394 | March-03 | 34287552 | December-09 | 1802 | 89090573275 | December-09 | 18020 | 160541213040896 | December-09 | 19462 | 108 | 18020 | |||||||||||||||||||||||||
September-03 | September-03 | 0 | 677 | 1060 | 3385 | 1060 | Internet World Stats | 1600 | 04614 | 498 | 59401 | September-03 | 40214477 | December-10 | 1971 | 99959623214 | December-10 | 20696 | 197020417355075 | December-10 | 21681 | 11 | 20696 | |||||||||||||||||||||||||
October-03 | October-03 | 0 | 682 | 1070 | 3410 | 1070 | Internet World Stats | 1700 | 0486 | 518 | 62392 | October-03 | 42551344 | |||||||||||||||||||||||||||||||||||
December-03 | December-03 | 0 | 719 | 1110 | 3595 | 1110 | Internet World Stats | 1800 | 02852 | 538 | 65365 | December-03 | 46997435 | |||||||||||||||||||||||||||||||||||
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness: The Key Property

Necessary [AB16] and sufficient [ABP16] for secure iMHFs

Naïve Pebbling Algorithms

• Sequential Algorithm (Naïve)
  • Constraint: one new pebble per round
  • Every iMHF is defined via its naïve algorithm
• Example: Naïve (pebble in topological order)
  • Never discard pebbles
  • Time: n
  • Average pebbles: n/2
  • $ER(\text{Naïve}) = \Theta(Rn + n^2)$
Amortized Attack Quality

$\mathrm{Quality}_R(A) = \dfrac{ER(\text{Naïve})}{ER(A)} \times \#\mathrm{inst}(A)$

Example: Algorithm A evaluates 5 iMHF instances with total cost $ER(A) = 100$, and $ER(\text{Naïve}) = 40$:

$\mathrm{Quality}_R(A) = \dfrac{40}{100} \times 5 = 2$
Desiderata

Find a DAG G and a sequential pebbling algorithm N with
1. Constant indegree ($\delta = 2$)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary A (c small)
3. $ER(\text{Naïve}) \ge n^2/\tau + Rn$ for some small value $\tau$

Memory costs should dominate. Maximize costs for fixed n (users are impatient).

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with
1. Constant indegree ($\delta = 2$)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary A (c small)
3. $ER(\text{Naïve}) \ge n^2/\tau + Rn$ for $\tau = O(1)$
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General attack on non-depth-robust DAGs
  • Existing iMHFs are not depth robust
  • Ideal iMHFs don't exist
• Subsequent Results (Depth-Robustness is Sufficient)
• Open Questions
Depth Robustness

Definition: A DAG $G = (V, E)$ is $(e, d)$-reducible if there exists $S \subseteq V$ such that $|S| \le e$ and $\mathrm{depth}(G - S) \le d$.

Otherwise we say that G is $(e, d)$-depth robust.

[Figure: a 5-node DAG with nodes 1, 2, 3, 4, 5. Example: $(1, 2)$-reducible.]
Attacking (e,d)-reducible DAGs

• Input: $S$ with $|S| \le e$ such that $\mathrm{depth}(G - S) = d$, and $g > d$
• Light Phase (g rounds): discard most pebbles
  • Goal: pebble the next g nodes in g (sequential) steps
  • Low memory (only keep pebbles on S and on parents of new nodes)
  • Lasts a "long" time
• Balloon Phase (d rounds): greedily recover missing pebbles
  • Goal: recover the pebbles needed for the upcoming light phase
  • Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition): If G is not $(e, d)$-depth robust then $CC(G) = O\!\left(en + \sqrt{n^3 d}\right)$. In particular $CC(G) = o(n^2)$ for $e, d = o(n)$.
Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs? Answer: No.

• Catena [FLW15] is $(e, O(n/e))$-reducible: $CC = O(n^{1.62})$
• Balloon Hashing and Argon2i (old version) are $(e, O(n^2/e^2))$-reducible: $CC = O(n^{1.71})$
• Argon2i (latest version) is $(e, O(n^3/e^3))$-reducible: $CC = O(n^{1.77})$
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]

• Argon2: winner of the Password Hashing Competition [2015]
• The authors recommend the Argon2i variant (data-independent) for password hashing

[Figure: nodes 1, 2, 3, 4, …, i, …, n in a chain; node i also has a random predecessor $r(i) < i$. Indegree $\delta = 2$.]
Argon2i: Reducing depth to $\sqrt{n}$

[Figure: the chain 1, 2, 3, …, $n^{3/4}$, …, $2n^{3/4}$, …, n split into Layer 0, Layer 1, …, Layer $\sqrt[4]{n}$, each layer a block of consecutive nodes.]

Definition: $S_2 = \{\, v_i : v_{r(i)} \text{ and } v_i \text{ in the same layer} \,\}$

Claim: $S_2$ is small.

Easy to reduce the depth of a path.

Argon2i is a layered DAG (almost)

[Figure: the same layered chain with annotations +2, +3, ….]

Let $S = S_1 + S_2$.
Attack Simulation [AB16b]

[Figure: attack simulation plot.] The attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line). The pessimistic Argon2i-B parameter setting could easily be chosen when following the Argon2i-B guidelines.
Ideal iMHFs Don't Exist

Thm [AB16]: Any graph G (with constant in-degree) is at least somewhat depth-reducible.

Implication: If $CC(G) = \Omega(n^2)$ there is an attack A with high quality:

$\mathrm{Quality}_R(A) = \Omega\!\left(\dfrac{\log n}{\log\log n}\right)$

But we cannot rule them out in practice.
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let $G = (V, E)$ be $(e, d)$-depth robust; then $CC(G) \ge e \cdot d$.

Proof: Let $P_1, \ldots, P_t$ denote an (optimal) pebbling of G. For $0 < i \le d$ define
$S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$
One of the sets $S_i$ has size at most $CC(G)/d$. Now we claim that $d \ge \mathrm{depth}(G - S_i)$, because any path in $G - S_i$ must have been completely pebbled at some point; thus it must have been pebbled entirely during some interval of length d. Thus G is $(CC(G)/d, d)$-reducible. It follows that $CC(G) \ge e \cdot d$.
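The following Python script is an added illustration (not code from the slides, nor from the Argon2 or Catena projects) that makes three of the preceding slides concrete on small constructed DAGs: the $(e, d)$-reducibility definition, checked by brute force on a constructed 5-node graph; the layered reducing set $S = S_1 \cup S_2$ from the "Reducing depth to $\sqrt{n}$" slides, built on an Argon2i-like DAG whose random predecessor $r(i)$ is uniform (a stand-in, not Argon2i's real indexing function); and the $S_i$ construction from the proof of the Key Theorem, run against one legal pebbling so that $|S_i| \le CC/d$ and $\mathrm{depth}(G - S_i) \le d$ can be observed. Depth is counted in nodes, and the layer size $n^{3/4}$ with spacing $n^{1/4}$ is my reading of the slide; all function names are mine.

```python
"""Depth-reducibility, the layered reducing set for an Argon2i-like DAG,
and the S_i construction from the proof of CC(G) >= e*d, on small DAGs.
Added illustration; every graph here is constructed."""
import math
import random
from itertools import combinations

# A DAG on nodes 1..n is stored as parents[v] = list of predecessors of v,
# all smaller than v, so 1..n is already a topological order.


def depth(n, parents, removed=frozenset()):
    """Longest path in G - removed, counted in nodes (assumption: this is
    how the slides' depth() is measured; 0 only if every node is removed)."""
    best = [0] * (n + 1)
    for v in range(1, n + 1):
        if v in removed:
            continue
        best[v] = 1 + max((best[p] for p in parents[v] if p not in removed),
                          default=0)
    return max(best)


def is_reducible(n, parents, e, d):
    """Brute-force (e,d)-reducibility: is there S with |S| <= e and
    depth(G - S) <= d?  Exponential in e, so for toy graphs only."""
    nodes = range(1, n + 1)
    return any(depth(n, parents, frozenset(s)) <= d
               for k in range(e + 1) for s in combinations(nodes, k))


# Constructed 5-node example: the path 1->2->3->4->5 plus chords 1->3, 3->5.
TOY = {1: [], 2: [1], 3: [1, 2], 4: [3], 5: [3, 4]}


def argon2i_like(n, seed=0):
    """Constructed stand-in for the Argon2i DAG: node i has parents i-1 and a
    uniformly random r(i) < i (indegree 2).  Argon2i's real indexing is not
    uniform; this only mirrors the slides' picture."""
    rng = random.Random(seed)
    parents = {1: [], 2: [1]}
    for i in range(3, n + 1):
        parents[i] = [i - 1, rng.randint(1, i - 1)]
    return parents


def layered_reducing_set(n, parents):
    """S = S1 | S2 from the slides, for layers of n^(3/4) consecutive nodes.
    S2 = nodes whose random parent lies in their own layer: removing them
    leaves only chain edges inside a layer and forward edges between layers.
    S1 = every n^(1/4)-th node, cutting each layer's chain into runs of fewer
    than n^(1/4) nodes.  A path then visits at most n^(1/4) layers and fewer
    than n^(1/4) nodes in each, so depth(G - S) < sqrt(n)."""
    layer_size = max(1, round(n ** 0.75))
    step = max(1, round(n ** 0.25))

    def layer(v):
        return (v - 1) // layer_size

    s2 = {v for v, ps in parents.items()
          if len(ps) == 2 and layer(ps[1]) == layer(v)}
    s1 = set(range(step, n + 1, step))
    return frozenset(s1 | s2)


def sequential_pebbling(n, parents):
    """One legal pebbling: pebble 1, 2, ..., n in order and drop a pebble as
    soon as all children of its node are pebbled (sinks are kept to the end).
    Returns the configurations P_1, ..., P_n."""
    last_use = {v: 0 for v in range(1, n + 1)}
    for v, ps in parents.items():
        for p in ps:
            last_use[p] = max(last_use[p], v)
    for v in last_use:
        if last_use[v] == 0:
            last_use[v] = n
    configs, current = [], set()
    for t in range(1, n + 1):
        current.add(t)                 # parents of t are still pebbled
        configs.append(frozenset(current))
        current = {v for v in current if last_use[v] > t}
    return configs


def pebbling_cost(configs):
    """Cumulative cost CC of a pebbling: total pebbles summed over time."""
    return sum(len(p) for p in configs)


def reducing_set_from_pebbling(configs, d):
    """The proof's S_i = P_i | P_{d+i} | P_{2d+i} | ... for 1 <= i <= d;
    returns the smallest one, whose size is at most CC/d by averaging."""
    return min((frozenset().union(*configs[i::d]) for i in range(d)), key=len)


def key_theorem_witness(n, parents, d):
    """Runs the proof on one pebbling: the cheapest S_i has |S_i| <= CC/d and
    depth(G - S_i) <= d, so G is (CC/d, d)-reducible.  Contrapositively, an
    (e,d)-depth-robust G forces CC >= e*d for this (and every) pebbling."""
    configs = sequential_pebbling(n, parents)
    cc = pebbling_cost(configs)
    s = reducing_set_from_pebbling(configs, d)
    return {"cc": cc, "e": len(s), "depth": depth(n, parents, s)}


if __name__ == "__main__":
    print("toy (1,2)-reducible:", is_reducible(5, TOY, 1, 2))
    print("toy (1,1)-reducible:", is_reducible(5, TOY, 1, 1))
    n, g = 4096, argon2i_like(4096, seed=1)
    s = layered_reducing_set(n, g)
    print(f"n={n}: |S|={len(s)}, depth(G-S)={depth(n, g, s)}, sqrt(n)={math.isqrt(n)}")
    w = key_theorem_witness(n, g, d=64)
    print(f"CC={w['cc']}, |S_i|={w['e']} <= CC/d={w['cc'] // 64}, depth={w['depth']}")
```

On the toy graph, removing node 3 alone leaves the two edges 1→2 and 4→5, so the graph is $(1, 2)$-reducible but not $(1, 1)$-reducible. For the layered set, note that at $n = 4096$ the set $S$ still contains roughly a third of the nodes; "small" on the slide is asymptotic ($|S| = O(n^{3/4} \log n)$ against $n$), which is why the slide's constants-matter caveat carries weight.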
Depth-Robustness is Sufficient [ABP16]

Implications: There exists a constant-indegree graph G with

$CC(G) \ge \Omega\!\left(\dfrac{n^2}{\log n}\right)$

Previous best [AS15]: $\Omega\!\left(\dfrac{n^2}{\log^{10} n}\right)$

[AB16]: We cannot do better (in an asymptotic sense).
Summary

• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But it still has its flaws [AB16, AB17]
• Current recommendation: Argon2id
  • No side-channel attacks: resists known attacks
  • Side-channel attacks reduce its security to that of Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

• Depth-robustness is necessary and sufficient for secure iMHFs [AB16, ABP16]
• Big challenge: improved constructions of depth-robust graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter

Thanks for Listening
Passwords vs time: Look how far we've come

[Chart: passwords over time, annotated with the Netscape IPO and the dotcom crash, and the remark "The password is dead". Source: Cormac's estimate.]
Biometrics

• Alternatives to passwords
• Challenges: revocation, secrecy

Hardware Tokens

• Alternatives to passwords
• Challenge: $$$ + more stuff to carry around

Graphical Passwords

• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: multiple passwords

Graphical Passwords: Hotspots

Password Managers

• Password management software
• Challenge: single point of failure
References

• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working paper. [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear). [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016. [Full Version]
[Embedded chart data for the "Passwords vs time" slide: number of Internet users against world population by date, December 1990 to September 2010, with an accounts-per-year column; sources IDC, CI Almanac, Nua Ltd and Internet World Stats.]
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Naïve Pebbling Algorithms

• Sequential algorithm (Naïve)
  • Constraint: one new pebble per round
  • Every iMHF is defined via its Naïve algorithm
• Example: Naïve (pebble in topological order)
  • Never discard pebbles
  • Time: n
  • Average pebbles: n/2
  • $ER(\text{Naïve}) = \Theta(Rn + n^2)$
Amortized Attack Quality

$\mathrm{Quality}_R(A) = \frac{ER(\text{Naïve})}{ER(A)} \times \#\mathrm{inst}(A)$

where $\#\mathrm{inst}(A)$ is the number of iMHF instances that A evaluates for the cost $ER(A)$.

Example: Algorithm A evaluates 5 iMHF instances with total cost $ER(A) = 100$, and $ER(\text{Naïve}) = 40$ per instance:

$\mathrm{Quality}_R(A) = \frac{40}{100} \times 5 = 2$
Desiderata

Find a DAG G and a sequential pebbling algorithm N with:
1. Constant indegree (δ = 2)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary A (c small)
3. $ER(\text{Naïve}) \ge \frac{n^2}{\tau} + Rn$ for some small value τ

Memory costs should dominate (condition 3), and the cost should be maximized for a fixed n, because users are impatient and n is bounded by their patience.

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with:
1. Constant indegree (δ = 2)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary A (c small)
3. $ER(\text{Naïve}) \ge \frac{n^2}{\tau} + Rn$ for $\tau = O(1)$
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General attack on non depth-robust DAGs
  • Existing iMHFs are not depth robust
  • Ideal iMHFs don't exist
• Subsequent Results (Depth-Robustness is Sufficient)
• Open Questions
Depth-Robustness: The Key Property

Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Depth Robustness

Definition: A DAG G = (V, E) is (e,d)-reducible if there exists S ⊆ V such that |S| ≤ e and depth(G − S) ≤ d (depth counted in nodes). Otherwise we say that G is (e,d)-depth robust.

Example: the path 1 → 2 → 3 → 4 → 5 is (1,2)-reducible: removing S = {3} leaves no path longer than 2 nodes.
Attacking (e,d)-reducible DAGs

• Input: S with |S| ≤ e such that depth(G − S) = d, and a phase length g > d
• Light Phase (g rounds): discard most pebbles
  • Goal: pebble the next g nodes in g (sequential) steps
  • Low memory (only keep pebbles on S and on the parents of the new nodes)
  • Lasts a "long" time
• Balloon Phase (d rounds): greedily recover the missing pebbles
  • Goal: recover the pebbles needed for the upcoming light phase
  • Expensive but quick (at most d steps in parallel)

Theorem (depth-robustness is a necessary condition): If G (constant indegree) is not (e,d)-depth robust then $CC(G) = O\left(en + \sqrt{n^3 d}\right)$. In particular $CC(G) = o(n^2)$ whenever $e, d = o(n)$.
Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs?

Answer: No

• Catena [FLW15] is $\left(e, O\!\left(\frac{n}{e}\right)\right)$-reducible: $CC = O(n^{1.62})$
• Balloon Hashing and Argon2i (old version) are $\left(e, O\!\left(\frac{n^2}{e^2}\right)\right)$-reducible: $CC = O(n^{1.71})$
• Argon2i (latest version) is $\left(e, O\!\left(\frac{n^3}{e^3}\right)\right)$-reducible: $CC = O(n^{1.77})$
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK15]

• Argon2: winner of the Password Hashing Competition (2015)
• The authors recommend the Argon2i variant (data-independent) for password hashing

Argon2i

1 → 2 → 3 → 4 → … → i → … → n

Each node i has the chain edge from i − 1 and one edge from a random predecessor r(i) < i.
Indegree δ = 2
Argon2i: Reducing depth to √n

Split the n nodes into consecutive layers of $n^{3/4}$ nodes each ($n^{1/4}$ layers): Layer 0 = {1, 2, 3, …, $n^{3/4}$}, Layer 1 = {…, $2n^{3/4}$}, …, and the last layer ends at n.

Definition: $S_2 = \{\, v_i : v_{r(i)} \text{ and } v_i \text{ are in the same layer} \,\}$

Claim: $|S_2|$ is small in expectation. A node i in layer j ≥ 1 has its random predecessor r(i) in its own layer with probability at most 1/(j+1); only Layer 0 contributes all of its nodes.

Fact: it is easy to reduce the depth of a path. Removing every k-th node of the chain (call this set $S_1$, $|S_1| = n/k$) leaves chain runs of fewer than k nodes.

Argon2i is a layered DAG (almost)

Once $S_2$ is removed, the only edges left inside a layer are the chain edges (+1); every surviving random edge (+2, +3, … in the slide's figure) jumps to a strictly later layer. Let $S = S_1 \cup S_2$. A path in G − S alternates chain runs of fewer than k nodes with at most $n^{1/4} - 1$ layer-crossing jumps, so $\mathrm{depth}(G - S) \le n^{1/4} \cdot k$; with $k = n^{1/4}$ the depth drops to $\sqrt{n}$ while $|S| = n^{3/4} + |S_2|$.
Attack Simulation [AB16b]

[Figure: simulated attack quality against Argon2i-B; not reproduced.] The attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line in the plot). That pessimistic Argon2i-B parameter setting could easily be chosen when following the Argon2i-B guidelines.
Ideal iMHFs Don't Exist

Thm [AB16]: any graph G with constant in-degree is at least somewhat depth-reducible.

Implication: if the naïve evaluation costs $\Omega(n^2)$ (as a c-ideal iMHF requires), there is an attack A with high quality,
$\mathrm{Quality}_R(A) = \Omega\!\left(\frac{\log n}{\log\log n}\right)$,
so a c-ideal iMHF with constant c cannot exist.

But we cannot rule them out in practice: the attacker's advantage grows only as $\log n / \log\log n$.
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let G = (V, E) be (e,d)-depth robust. Then $CC(G) \ge e \cdot d$.

Proof: Let $P_1, \dots, P_t$ denote an (optimal) pebbling of G. For $0 < i \le d$ define
$S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$
Every round $P_j$ belongs to exactly one $S_i$, so $\sum_{i=1}^{d} |S_i| \le \sum_j |P_j| = CC(G)$ and one of the sets $S_i$ has size at most $CC(G)/d$. Now we claim that $\mathrm{depth}(G - S_i) \le d$: any path in $G - S_i$ must have been completely pebbled at some point, and none of its nodes carries a pebble at the sampled rounds $i, d+i, 2d+i, \dots$, so the whole path must have been pebbled during a single interval of fewer than d rounds between two samples, which allows at most d nodes. Thus G is $(CC(G)/d, d)$-reducible; since G is (e,d)-depth robust, $CC(G)/d \ge e$, i.e. $CC(G) \ge e \cdot d$.

Implications: there exists a constant-indegree graph G with
$CC(G) \ge \Omega\!\left(\frac{n^2}{\log n}\right)$
Previous best [AS15]: $\Omega\!\left(\frac{n^2}{\log^{10} n}\right)$
[AB16]: we cannot do better (in an asymptotic sense).
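The three constructions above, the generic light/balloon attack on (e,d)-reducible DAGs, the layered set $S = S_1 \cup S_2$ for Argon2i, and the $S_i = P_i \cup P_{d+i} \cup \cdots$ extraction from the proof that $CC(G) \ge e \cdot d$, can all be exercised on a toy Argon2i-style graph. The Python below is an added example written for this page; it is not code from the slides or from the Argon2, [AB16] or [ABP16] authors. It assumes nodes 1..n in topological order with r(i) uniform on 1..i−1 (a simplification of real Argon2i indexing), counts only pebbles (cumulative memory complexity, i.e. ER with R = 0, so the reported "quality" is a CC ratio), and uses the crude light/balloon cost bound from the slide rather than a tuned attack, so the ratio it prints is a lower bound on what the attack achieves. The layer count and chain gap (32 and 32 for n = 2^18) are free choices, not the slides' $n^{1/4}$.

```python
"""
Pebbling-cost experiments on an Argon2i-style DAG (added example, see lead-in).

Assumptions (not from the slides): nodes are 1..n in topological order, r(i)
is uniform on 1..i-1, and every cost counts pebbles only (cumulative memory
complexity, i.e. ER with R = 0).
"""
import math
import random


def argon2i_dag(n, seed=0):
    """parents[i] for i in 1..n: the chain edge i-1 -> i plus one random edge r(i) -> i."""
    rng = random.Random(seed)
    parents = {1: []}
    for i in range(2, n + 1):
        r = rng.randint(1, i - 1)                    # assumed uniform predecessor
        parents[i] = [i - 1] if r == i - 1 else [i - 1, r]
    return parents


def depth_without(parents, removed):
    """depth(G - removed): longest path counted in nodes, as in the (e,d)-reducible definition."""
    longest, best = {}, 0
    for i in sorted(parents):                        # 1..n is a topological order
        if i in removed:
            longest[i] = 0
            continue
        longest[i] = 1 + max((longest[p] for p in parents[i] if p not in removed), default=0)
        best = max(best, longest[i])
    return best


def layered_reducing_set(parents, layer_size, chain_gap):
    """The slides' S = S1 + S2 for Argon2i.
    S1 = every chain_gap-th node, so a surviving chain run has fewer than chain_gap nodes.
    S2 = nodes whose random predecessor lies in their own layer of layer_size nodes,
    so every surviving random edge jumps to a strictly later layer.
    Hence depth(G - S) <= (#layers) * chain_gap."""
    n = len(parents)
    s1 = set(range(chain_gap, n + 1, chain_gap))
    s2 = {i for i, ps in parents.items()
          for p in ps if p != i - 1 and (p - 1) // layer_size == (i - 1) // layer_size}
    return s1 | s2


def naive_cc(n):
    """Naive sequential pebbling: pebble t at round t, never discard -> 1 + 2 + ... + n pebbles."""
    return n * (n + 1) // 2


def attack_cc_bound(n, e, d, indegree=2):
    """Cost bound of the generic attack on an (e,d)-reducible DAG with phase length g > d:
    n/g light phases of g rounds holding <= e + indegree*g pebbles (S plus the parents of
    the new nodes), each followed by a balloon phase of <= d rounds holding <= n pebbles.
    cost(g) = n*(e + indegree*g) + d*n^2/g, minimised near g* = sqrt(d*n/indegree).
    Returns (cost, g)."""
    g_star = math.sqrt(d * n / indegree)
    lo = min(d + 1, n)
    best = None
    for g in {max(lo, math.floor(g_star)), max(lo, math.ceil(g_star)), lo, n}:
        g = min(g, n)
        cost = n * (e + indegree * g) + d * n * n / g
        if best is None or cost < best[0]:
            best = (cost, g)
    return best


def experiment(n, layers, chain_gap, seed=0):
    """Build the DAG, apply S = S1 + S2, measure e = |S| and d = depth(G - S) exactly,
    and compare the attack's cost bound with naive pebbling."""
    parents = argon2i_dag(n, seed)
    s = layered_reducing_set(parents, n // layers, chain_gap)
    e, d = len(s), depth_without(parents, s)
    cost, g = attack_cc_bound(n, e, d)
    return {"e": e, "d": d, "depth_bound": layers * chain_gap, "g": g,
            "attack_cc": cost, "naive_cc": naive_cc(n), "quality": naive_cc(n) / cost}


def naive_pebbling(n):
    """The naive pebbling as pebble sets P_1..P_n (only sensible for small n)."""
    return [set(range(1, t + 1)) for t in range(1, n + 1)]


def reducing_set_from_pebbling(pebbling, d):
    """Proof step of 'depth-robustness is sufficient': S_i = P_i ∪ P_{d+i} ∪ P_{2d+i} ∪ ...
    for i = 1..d.  The S_i cover every P_t exactly once, so the smallest has size <= CC/d,
    and any path of G - S_i was pebbled inside one window of d rounds, so depth(G - S_i) <= d.
    Returns (smallest S_i, CC of the pebbling)."""
    cc = sum(len(p) for p in pebbling)
    sets = [set().union(*pebbling[i::d]) for i in range(min(d, len(pebbling)))]
    return min(sets, key=len), cc


if __name__ == "__main__":
    r = experiment(2 ** 18, layers=32, chain_gap=32)   # 32 layers of 8192 nodes, cut every 32nd node
    print(f"e={r['e']}, d={r['d']} <= {r['depth_bound']}, best g={r['g']}, "
          f"attack CC <= {r['attack_cc']:.3g}, naive CC = {r['naive_cc']:.3g}, "
          f"quality >= {r['quality']:.2f}")
    small = argon2i_dag(64, seed=1)
    s_i, cc = reducing_set_from_pebbling(naive_pebbling(64), d=8)
    print(f"|S_i|={len(s_i)} <= CC/d={cc / 8:.0f}, depth(G - S_i)={depth_without(small, s_i)} <= 8")
```

Two things are worth noticing when running it. The measured depth(G − S) always respects the layered bound, but at n = 2^18 the crude cost bound beats naïve pebbling only by a small constant factor, far from the asymptotic $n^{1.71}$ versus $n^2$ gap: the constants in e and in the balloon phases matter, which is exactly why [AB16b] needed a tuned simulation to show the attack is practical. On the proof side, for the naïve pebbling the smallest $S_i$ is simply the last sampled prefix, and G − $S_i$ is a short tail of the chain whose depth is below d, as the theorem's argument predicts.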
Summary

• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But it still has its flaws [AB16, AB17]
• Current recommendation: Argon2id
  • Absent side-channel attacks, it resists the known attacks
  • Side-channel attacks reduce its security to that of Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

• Depth-robustness is necessary and sufficient for secure iMHFs [AB16, ABP16]
• Big challenge: improved constructions of depth-robust graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening
Passwords vs time: Look how far we've come

[Figure: estimated number of accounts over time, with the Netscape IPO and the dotcom crash marked. Source: Cormac's estimate.]

"The password is dead"
Alternatives to Passwords

Biometrics
• Challenges: revocation, secrecy

Hardware Tokens
• Challenge: $$$ + more stuff to carry around

Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: multiple passwords
• Hotspots

Password Managers
• Password management software
• Challenge: single point of failure
References

• [ABP17] Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear) [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou (working paper) [arXiv]
• [AB17] Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear) [ePrint]
• [AB16] Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016 [Full Version]
Everybody |
DATE | DATE | NUMBER OF USERS | WORLD | WORLD | INFORMATION | DATE | DATE | NUMBER OF USERS | DATE | DATE | acctsyr | |||||||||||||||||||||||||||||||||||||
POPULATION | POPULATION | SOURCE | ||||||||||||||||||||||||||||||||||||||||||||||
December-90 | 0 | 3 | 15 | 020 | 00261 | 000 | 1 | December-90 | 3 | 1 | December-90 | 3 | 1 | December-90 | 3 | 3 | December-90 | 3 | 1 | 3 | ||||||||||||||||||||||||||||
December-95 | December-95 | 0 | 16 | 040 | 80 | 040 | IDC | 100 | 00522 | 180 | 12 | December-95 | 192 | December-95 | 16 | 1778 | December-95 | 48 | 28448 | December-95 | 48 | 3 | 48 | |||||||||||||||||||||||||
December-96 | December-96 | 0 | 36 | 090 | 180 | 090 | IDC | 200 | 00783 | 188 | 13132 | December-96 | 472752 | December-96 | 36 | 1994916 | December-96 | 126 | 71816976 | December-96 | 1368 | 38 | 126 | |||||||||||||||||||||||||
December-97 | December-97 | 0 | 70 | 170 | 350 | 170 | IDC | 300 | 01043 | 209 | 16263 | December-97 | 113841 | December-97 | 70 | 2238295752 | December-97 | 280 | 15668070264 | December-97 | 322 | 46 | 280 | |||||||||||||||||||||||||
December-98 | December-98 | 0 | 147 | 360 | 735 | 360 | CI Almanac | 400 | 01303 | 230 | 19391 | December-98 | 2850477 | December-98 | 147 | 25113678337 | December-98 | 6615 | 3691710715604 | December-98 | 7791 | 53 | 6615 | |||||||||||||||||||||||||
December-99 | December-99 | 0 | 248 | 410 | 1240 | 410 | Nua Ltd | 500 | 01563 | 251 | 22517 | December-99 | 5584216 | December-99 | 248 | 28177547095 | December-99 | 1240 | 6988031679463 | December-99 | 15376 | 62 | 1240 | |||||||||||||||||||||||||
March-00 | March-00 | 0 | 304 | 500 | 1520 | 500 | Nua Ltd | 600 | 01822 | 272 | 25638 | March-00 | 7793952 | December-00 | 361 | 3161520784 | December-00 | 19855 | 11413090030294 | December-00 | 2527 | 7 | 19855 | |||||||||||||||||||||||||
July-00 | July-00 | 0 | 359 | 590 | 1795 | 590 | Nua Ltd | 700 | 02081 | 293 | 28754 | July-00 | 10322686 | December-01 | 543 | 35472263197 | December-01 | 3258 | 1926143891578 | December-01 | 39639 | 73 | 3258 | |||||||||||||||||||||||||
December-00 | December-00 | 0 | 361 | 580 | 1805 | 580 | Internet World Stats | 800 | 02338 | 313 | 31864 | December-00 | 11502904 | December-02 | 607 | 39799879307 | December-02 | 39455 | 2415852673913 | December-02 | 47953 | 79 | 39455 | |||||||||||||||||||||||||
March-01 | March-01 | 0 | 458 | 760 | 2290 | 760 | Nua Ltd | 900 | 02852 | 334 | 34967 | March-01 | 16014886 | December-03 | 719 | 44655464582 | December-03 | 5033 | 32107279034493 | December-03 | 61115 | 85 | 5033 | |||||||||||||||||||||||||
June-01 | June-01 | 0 | 479 | 790 | 2395 | 790 | Nua Ltd | 1000 | 03107 | 355 | 38061 | June-01 | 18231219 | December-04 | 817 | 50103431261 | December-04 | 61275 | 40934503340285 | December-04 | 7353 | 9 | 61275 | |||||||||||||||||||||||||
August-01 | August-01 | 0 | 513 | 860 | 2565 | 860 | Nua Ltd | 1100 | 03361 | 396 | 44221 | August-01 | 22685373 | December-05 | 1018 | 56216049875 | December-05 | 8144 | 57227938772657 | December-05 | 9467 | 93 | 8144 | |||||||||||||||||||||||||
April-02 | April-02 | 0 | 558 | 860 | 2790 | 860 | Internet World Stats | 1200 | 03614 | 417 | 47284 | April-02 | 26384472 | December-06 | 1093 | 6307440796 | December-06 | 9291 | 68940327899894 | December-06 | 10602 | 97 | 9291 | |||||||||||||||||||||||||
July-02 | July-02 | 0 | 569 | 910 | 2845 | 910 | Internet World Stats | 1300 | 03866 | 437 | 50334 | July-02 | 28640046 | December-07 | 1319 | 70769485731 | December-07 | 11871 | 93344951678825 | December-07 | 13454 | 102 | 11871 | |||||||||||||||||||||||||
September-02 | September-02 | 0 | 587 | 940 | 2935 | 940 | Internet World Stats | 1400 | 04117 | 458 | 53371 | September-02 | 31328777 | December-08 | 1574 | 7940336299 | December-08 | 14953 | 124980893346059 | December-08 | 16527 | 105 | 14953 | |||||||||||||||||||||||||
March-03 | March-03 | 0 | 608 | 970 | 3040 | 970 | Internet World Stats | 1500 | 04366 | 478 | 56394 | March-03 | 34287552 | December-09 | 1802 | 89090573275 | December-09 | 18020 | 160541213040896 | December-09 | 19462 | 108 | 18020 | |||||||||||||||||||||||||
September-03 | September-03 | 0 | 677 | 1060 | 3385 | 1060 | Internet World Stats | 1600 | 04614 | 498 | 59401 | September-03 | 40214477 | December-10 | 1971 | 99959623214 | December-10 | 20696 | 197020417355075 | December-10 | 21681 | 11 | 20696 | |||||||||||||||||||||||||
October-03 | October-03 | 0 | 682 | 1070 | 3410 | 1070 | Internet World Stats | 1700 | 0486 | 518 | 62392 | October-03 | 42551344 | |||||||||||||||||||||||||||||||||||
December-03 | December-03 | 0 | 719 | 1110 | 3595 | 1110 | Internet World Stats | 1800 | 02852 | 538 | 65365 | December-03 | 46997435 | |||||||||||||||||||||||||||||||||||
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
-reducible
119862119862119862119862 = 119874119874 119894119894162
bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992
1198901198902-reducible
119862119862119862119862 = 119874119874 119894119894171
bull Argon2i (latest version) is 119890119890 119874119874 1198991198993
1198901198903-reducible
119862119862119862119862 = 119874119874 119894119894177
bull Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
bull Argon2 Winner of the password hashing competition[2015]
bull Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
1 2 3 4 ihellip n
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894helliphelliphellip
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816
helliphelliphellip
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Biometrics
59
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Hardware Tokens
61
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
[Embedded spreadsheet behind the "Passwords vs time" chart: columns DATE, NUMBER OF USERS, WORLD POPULATION, INFORMATION SOURCE (IDC, CI Almanac, Nua Ltd, Internet World Stats) and accts/yr, December 1990 through September 2010]
Desiderata
Find a DAG G and a sequential pebbling algorithm N with:
1. Constant indegree ($\delta = 2$)
2. $\text{Quality}_R(A) \le c$ for every adversary A (c small)
3. $E_R(\text{Naive}) \ge n^2/\tau + R\,n$ for some small value $\tau$
Memory costs should dominate. Maximize costs for fixed n (users are impatient).

c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with:
1. Constant indegree ($\delta = 2$)
2. $\text{Quality}_R(A) \le c$ for every adversary A (c small)
3. $E_R(\text{Naive}) \ge n^2/\tau + R\,n$ for $\tau = O(1)$
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General Attack on Non Depth Robust DAGs
  • Existing iMHFs are not Depth Robust
  • Ideal iMHFs don't exist
• Subsequent Results (Depth-Robustness is Sufficient)
• Open Questions
Depth-Robustness: The Key Property
Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Depth Robustness
Definition: A DAG $G=(V,E)$ is $(e,d)$-reducible if there exists $S \subseteq V$ s.t. $|S| \le e$ and $\text{depth}(G - S) \le d$.
Otherwise we say that G is $(e,d)$-depth robust.
[Figure: the path 1 → 2 → 3 → 4 → 5]
Example: $(1,2)$-reducible
Attacking $(e,d)$-reducible DAGs
• Input: $|S| \le e$ such that $\text{depth}(G - S) = d$, and $g > d$
• Light Phase (g rounds): Discard most pebbles
  • Goal: Pebble the next g nodes in g (sequential) steps
  • Low memory (only keep pebbles on S and on parents of new nodes)
  • Lasts a "long" time
• Balloon Phase (d rounds): Greedily recover missing pebbles
  • Goal: Recover the pebbles needed for the upcoming light phase
  • Expensive but quick (at most d steps in parallel)
Theorem (Depth-robustness is a necessary condition): If G is not $(e,d)$-depth robust then $CC(G) = O\!\left(e\,n + \sqrt{n^3 d}\right)$. In particular $CC(G) = o(n^2)$ for $e, d = o(n)$.
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs?
Answer: No
• Catena [FLW15] is $(e,d)$-reducible with $e, d = o(n)$: $CC(G) = O(n^{1.62})$
• Balloon Hashing and Argon2i (old version) are $(e,d)$-reducible with $e, d = o(n)$: $CC(G) = O(n^{1.71})$
• Argon2i (latest version) is $(e,d)$-reducible with $e, d = o(n)$: $CC(G) = O(n^{1.77})$
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
• Argon2: Winner of the Password Hashing Competition [2015]
• Authors recommend the Argon2i variant (data-independent) for password hashing
Argon2i
[Figure: chain of nodes $1, 2, 3, 4, \dots, i, \dots, n$]
• random predecessor $r(i) < i$
• Indegree $\delta = 2$
Argon2i: Reducing depth to $\sqrt{n}$
[Figure: nodes $1, 2, 3, \dots, n^{3/4}$ form Layer 0; $n^{3/4}+1, \dots, 2n^{3/4}$ form Layer 1; …; the last layer is Layer $\sqrt[4]{n}$, ending at node $n$]
Definition: $S_2 = \{\, v_i : v_{r(i)} \text{ and } v_i \text{ in the same layer} \,\}$
Claim: $S_2$ is small
Fact: Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)
Let $S = S_1 + S_2$
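As an added example (not code from the talk or from the Argon2 project), the following Python builds an Argon2i-like DAG with a uniformly random predecessor r(i) (an assumption: the real Argon2i index function is not uniform), removes S = S1 ∪ S2 using layers of n^{3/4} nodes and a chain cut every n^{1/4} nodes (my choice for S1), and compares depth(G − S) and the O(en + √(n³d)) bound from the theorem above with the naive n² cost. It is the kind of check a designer would run on a candidate DAG before trusting it to be depth-robust.

```python
import math
import random


def argon2i_like_dag(n, seed=7):
    """Constructed sample graph: node i has chain parent i-1 and random parent r(i) < i-1."""
    rng = random.Random(seed)
    parents = [[] for _ in range(n)]
    for i in range(1, n):
        parents[i].append(i - 1)                     # chain edge (i-1) -> i
        if i >= 2:
            parents[i].append(rng.randrange(i - 1))  # r(i) uniform in {0,...,i-2}: an assumption
    return parents


def depth(parents, removed=frozenset()):
    """Longest path of G - removed, counted in nodes; nodes are already in topological order."""
    longest = [0] * len(parents)
    for v in range(len(parents)):
        if v in removed:
            continue
        longest[v] = 1 + max((longest[p] for p in parents[v] if p not in removed), default=0)
    return max(longest, default=0)


def layered_depth_reducing_set(parents, layer_size, cut_every):
    """S = S1 | S2 in the sense of the slides.

    S2 = {v_i : v_{r(i)} and v_i in the same layer}; once they are gone every surviving
         random edge jumps to a strictly later layer, so inside a layer only chain edges remain.
    S1 = every cut_every-th chain node (my choice of how to "reduce the depth of a path");
         a chain run that avoids S1 has at most cut_every - 1 nodes.
    """
    n = len(parents)

    def layer(v):
        return v // layer_size

    s2 = {v for v in range(n) for p in parents[v] if p != v - 1 and layer(p) == layer(v)}
    s1 = {v for v in range(n) if v % cut_every == cut_every - 1}
    return s1 | s2


def attack_cost_bound(n, e, d):
    """The theorem's bound CC(G) = O(e*n + sqrt(n^3 * d)), with the hidden constant set to 1."""
    return e * n + math.sqrt(n ** 3 * d)


def analyse(n, seed=7):
    """Slide parameters: layers of n^(3/4) nodes (so n^(1/4) layers), chain cut every n^(1/4) nodes."""
    parents = argon2i_like_dag(n, seed)
    layer_size = round(n ** 0.75)
    cut_every = round(n ** 0.25)
    s = layered_depth_reducing_set(parents, layer_size, cut_every)
    e, d = len(s), depth(parents, s)
    num_layers = math.ceil(n / layer_size)
    return {
        "n": n,
        "naive_depth": depth(parents),                # the chain alone already has depth n
        "e": e,                                       # |S|, expected to be o(n)
        "d": d,                                       # depth(G - S)
        "depth_bound": num_layers * (cut_every - 1),  # each layer contributes one short chain run
        "attack_bound": attack_cost_bound(n, e, d),
        "naive_cost": n * n,                          # keeping every pebble costs order n^2
    }


if __name__ == "__main__":
    # The (1,2)-reducible path example from the slides: remove the middle node of 1-2-3-4-5.
    path = [[] if i == 0 else [i - 1] for i in range(5)]
    print("path depth", depth(path), "-> after removing the middle node:", depth(path, {2}))
    for n in (256, 4096, 65536):
        r = analyse(n)
        print(f"n={r['n']}: e={r['e']} d={r['d']} (bound {r['depth_bound']}), "
              f"attack bound {r['attack_bound']:.3g} vs naive {r['naive_cost']:.3g}")
```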
Attack Simulation [AB16b]
Attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon2i-B parameter: this parameter setting could easily be chosen when following the Argon2i-B guidelines
[Figure: simulated attack quality against parameter settings; brown line = pessimistic Argon2i-B parameters]
Ideal iMHFs Don't Exist
Thm [AB16]: Any graph G (with constant in-degree) is at least somewhat depth-reducible.
Implication: If $CC(G) = \Omega(n^2)$ there is an attack A with high quality:
$\text{Quality}_R(A) = \Omega\!\left(\frac{\log n}{\log\log n}\right)$
But we cannot rule them out in practice.
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let $G=(V,E)$ be $(e,d)$-depth robust; then $CC(G) \ge e \cdot d$.
Proof: Let $P_1, \dots, P_t$ denote an (optimal) pebbling of G. For $0 < i < d$ define $S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$. One of the sets $S_i$ has size at most $CC(G)/d$. Now we claim that $d \ge \text{depth}(G - S_i)$, because any path in $G - S_i$ must have been completely pebbled at some point; thus it must have been pebbled entirely during some interval of length d. Thus G is $(CC(G)/d,\, d)$-reducible. It follows that $CC(G) \ge e \cdot d$.
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let $G=(V,E)$ be $(e,d)$-depth robust; then $CC(G) \ge e \cdot d$.
Implications: There exists a constant indegree graph G with
$CC(G) \ge \Omega\!\left(\frac{n^2}{\log n}\right)$
Previous best [AS15]: $\Omega\!\left(\frac{n^2}{\log^{10} n}\right)$
[AB16]: We cannot do better (in an asymptotic sense)
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current Recommendation: Argon2id
  • No side channel attacks: resists known attacks
  • Side channel attacks reduce security to that of Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions
• Depth-robustness is necessary and sufficient for secure iMHFs [AB16] [ABP16]
• Big Challenge: Improved constructions of depth-robust graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening
Passwords vs time: Look how far we've come
[Figure: timeline chart with the Netscape IPO and the dotcom crash marked. Source: Cormac's estimate]
"The password is dead"

Biometrics
• Alternatives to Passwords
• Challenges: Revoke, Secrecy

Hardware Tokens
• Alternatives to Passwords
• Challenge: $$$ + more stuff to carry around

Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords

Graphical Passwords: Hotspots

Password Managers
• Password Management Software

Related Work
• Password Management Software
• Challenge: Single point of failure
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear) [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou (Working Paper) [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear) [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016 [Full Version]
Everybody |
DATE | DATE | NUMBER OF USERS | WORLD | WORLD | INFORMATION | DATE | DATE | NUMBER OF USERS | DATE | DATE | acctsyr | |||||||||||||||||||||||||||||||||||||
POPULATION | POPULATION | SOURCE | ||||||||||||||||||||||||||||||||||||||||||||||
December-90 | 0 | 3 | 15 | 020 | 00261 | 000 | 1 | December-90 | 3 | 1 | December-90 | 3 | 1 | December-90 | 3 | 3 | December-90 | 3 | 1 | 3 | ||||||||||||||||||||||||||||
December-95 | December-95 | 0 | 16 | 040 | 80 | 040 | IDC | 100 | 00522 | 180 | 12 | December-95 | 192 | December-95 | 16 | 1778 | December-95 | 48 | 28448 | December-95 | 48 | 3 | 48 | |||||||||||||||||||||||||
December-96 | December-96 | 0 | 36 | 090 | 180 | 090 | IDC | 200 | 00783 | 188 | 13132 | December-96 | 472752 | December-96 | 36 | 1994916 | December-96 | 126 | 71816976 | December-96 | 1368 | 38 | 126 | |||||||||||||||||||||||||
December-97 | December-97 | 0 | 70 | 170 | 350 | 170 | IDC | 300 | 01043 | 209 | 16263 | December-97 | 113841 | December-97 | 70 | 2238295752 | December-97 | 280 | 15668070264 | December-97 | 322 | 46 | 280 | |||||||||||||||||||||||||
December-98 | December-98 | 0 | 147 | 360 | 735 | 360 | CI Almanac | 400 | 01303 | 230 | 19391 | December-98 | 2850477 | December-98 | 147 | 25113678337 | December-98 | 6615 | 3691710715604 | December-98 | 7791 | 53 | 6615 | |||||||||||||||||||||||||
December-99 | December-99 | 0 | 248 | 410 | 1240 | 410 | Nua Ltd | 500 | 01563 | 251 | 22517 | December-99 | 5584216 | December-99 | 248 | 28177547095 | December-99 | 1240 | 6988031679463 | December-99 | 15376 | 62 | 1240 | |||||||||||||||||||||||||
March-00 | March-00 | 0 | 304 | 500 | 1520 | 500 | Nua Ltd | 600 | 01822 | 272 | 25638 | March-00 | 7793952 | December-00 | 361 | 3161520784 | December-00 | 19855 | 11413090030294 | December-00 | 2527 | 7 | 19855 | |||||||||||||||||||||||||
July-00 | July-00 | 0 | 359 | 590 | 1795 | 590 | Nua Ltd | 700 | 02081 | 293 | 28754 | July-00 | 10322686 | December-01 | 543 | 35472263197 | December-01 | 3258 | 1926143891578 | December-01 | 39639 | 73 | 3258 | |||||||||||||||||||||||||
December-00 | December-00 | 0 | 361 | 580 | 1805 | 580 | Internet World Stats | 800 | 02338 | 313 | 31864 | December-00 | 11502904 | December-02 | 607 | 39799879307 | December-02 | 39455 | 2415852673913 | December-02 | 47953 | 79 | 39455 | |||||||||||||||||||||||||
March-01 | March-01 | 0 | 458 | 760 | 2290 | 760 | Nua Ltd | 900 | 02852 | 334 | 34967 | March-01 | 16014886 | December-03 | 719 | 44655464582 | December-03 | 5033 | 32107279034493 | December-03 | 61115 | 85 | 5033 | |||||||||||||||||||||||||
June-01 | June-01 | 0 | 479 | 790 | 2395 | 790 | Nua Ltd | 1000 | 03107 | 355 | 38061 | June-01 | 18231219 | December-04 | 817 | 50103431261 | December-04 | 61275 | 40934503340285 | December-04 | 7353 | 9 | 61275 | |||||||||||||||||||||||||
August-01 | August-01 | 0 | 513 | 860 | 2565 | 860 | Nua Ltd | 1100 | 03361 | 396 | 44221 | August-01 | 22685373 | December-05 | 1018 | 56216049875 | December-05 | 8144 | 57227938772657 | December-05 | 9467 | 93 | 8144 | |||||||||||||||||||||||||
April-02 | April-02 | 0 | 558 | 860 | 2790 | 860 | Internet World Stats | 1200 | 03614 | 417 | 47284 | April-02 | 26384472 | December-06 | 1093 | 6307440796 | December-06 | 9291 | 68940327899894 | December-06 | 10602 | 97 | 9291 | |||||||||||||||||||||||||
July-02 | July-02 | 0 | 569 | 910 | 2845 | 910 | Internet World Stats | 1300 | 03866 | 437 | 50334 | July-02 | 28640046 | December-07 | 1319 | 70769485731 | December-07 | 11871 | 93344951678825 | December-07 | 13454 | 102 | 11871 | |||||||||||||||||||||||||
September-02 | September-02 | 0 | 587 | 940 | 2935 | 940 | Internet World Stats | 1400 | 04117 | 458 | 53371 | September-02 | 31328777 | December-08 | 1574 | 7940336299 | December-08 | 14953 | 124980893346059 | December-08 | 16527 | 105 | 14953 | |||||||||||||||||||||||||
March-03 | March-03 | 0 | 608 | 970 | 3040 | 970 | Internet World Stats | 1500 | 04366 | 478 | 56394 | March-03 | 34287552 | December-09 | 1802 | 89090573275 | December-09 | 18020 | 160541213040896 | December-09 | 19462 | 108 | 18020 | |||||||||||||||||||||||||
September-03 | September-03 | 0 | 677 | 1060 | 3385 | 1060 | Internet World Stats | 1600 | 04614 | 498 | 59401 | September-03 | 40214477 | December-10 | 1971 | 99959623214 | December-10 | 20696 | 197020417355075 | December-10 | 21681 | 11 | 20696 | |||||||||||||||||||||||||
October-03 | October-03 | 0 | 682 | 1070 | 3410 | 1070 | Internet World Stats | 1700 | 0486 | 518 | 62392 | October-03 | 42551344 | |||||||||||||||||||||||||||||||||||
December-03 | December-03 | 0 | 719 | 1110 | 3595 | 1110 | Internet World Stats | 1800 | 02852 | 538 | 65365 | December-03 | 46997435 | |||||||||||||||||||||||||||||||||||
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
-reducible
119862119862119862119862 = 119874119874 119894119894162
bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992
1198901198902-reducible
119862119862119862119862 = 119874119874 119894119894171
bull Argon2i (latest version) is 119890119890 119874119874 1198991198993
1198901198903-reducible
119862119862119862119862 = 119874119874 119894119894177
bull Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
bull Argon2 Winner of the password hashing competition[2015]
bull Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
1 2 3 4 ihellip n
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894helliphelliphellip
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816
helliphelliphellip
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Biometrics
59
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Hardware Tokens
61
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords
Graphical Passwords: Hotspots
Password Managers / Related Work
• Password Management Software
• Challenge: Single point of failure
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear) [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working paper [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear) [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016 [Full Version]
[Chart data behind the “Passwords vs time” plot (Cormac's estimate): columns Date, Number of users, World population, Information source, accts/yr; rows December-90 through September-10, sourced from IDC, CI Almanac, Nua Ltd and Internet World Stats]
c-Ideal iMHF
Find a DAG $G$ and a sequential pebbling algorithm $N$ with:
1. Constant indegree ($\delta = 2$)
2. $\mathrm{Quality}_R(A) \le c$ for every adversary $A$ ($c$ small)
3. $E_R(\mathrm{Naive}) \ge \frac{n^2}{\tau} + R\,n$ for $\tau = O(1)$
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Our Attacks
  • General Attack on Non-Depth-Robust DAGs
  • Existing iMHFs are not Depth Robust
  • Ideal iMHFs don't exist
• Subsequent Results (Depth-Robustness is Sufficient)
• Open Questions
Depth-Robustness: The Key Property
Necessary [AB16] and sufficient [ABP16] for secure iMHFs
Depth Robustness
Definition: A DAG $G=(V,E)$ is $(e,d)$-reducible if there exists $S \subseteq V$ s.t. $|S| \le e$ and $\mathrm{depth}(G - S) \le d$.
Otherwise we say that $G$ is $(e,d)$-depth robust.
(figure: nodes 1 2 3 4 5)
Example: (1,2)-reducible
Attacking (e,d)-reducible DAGs
• Input: $S$ with $|S| \le e$ such that $\mathrm{depth}(G - S) = d$; a parameter $g > d$
• Light Phase ($g$ rounds): Discard most pebbles
  • Goal: Pebble the next $g$ nodes in $g$ (sequential) steps
  • Low memory (only keep pebbles on $S$ and on parents of new nodes)
  • Lasts a “long” time
• Balloon Phase ($d$ rounds): Greedily recover missing pebbles
  • Goal: Recover needed pebbles for the upcoming light phase
  • Expensive but quick (at most $d$ steps in parallel)
Theorem (Depth-robustness is a necessary condition): If $G$ is not $(e,d)$-depth robust then $CC(G) = O\left(en + \sqrt{n^3 d}\right)$. In particular $CC(G) = o(n^2)$ for $e, d = o(n)$.
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs?
Answer: No
• Catena [FLW15] is $\left(e,\, O(n/e)\right)$-reducible: $CC = O(n^{1.62})$
• Balloon Hashing and Argon2i (old version) are $\left(e,\, O(n^2/e^2)\right)$-reducible: $CC = O(n^{1.71})$
• Argon2i (latest version) is $\left(e,\, O(n^3/e^3)\right)$-reducible: $CC = O(n^{1.77})$
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
• Argon2: Winner of the password hashing competition [2015]
• Authors recommend the Argon2i variant (data-independent) for password hashing
Argon2i
(figure: nodes 1, 2, 3, 4, …, i, …, n)
• Random predecessor $r(i) < i$
• Indegree $\delta = 2$
Argon2i: Reducing depth to $\sqrt{n}$
(figure: the $n$ nodes are split into consecutive layers of $n^{3/4}$ nodes: nodes $1, 2, 3, \dots, n^{3/4}$ are Layer 0, nodes up to $2n^{3/4}$ are Layer 1, and so on up to Layer $\sqrt[4]{n}$, which ends at node $n$)
Definition: $S_2 = \{\, v_i : v_{r(i)} \text{ and } v_i \text{ in the same layer} \,\}$
Claim: $S_2$ is small
Fact: Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
Let $S = S_1 + S_2$
Attack Simulation [AB16b]
(plot) Attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon2i-B parameter: a parameter setting that could easily be chosen when following the Argon2i-B guidelines
Ideal iMHFs Don't Exist
Thm [AB16]: Any graph $G$ (with constant in-degree) is at least somewhat depth-reducible.
Implication: If $CC(G) = \Omega(n^2)$ there is an attack $A$ with high quality: $\mathrm{Quality}_R(A) = \Omega\left(\frac{\log n}{\log\log n}\right)$
But we cannot rule them out in practice
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Proof: Let $P_1, \dots, P_t$ denote an (optimal) pebbling of $G$. For $0 < i < d$ define $S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$.
One of the sets $S_i$ has size at most $CC(G)/d$. Now we claim that $d \ge \mathrm{depth}(G - S_i)$, because any path in $G - S_i$ must have been completely pebbled at some point. Thus it must have been pebbled entirely during some interval of length $d$. Thus $G$ is $(CC(G)/d,\, d)$-reducible. It follows that $CC(G) \ge ed$.
Key Theorem: Let $G=(V,E)$ be $(e,d)$-depth robust; then $CC(G) \ge ed$.
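A worked check of the $(e,d)$-reducibility definition and of the proof above, as an added example (my code, not the slides' or the papers' own): it computes $\mathrm{depth}(G - S)$ for the slides' 5-node path and for a constructed Argon2i-shaped toy DAG, builds a legal sequential pebbling, and rebuilds the sets $S_i$ from the proof to confirm that the smallest one witnesses $(CC(G)/d,\, d)$-reducibility. Assumed: depth counts nodes on the longest path, and the graphs PATH5 and ARGON_LIKE are constructed here.

```python
"""Graph-pebbling check for the depth-robustness argument on these slides.

Added example, not code from the slides or from [AB16]/[ABP16].  A DAG is a
dict node -> tuple of parents; nodes are positive integers and every edge
(u, v) satisfies u < v, so the labels are a topological order (as in the
Argon2i picture).  Assumption: depth(G) is the number of NODES on the
longest path, which makes the slides' 5-node path example (1,2)-reducible.
"""


def depth(parents, removed=frozenset()):
    """Number of nodes on the longest path of G - removed (0 if empty)."""
    longest = {}
    for v in sorted(parents):
        if v in removed:
            continue
        longest[v] = 1 + max(
            (longest[u] for u in parents[v] if u not in removed), default=0
        )
    return max(longest.values(), default=0)


def is_reducible(parents, S, e, d):
    """Witness check for (e,d)-reducibility: |S| <= e and depth(G - S) <= d."""
    return len(S) <= e and depth(parents, frozenset(S)) <= d


def is_legal_pebbling(parents, pebbling):
    """Sequential pebbling rules: P_0 = {}, each step places at most one new
    pebble, only on a node whose parents all held pebbles in the previous
    step, and the sink (largest label) is pebbled at the end."""
    prev = frozenset()
    for P in pebbling:
        new = P - prev
        if len(new) > 1:
            return False
        if any(not set(parents[v]) <= prev for v in new):
            return False
        prev = P
    return max(parents) in prev


def frugal_pebbling(parents):
    """Pebble 1..n in order, dropping each pebble as soon as no later node
    needs it.  Legal because every parent of j is still held at step j-1."""
    nodes = sorted(parents)
    last_use = {u: max((v for v in nodes if u in parents[v]), default=u)
                for u in nodes}
    return [frozenset(u for u in nodes[:j]
                      if u == nodes[j - 1] or last_use[u] > nodes[j - 1])
            for j in range(1, len(nodes) + 1)]


def cumulative_cost(pebbling):
    """CC = sum over steps of the number of pebbles held (memory x time)."""
    return sum(len(P) for P in pebbling)


def proof_sets(pebbling, d):
    """S_i = P_i U P_{d+i} U P_{2d+i} U ..., one set per residue class of the
    step index mod d (steps indexed from 0 here, so every step is covered)."""
    return [frozenset().union(*pebbling[i::d]) for i in range(d)]


def key_theorem_witness(parents, pebbling, d):
    """Re-run the slides' argument on a concrete pebbling: every S_i has
    depth(G - S_i) <= d and some S_i has |S_i| <= CC/d, so G is
    (CC/d, d)-reducible.  Returns (CC, smallest S_i); raises on failure."""
    if not is_legal_pebbling(parents, pebbling):
        raise ValueError("not a legal sequential pebbling")
    cc = cumulative_cost(pebbling)
    sets = proof_sets(pebbling, d)
    for S in sets:
        if depth(parents, S) > d:
            raise AssertionError(f"a path of more than {d} nodes survives "
                                 f"removing {sorted(S)}")
    smallest = min(sets, key=len)
    assert len(smallest) <= cc / d  # sum_i |S_i| <= sum_j |P_j| = CC
    return cc, smallest


# Constructed inputs.  PATH5 is the slides' 5-node path; ARGON_LIKE is an
# 8-node toy with Argon2i's shape: an edge from i-1 plus a hand-picked
# "random" predecessor r(i) < i-1 (values chosen here, not from Argon2i).
PATH5 = {1: (), 2: (1,), 3: (2,), 4: (3,), 5: (4,)}
ARGON_LIKE = {1: (), 2: (1,), 3: (2, 1), 4: (3, 2), 5: (4, 1),
              6: (5, 3), 7: (6, 2), 8: (7, 5)}

if __name__ == "__main__":
    print("depth(PATH5) =", depth(PATH5), "; minus node 3:", depth(PATH5, {3}))
    print("PATH5 is (1,2)-reducible:", is_reducible(PATH5, {3}, 1, 2))
    peb = frugal_pebbling(ARGON_LIKE)
    cc, S = key_theorem_witness(ARGON_LIKE, peb, d=3)
    print(f"CC = {cc}; ARGON_LIKE is ({len(S)},3)-reducible via S = {sorted(S)}")
```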
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
-reducible
119862119862119862119862 = 119874119874 119894119894162
bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992
1198901198902-reducible
119862119862119862119862 = 119874119874 119894119894171
bull Argon2i (latest version) is 119890119890 119874119874 1198991198993
1198901198903-reducible
119862119862119862119862 = 119874119874 119894119894177
bull Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
bull Argon2 Winner of the password hashing competition[2015]
bull Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
1 2 3 4 ihellip n
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894helliphelliphellip
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816
helliphelliphellip
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Implications: There exists a constant-indegree graph G with CC(G) ≥ Ω(n² / log n).
Previous Best [AS15]: Ω(n² / log¹⁰ n).
[AB16]: We cannot do better (in an asymptotic sense).
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current Recommendation: Argon2id
  • No side channel attacks: Resists known attacks
  • Side channel attacks reduce security to Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
• Depth-robustness is necessary and sufficient for secure iMHFs [AB16] [ABP16]
• Big Challenge: Improved Constructions of Depth-Robust Graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening
Passwords vs time: Look how far we've come
[Figure: number of users (accounts/yr) vs time, annotated with the Netscape IPO and the Dotcom crash. Source: Cormac's estimate]
"The password is dead"
Biometrics
• Alternatives to Passwords
• Challenges: Revoke, Secrecy
Hardware Tokens
• Alternatives to Passwords
• Challenge: $$$ + more stuff to carry around
Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords
Graphical Passwords: Hotspots
Password Managers
• Password Management Software
• Challenge: Single point of failure
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear) [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou (Working Paper) [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear) [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016 [Full Version]
68
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Everybody |
DATE | DATE | NUMBER OF USERS | WORLD | WORLD | INFORMATION | DATE | DATE | NUMBER OF USERS | DATE | DATE | acctsyr | |||||||||||||||||||||||||||||||||||||
POPULATION | POPULATION | SOURCE | ||||||||||||||||||||||||||||||||||||||||||||||
December-90 | 0 | 3 | 15 | 020 | 00261 | 000 | 1 | December-90 | 3 | 1 | December-90 | 3 | 1 | December-90 | 3 | 3 | December-90 | 3 | 1 | 3 | ||||||||||||||||||||||||||||
December-95 | December-95 | 0 | 16 | 040 | 80 | 040 | IDC | 100 | 00522 | 180 | 12 | December-95 | 192 | December-95 | 16 | 1778 | December-95 | 48 | 28448 | December-95 | 48 | 3 | 48 | |||||||||||||||||||||||||
December-96 | December-96 | 0 | 36 | 090 | 180 | 090 | IDC | 200 | 00783 | 188 | 13132 | December-96 | 472752 | December-96 | 36 | 1994916 | December-96 | 126 | 71816976 | December-96 | 1368 | 38 | 126 | |||||||||||||||||||||||||
December-97 | December-97 | 0 | 70 | 170 | 350 | 170 | IDC | 300 | 01043 | 209 | 16263 | December-97 | 113841 | December-97 | 70 | 2238295752 | December-97 | 280 | 15668070264 | December-97 | 322 | 46 | 280 | |||||||||||||||||||||||||
December-98 | December-98 | 0 | 147 | 360 | 735 | 360 | CI Almanac | 400 | 01303 | 230 | 19391 | December-98 | 2850477 | December-98 | 147 | 25113678337 | December-98 | 6615 | 3691710715604 | December-98 | 7791 | 53 | 6615 | |||||||||||||||||||||||||
December-99 | December-99 | 0 | 248 | 410 | 1240 | 410 | Nua Ltd | 500 | 01563 | 251 | 22517 | December-99 | 5584216 | December-99 | 248 | 28177547095 | December-99 | 1240 | 6988031679463 | December-99 | 15376 | 62 | 1240 | |||||||||||||||||||||||||
March-00 | March-00 | 0 | 304 | 500 | 1520 | 500 | Nua Ltd | 600 | 01822 | 272 | 25638 | March-00 | 7793952 | December-00 | 361 | 3161520784 | December-00 | 19855 | 11413090030294 | December-00 | 2527 | 7 | 19855 | |||||||||||||||||||||||||
July-00 | July-00 | 0 | 359 | 590 | 1795 | 590 | Nua Ltd | 700 | 02081 | 293 | 28754 | July-00 | 10322686 | December-01 | 543 | 35472263197 | December-01 | 3258 | 1926143891578 | December-01 | 39639 | 73 | 3258 | |||||||||||||||||||||||||
December-00 | December-00 | 0 | 361 | 580 | 1805 | 580 | Internet World Stats | 800 | 02338 | 313 | 31864 | December-00 | 11502904 | December-02 | 607 | 39799879307 | December-02 | 39455 | 2415852673913 | December-02 | 47953 | 79 | 39455 | |||||||||||||||||||||||||
March-01 | March-01 | 0 | 458 | 760 | 2290 | 760 | Nua Ltd | 900 | 02852 | 334 | 34967 | March-01 | 16014886 | December-03 | 719 | 44655464582 | December-03 | 5033 | 32107279034493 | December-03 | 61115 | 85 | 5033 | |||||||||||||||||||||||||
June-01 | June-01 | 0 | 479 | 790 | 2395 | 790 | Nua Ltd | 1000 | 03107 | 355 | 38061 | June-01 | 18231219 | December-04 | 817 | 50103431261 | December-04 | 61275 | 40934503340285 | December-04 | 7353 | 9 | 61275 | |||||||||||||||||||||||||
August-01 | August-01 | 0 | 513 | 860 | 2565 | 860 | Nua Ltd | 1100 | 03361 | 396 | 44221 | August-01 | 22685373 | December-05 | 1018 | 56216049875 | December-05 | 8144 | 57227938772657 | December-05 | 9467 | 93 | 8144 | |||||||||||||||||||||||||
April-02 | April-02 | 0 | 558 | 860 | 2790 | 860 | Internet World Stats | 1200 | 03614 | 417 | 47284 | April-02 | 26384472 | December-06 | 1093 | 6307440796 | December-06 | 9291 | 68940327899894 | December-06 | 10602 | 97 | 9291 | |||||||||||||||||||||||||
July-02 | July-02 | 0 | 569 | 910 | 2845 | 910 | Internet World Stats | 1300 | 03866 | 437 | 50334 | July-02 | 28640046 | December-07 | 1319 | 70769485731 | December-07 | 11871 | 93344951678825 | December-07 | 13454 | 102 | 11871 | |||||||||||||||||||||||||
September-02 | September-02 | 0 | 587 | 940 | 2935 | 940 | Internet World Stats | 1400 | 04117 | 458 | 53371 | September-02 | 31328777 | December-08 | 1574 | 7940336299 | December-08 | 14953 | 124980893346059 | December-08 | 16527 | 105 | 14953 | |||||||||||||||||||||||||
March-03 | March-03 | 0 | 608 | 970 | 3040 | 970 | Internet World Stats | 1500 | 04366 | 478 | 56394 | March-03 | 34287552 | December-09 | 1802 | 89090573275 | December-09 | 18020 | 160541213040896 | December-09 | 19462 | 108 | 18020 | |||||||||||||||||||||||||
September-03 | September-03 | 0 | 677 | 1060 | 3385 | 1060 | Internet World Stats | 1600 | 04614 | 498 | 59401 | September-03 | 40214477 | December-10 | 1971 | 99959623214 | December-10 | 20696 | 197020417355075 | December-10 | 21681 | 11 | 20696 | |||||||||||||||||||||||||
October-03 | October-03 | 0 | 682 | 1070 | 3410 | 1070 | Internet World Stats | 1700 | 0486 | 518 | 62392 | October-03 | 42551344 | |||||||||||||||||||||||||||||||||||
December-03 | December-03 | 0 | 719 | 1110 | 3595 | 1110 | Internet World Stats | 1800 | 02852 | 538 | 65365 | December-03 | 46997435 | |||||||||||||||||||||||||||||||||||
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Depth Robustness

Definition: A DAG $G=(V,E)$ is $(e,d)$-reducible if there exists $S \subseteq V$ with $|S| \le e$ and $\mathrm{depth}(G - S) \le d$. Otherwise we say that $G$ is $(e,d)$-depth robust.

[Figure: a small DAG on the nodes 1, 2, 3, 4, 5] Example: (1,2)-reducible (removing one node leaves no path with more than 2 edges).
Attacking (e,d)-reducible DAGs

• Input: a set $S$ with $|S| \le e$ such that $\mathrm{depth}(G - S) \le d$, and a parameter $g > d$.
• Light Phase ($g$ rounds): discard most pebbles.
  • Goal: pebble the next $g$ nodes in $g$ (sequential) steps.
  • Low memory: only keep pebbles on $S$ and on the parents of the new nodes.
  • Lasts a "long" time.
• Balloon Phase ($d$ rounds): greedily recover the missing pebbles.
  • Goal: recover the pebbles needed for the upcoming light phase. Because $S$ stays pebbled and $\mathrm{depth}(G-S) \le d$, every node below the current position can be re-pebbled in $d$ parallel rounds.
  • Expensive but quick (at most $d$ steps in parallel).

Theorem (depth-robustness is a necessary condition): If $G$ is not $(e,d)$-depth robust, then $\mathrm{CC}(G) = O\!\left(e\,n + n^{3/2}\sqrt{d}\right)$. In particular $\mathrm{CC}(G) = o(n^2)$ whenever $e, d = o(n)$. (The light phases cost about $n \cdot (e + g)$ in total and the $n/g$ balloon phases about $(n/g) \cdot d \cdot n$; choosing $g \approx \sqrt{nd}$ balances the two terms.)
Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs? Answer: No.

• Catena [FLW15] is $(e, O(n/e))$-reducible: $\mathrm{CC} = O(n^{1.62})$
• Balloon Hashing and Argon2i (old version) are $(e, O(n^2/e^2))$-reducible: $\mathrm{CC} = O(n^{1.71})$
• Argon2i (latest version) is $(e, O(n^3/e^3))$-reducible: $\mathrm{CC} = O(n^{1.77})$
• Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]

• Argon2: winner of the Password Hashing Competition [2015]
• The authors recommend the Argon2i variant (data-independent) for password hashing

Argon2i

[Figure: nodes 1, 2, 3, 4, …, i, …, n in a line; every node i has an edge from i−1 and one from a random earlier node]
• Random predecessor $r(i) < i$
• In-degree $\delta = 2$
Argon2i: Reducing depth to $\sqrt{n}$

[Figure: the nodes $1, 2, 3, \dots, n^{3/4}, \dots, 2n^{3/4}, \dots, n$ split into $\sqrt[4]{n}$ consecutive layers of $n^{3/4}$ nodes each: Layer 0, Layer 1, …, Layer $\sqrt[4]{n}$]

Definition: $S_2 = \{\, v_i : v_{r(i)} \text{ and } v_i \text{ lie in the same layer} \,\}$
Claim: $|S_2|$ is small.
Idea: it is easy to reduce the depth of a path.

Argon2i is a layered DAG (almost)

[Figure: the same layers; once $S_2$ is removed, every random edge points into a later layer and only chain edges remain inside a layer]
Let $S = S_1 \cup S_2$, where $S_1$ is the set that reduces the depth of the chain inside each layer.
Attack Simulation [AB16b]

[Plot: simulated attack cost against Argon2i-B across parameter ranges] The attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line). The pessimistic Argon2i-B parameter setting could easily be chosen when following the Argon2i-B guidelines.
Ideal iMHFs Don't Exist

Thm [AB16]: Any DAG $G$ with constant in-degree is at least somewhat depth-reducible.
Implication: if $\mathrm{CC}(G) = \Omega(n^2)$, there is an attack $A$ of high quality, $\mathrm{Quality}_R(A) = \Omega\!\left(\frac{\log n}{\log\log n}\right)$.
But this is an asymptotic statement: it does not rule out iMHFs that are good enough at practical parameter sizes.
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let $G=(V,E)$ be $(e,d)$-depth robust. Then $\mathrm{CC}(G) \ge e \cdot d$.

Proof: Let $P_1, \dots, P_t$ denote an (optimal) pebbling of $G$ (with $P_0 = \emptyset$), so that $\mathrm{CC}(G) = \sum_j |P_j|$. For $0 \le i < d$ define
$$S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$$
Every $P_j$ contributes to exactly one $S_i$, so $\sum_i |S_i| \le \mathrm{CC}(G)$ and one of the sets $S_i$ has size at most $\mathrm{CC}(G)/d$. Now we claim that $\mathrm{depth}(G - S_i) \le d$: no node of a path in $G - S_i$ carries a pebble at any sampled round $i, d+i, 2d+i, \dots$, yet the path must have been completely pebbled at some point, node after node; thus it was pebbled entirely during one interval containing no sampled round, i.e. an interval of length at most $d$. Hence $G$ is $(\mathrm{CC}(G)/d,\, d)$-reducible, and since $G$ is $(e,d)$-depth robust this forces $\mathrm{CC}(G)/d > e$. It follows that $\mathrm{CC}(G) \ge e \cdot d$. $\square$

Implications: there exists a constant in-degree graph $G$ with
$$\mathrm{CC}(G) \ge \Omega\!\left(\frac{n^2}{\log n}\right).$$
Previous best [AS15]: $\Omega\!\left(\frac{n^2}{\log^{10} n}\right)$.
[AB16]: we cannot do better (in an asymptotic sense).
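The two results on these slides, as one added, runnable example written for this page (not the AB16/ABP16 authors' code): the light/balloon attack on an $(e,d)$-reducible DAG from the "Attacking (e,d)-reducible DAGs" slide, and the extraction of a depth-reducing set $S_i = P_i \cup P_{d+i} \cup \cdots$ from a recorded pebbling as in the proof above. It assumes a toy single-pass "Argon2i-like" DAG (chain edge plus one uniformly random predecessor, not Argon2i's real indexing function), the layered set $S = S_1 \cup S_2$ with $S_1$ taken to be every $g_1$-th node, and parameter names (`layers`, `g1`, `g`, `seed`) chosen here. Cumulative cost is the sum over parallel pebbling rounds of the number of pebbles held; the honest baseline stores every block, $|P_t| = t$.

```python
"""Light/balloon pebbling attack on a depth-reducible DAG (after AB16) and
extraction of a depth-reducing set from a recorded pebbling (after ABP16)."""
import random
from bisect import bisect_right
from collections import Counter


def argon2i_like_dag(n, seed=0):
    """parents[i] = chain edge i-1 plus one uniformly random r(i) < i; a toy
    stand-in for Argon2i's single-pass graph (node 1 has no parents)."""
    rng = random.Random(seed)
    parents = [()] * (n + 1)
    for i in range(2, n + 1):
        r = rng.randint(1, i - 1)
        parents[i] = (i - 1,) if r == i - 1 else (i - 1, r)
    return parents


def levels(parents, n, S):
    """level[v] = nodes on the longest path ending at v inside G-S (0 on S);
    depth(G-S) in edges is therefore max(level) - 1."""
    level = [0] * (n + 1)
    for v in range(1, n + 1):
        if v not in S:
            level[v] = 1 + max((level[p] for p in parents[v]), default=0)
    return level


def layered_reducing_set(parents, n, layers, g1):
    """S = S1 | S2 from the slides: S1 = every g1-th node (cuts each chain into
    runs of < g1 nodes), S2 = nodes whose random parent lies in their own layer.
    In G-S a path enters each layer once, via chain edges only: depth < layers*g1."""
    size = n // layers
    return {v for v in range(1, n + 1) if v % g1 == 0
            or any((p - 1) // size == (v - 1) // size for p in parents[v][1:])}


def light_balloon_attack(parents, n, S, g, trace=None):
    """Cumulative cost = sum over parallel rounds of pebbles held.  Light phase:
    pebble g consecutive nodes, one per round, holding only S and the parents the
    chunk still needs.  Balloon phase before each chunk: re-pebble everything
    below the frontier level by level (legal: S stays pebbled, depth(G-S) small)."""
    level = levels(parents, n, S)
    by_level = {}
    for v in range(1, n + 1):
        if v not in S:
            by_level.setdefault(level[v], []).append(v)  # ascending node ids
    pebbles, cost = set(), 0

    def step():                               # one parallel round has ended
        nonlocal cost
        cost += len(pebbles)
        if trace is not None:
            trace.append(frozenset(pebbles))

    for f in range(0, n, g):                  # nodes 1..f lie below the frontier
        for j in range(1, max(level) + 1):    # balloon phase (no-op when f == 0)
            if len(pebbles) == f:
                break
            fresh = by_level.get(j, [])
            fresh = fresh[:bisect_right(fresh, f)]
            assert all(p in pebbles for v in fresh for p in parents[v])  # legal
            pebbles.update(fresh)
            step()
        assert len(pebbles) == f              # everything below f is pebbled
        chunk = range(f + 1, min(f + g, n) + 1)
        need = Counter(p for v in chunk for p in parents[v])
        pebbles = {v for v in pebbles if v in S or need[v]}  # discards are free
        for v in chunk:                       # light phase: one node per round
            assert all(p in pebbles for p in parents[v])     # legal
            pebbles.add(v)
            for p in parents[v]:
                need[p] -= 1
                if need[p] == 0 and p not in S:
                    pebbles.discard(p)
            step()
    assert n in pebbles
    return cost


def extract_reducing_set(parents, n, trace, d):
    """The proof's construction, executed: from P_1..P_t and any d, return the
    smallest S_i = P_i | P_{d+i} | ...; then depth(G-S_i) < d and |S_i| <= CC/d."""
    best = min((frozenset().union(*trace[i::d]) for i in range(d)), key=len)
    assert max(levels(parents, n, best)) - 1 < d
    return best


def demo_attack(n=1 << 16, layers=16, g1=64, g=1 << 13, seed=1):
    parents = argon2i_like_dag(n, seed)
    S = layered_reducing_set(parents, n, layers, g1)
    return {"e": len(S), "depth": max(levels(parents, n, S)) - 1,
            "attack": light_balloon_attack(parents, n, S, g),
            "honest": n * (n + 1) // 2}       # honest evaluation keeps every block


def demo_extraction(n=1024, d=32, seed=1):
    parents = argon2i_like_dag(n, seed)
    S, trace = layered_reducing_set(parents, n, 4, 8), []
    cost = light_balloon_attack(parents, n, S, 128, trace)
    return len(extract_reducing_set(parents, n, trace, d)), cost // d
```

`demo_attack()` reports $e = |S|$, the measured $\mathrm{depth}(G-S)$ (below the `layers*g1` bound), and the attack's cumulative cost, which at $n = 2^{16}$ comes out below the honest $n(n+1)/2$ even though the constants are untuned. `demo_extraction()` records the attack's own pebbling on a smaller graph and, for $d = 32$, returns a set $S_i$ whose size is at most $\mathrm{CC}/d$; the assertion inside `extract_reducing_set` checks the claim $\mathrm{depth}(G - S_i) < d$ from the proof.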
Summary

• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But it still has its flaws [AB16, AB17]
• Current recommendation: Argon2id
  • Without side-channel attacks: resists known attacks
  • Side-channel attacks reduce its security to that of Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

• Depth-robustness is necessary and sufficient for secure iMHFs [AB16, ABP16]
• Big challenge: improved constructions of depth-robust graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter

Thanks for Listening
Passwords vs. time: Look how far we've come

[Chart: number of Internet users and accounts per year from December 1990 onward, with the Netscape IPO and the dot-com crash marked. Source: Cormac's estimate, drawing on IDC, Nua Ltd and Internet World Stats figures]

"The password is dead"

Biometrics
• Alternatives to Passwords
• Challenges: revocation (a compromised biometric cannot be changed), secrecy (a biometric is not a secret)

Hardware Tokens
• Alternatives to Passwords
• Challenge: $$$ + more stuff to carry around

Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords

Graphical Passwords: Hotspots

Password Managers
• Password Management Software
• Challenge: Single point of failure

Related Work
References

• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working paper. [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear). [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016. [Full Version]
Everybody |
DATE | DATE | NUMBER OF USERS | WORLD | WORLD | INFORMATION | DATE | DATE | NUMBER OF USERS | DATE | DATE | acctsyr | |||||||||||||||||||||||||||||||||||||
POPULATION | POPULATION | SOURCE | ||||||||||||||||||||||||||||||||||||||||||||||
December-90 | 0 | 3 | 15 | 020 | 00261 | 000 | 1 | December-90 | 3 | 1 | December-90 | 3 | 1 | December-90 | 3 | 3 | December-90 | 3 | 1 | 3 | ||||||||||||||||||||||||||||
December-95 | December-95 | 0 | 16 | 040 | 80 | 040 | IDC | 100 | 00522 | 180 | 12 | December-95 | 192 | December-95 | 16 | 1778 | December-95 | 48 | 28448 | December-95 | 48 | 3 | 48 | |||||||||||||||||||||||||
December-96 | December-96 | 0 | 36 | 090 | 180 | 090 | IDC | 200 | 00783 | 188 | 13132 | December-96 | 472752 | December-96 | 36 | 1994916 | December-96 | 126 | 71816976 | December-96 | 1368 | 38 | 126 | |||||||||||||||||||||||||
December-97 | December-97 | 0 | 70 | 170 | 350 | 170 | IDC | 300 | 01043 | 209 | 16263 | December-97 | 113841 | December-97 | 70 | 2238295752 | December-97 | 280 | 15668070264 | December-97 | 322 | 46 | 280 | |||||||||||||||||||||||||
December-98 | December-98 | 0 | 147 | 360 | 735 | 360 | CI Almanac | 400 | 01303 | 230 | 19391 | December-98 | 2850477 | December-98 | 147 | 25113678337 | December-98 | 6615 | 3691710715604 | December-98 | 7791 | 53 | 6615 | |||||||||||||||||||||||||
December-99 | December-99 | 0 | 248 | 410 | 1240 | 410 | Nua Ltd | 500 | 01563 | 251 | 22517 | December-99 | 5584216 | December-99 | 248 | 28177547095 | December-99 | 1240 | 6988031679463 | December-99 | 15376 | 62 | 1240 | |||||||||||||||||||||||||
March-00 | March-00 | 0 | 304 | 500 | 1520 | 500 | Nua Ltd | 600 | 01822 | 272 | 25638 | March-00 | 7793952 | December-00 | 361 | 3161520784 | December-00 | 19855 | 11413090030294 | December-00 | 2527 | 7 | 19855 | |||||||||||||||||||||||||
July-00 | July-00 | 0 | 359 | 590 | 1795 | 590 | Nua Ltd | 700 | 02081 | 293 | 28754 | July-00 | 10322686 | December-01 | 543 | 35472263197 | December-01 | 3258 | 1926143891578 | December-01 | 39639 | 73 | 3258 | |||||||||||||||||||||||||
December-00 | December-00 | 0 | 361 | 580 | 1805 | 580 | Internet World Stats | 800 | 02338 | 313 | 31864 | December-00 | 11502904 | December-02 | 607 | 39799879307 | December-02 | 39455 | 2415852673913 | December-02 | 47953 | 79 | 39455 | |||||||||||||||||||||||||
March-01 | March-01 | 0 | 458 | 760 | 2290 | 760 | Nua Ltd | 900 | 02852 | 334 | 34967 | March-01 | 16014886 | December-03 | 719 | 44655464582 | December-03 | 5033 | 32107279034493 | December-03 | 61115 | 85 | 5033 | |||||||||||||||||||||||||
June-01 | June-01 | 0 | 479 | 790 | 2395 | 790 | Nua Ltd | 1000 | 03107 | 355 | 38061 | June-01 | 18231219 | December-04 | 817 | 50103431261 | December-04 | 61275 | 40934503340285 | December-04 | 7353 | 9 | 61275 | |||||||||||||||||||||||||
August-01 | August-01 | 0 | 513 | 860 | 2565 | 860 | Nua Ltd | 1100 | 03361 | 396 | 44221 | August-01 | 22685373 | December-05 | 1018 | 56216049875 | December-05 | 8144 | 57227938772657 | December-05 | 9467 | 93 | 8144 | |||||||||||||||||||||||||
April-02 | April-02 | 0 | 558 | 860 | 2790 | 860 | Internet World Stats | 1200 | 03614 | 417 | 47284 | April-02 | 26384472 | December-06 | 1093 | 6307440796 | December-06 | 9291 | 68940327899894 | December-06 | 10602 | 97 | 9291 | |||||||||||||||||||||||||
July-02 | July-02 | 0 | 569 | 910 | 2845 | 910 | Internet World Stats | 1300 | 03866 | 437 | 50334 | July-02 | 28640046 | December-07 | 1319 | 70769485731 | December-07 | 11871 | 93344951678825 | December-07 | 13454 | 102 | 11871 | |||||||||||||||||||||||||
September-02 | September-02 | 0 | 587 | 940 | 2935 | 940 | Internet World Stats | 1400 | 04117 | 458 | 53371 | September-02 | 31328777 | December-08 | 1574 | 7940336299 | December-08 | 14953 | 124980893346059 | December-08 | 16527 | 105 | 14953 | |||||||||||||||||||||||||
March-03 | March-03 | 0 | 608 | 970 | 3040 | 970 | Internet World Stats | 1500 | 04366 | 478 | 56394 | March-03 | 34287552 | December-09 | 1802 | 89090573275 | December-09 | 18020 | 160541213040896 | December-09 | 19462 | 108 | 18020 | |||||||||||||||||||||||||
September-03 | September-03 | 0 | 677 | 1060 | 3385 | 1060 | Internet World Stats | 1600 | 04614 | 498 | 59401 | September-03 | 40214477 | December-10 | 1971 | 99959623214 | December-10 | 20696 | 197020417355075 | December-10 | 21681 | 11 | 20696 | |||||||||||||||||||||||||
October-03 | October-03 | 0 | 682 | 1070 | 3410 | 1070 | Internet World Stats | 1700 | 0486 | 518 | 62392 | October-03 | 42551344 | |||||||||||||||||||||||||||||||||||
December-03 | December-03 | 0 | 719 | 1110 | 3595 | 1110 | Internet World Stats | 1800 | 02852 | 538 | 65365 | December-03 | 46997435 | |||||||||||||||||||||||||||||||||||
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
-reducible
119862119862119862119862 = 119874119874 119894119894162
bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992
1198901198902-reducible
119862119862119862119862 = 119874119874 119894119894171
bull Argon2i (latest version) is 119890119890 119874119874 1198991198993
1198901198903-reducible
119862119862119862119862 = 119874119874 119894119894177
bull Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
bull Argon2 Winner of the password hashing competition[2015]
bull Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
1 2 3 4 ihellip n
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894helliphelliphellip
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816
helliphelliphellip
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications: There exists a constant-indegree graph G with CC(G) ≥ Ω(n²/log n).
Previous best [AS15]: Ω(n²/log^10 n).
[AB16]: We cannot do better (in an asymptotic sense).
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing.
• Argon2i is an improvement over BCRYPT and PBKDF2, but still has its flaws [AB16, AB17].
• Current recommendation: Argon2id.
  • No side-channel attacks: resists known attacks.
  • Side-channel attacks reduce security to Argon2i.
• Look for improvements in the near future using depth-robust graphs [ABP17].
Conclusions
• Depth-robustness is a necessary and sufficient condition for secure iMHFs [AB16, ABP16].
• Big challenge: improved constructions of depth-robust graphs.
  • We already have constructions in theory [EGS77, PR80, …].
  • But constants matter.
Thanks for Listening
Passwords vs. time: Look how far we've come
[Chart: passwords over time, annotated with the Netscape IPO and the dot-com crash. Source: Cormac's estimate.]
"The password is dead"
Alternatives to Passwords
Biometrics
• Challenges: Revoke, Secrecy
Hardware Tokens
• Challenge: $$$ + more stuff to carry around
Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords
Graphical Passwords: Hotspots
Password Managers
• Password Management Software
• Challenge: Single point of failure
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working paper. [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear). [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016. [Full Version]
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
-reducible
119862119862119862119862 = 119874119874 119894119894162
bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992
1198901198902-reducible
119862119862119862119862 = 119874119874 119894119894171
bull Argon2i (latest version) is 119890119890 119874119874 1198991198993
1198901198903-reducible
119862119862119862119862 = 119874119874 119894119894177
bull Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
bull Argon2 Winner of the password hashing competition[2015]
bull Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
1 2 3 4 ihellip n
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894helliphelliphellip
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816
helliphelliphellip
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Biometrics
59
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Hardware Tokens
61
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Everybody |
DATE | DATE | NUMBER OF USERS | WORLD | WORLD | INFORMATION | DATE | DATE | NUMBER OF USERS | DATE | DATE | acctsyr | |||||||||||||||||||||||||||||||||||||
POPULATION | POPULATION | SOURCE | ||||||||||||||||||||||||||||||||||||||||||||||
December-90 | 0 | 3 | 15 | 020 | 00261 | 000 | 1 | December-90 | 3 | 1 | December-90 | 3 | 1 | December-90 | 3 | 3 | December-90 | 3 | 1 | 3 | ||||||||||||||||||||||||||||
December-95 | December-95 | 0 | 16 | 040 | 80 | 040 | IDC | 100 | 00522 | 180 | 12 | December-95 | 192 | December-95 | 16 | 1778 | December-95 | 48 | 28448 | December-95 | 48 | 3 | 48 | |||||||||||||||||||||||||
December-96 | December-96 | 0 | 36 | 090 | 180 | 090 | IDC | 200 | 00783 | 188 | 13132 | December-96 | 472752 | December-96 | 36 | 1994916 | December-96 | 126 | 71816976 | December-96 | 1368 | 38 | 126 | |||||||||||||||||||||||||
December-97 | December-97 | 0 | 70 | 170 | 350 | 170 | IDC | 300 | 01043 | 209 | 16263 | December-97 | 113841 | December-97 | 70 | 2238295752 | December-97 | 280 | 15668070264 | December-97 | 322 | 46 | 280 | |||||||||||||||||||||||||
December-98 | December-98 | 0 | 147 | 360 | 735 | 360 | CI Almanac | 400 | 01303 | 230 | 19391 | December-98 | 2850477 | December-98 | 147 | 25113678337 | December-98 | 6615 | 3691710715604 | December-98 | 7791 | 53 | 6615 | |||||||||||||||||||||||||
December-99 | December-99 | 0 | 248 | 410 | 1240 | 410 | Nua Ltd | 500 | 01563 | 251 | 22517 | December-99 | 5584216 | December-99 | 248 | 28177547095 | December-99 | 1240 | 6988031679463 | December-99 | 15376 | 62 | 1240 | |||||||||||||||||||||||||
March-00 | March-00 | 0 | 304 | 500 | 1520 | 500 | Nua Ltd | 600 | 01822 | 272 | 25638 | March-00 | 7793952 | December-00 | 361 | 3161520784 | December-00 | 19855 | 11413090030294 | December-00 | 2527 | 7 | 19855 | |||||||||||||||||||||||||
July-00 | July-00 | 0 | 359 | 590 | 1795 | 590 | Nua Ltd | 700 | 02081 | 293 | 28754 | July-00 | 10322686 | December-01 | 543 | 35472263197 | December-01 | 3258 | 1926143891578 | December-01 | 39639 | 73 | 3258 | |||||||||||||||||||||||||
December-00 | December-00 | 0 | 361 | 580 | 1805 | 580 | Internet World Stats | 800 | 02338 | 313 | 31864 | December-00 | 11502904 | December-02 | 607 | 39799879307 | December-02 | 39455 | 2415852673913 | December-02 | 47953 | 79 | 39455 | |||||||||||||||||||||||||
March-01 | March-01 | 0 | 458 | 760 | 2290 | 760 | Nua Ltd | 900 | 02852 | 334 | 34967 | March-01 | 16014886 | December-03 | 719 | 44655464582 | December-03 | 5033 | 32107279034493 | December-03 | 61115 | 85 | 5033 | |||||||||||||||||||||||||
June-01 | June-01 | 0 | 479 | 790 | 2395 | 790 | Nua Ltd | 1000 | 03107 | 355 | 38061 | June-01 | 18231219 | December-04 | 817 | 50103431261 | December-04 | 61275 | 40934503340285 | December-04 | 7353 | 9 | 61275 | |||||||||||||||||||||||||
August-01 | August-01 | 0 | 513 | 860 | 2565 | 860 | Nua Ltd | 1100 | 03361 | 396 | 44221 | August-01 | 22685373 | December-05 | 1018 | 56216049875 | December-05 | 8144 | 57227938772657 | December-05 | 9467 | 93 | 8144 | |||||||||||||||||||||||||
April-02 | April-02 | 0 | 558 | 860 | 2790 | 860 | Internet World Stats | 1200 | 03614 | 417 | 47284 | April-02 | 26384472 | December-06 | 1093 | 6307440796 | December-06 | 9291 | 68940327899894 | December-06 | 10602 | 97 | 9291 | |||||||||||||||||||||||||
July-02 | July-02 | 0 | 569 | 910 | 2845 | 910 | Internet World Stats | 1300 | 03866 | 437 | 50334 | July-02 | 28640046 | December-07 | 1319 | 70769485731 | December-07 | 11871 | 93344951678825 | December-07 | 13454 | 102 | 11871 | |||||||||||||||||||||||||
September-02 | September-02 | 0 | 587 | 940 | 2935 | 940 | Internet World Stats | 1400 | 04117 | 458 | 53371 | September-02 | 31328777 | December-08 | 1574 | 7940336299 | December-08 | 14953 | 124980893346059 | December-08 | 16527 | 105 | 14953 | |||||||||||||||||||||||||
March-03 | March-03 | 0 | 608 | 970 | 3040 | 970 | Internet World Stats | 1500 | 04366 | 478 | 56394 | March-03 | 34287552 | December-09 | 1802 | 89090573275 | December-09 | 18020 | 160541213040896 | December-09 | 19462 | 108 | 18020 | |||||||||||||||||||||||||
September-03 | September-03 | 0 | 677 | 1060 | 3385 | 1060 | Internet World Stats | 1600 | 04614 | 498 | 59401 | September-03 | 40214477 | December-10 | 1971 | 99959623214 | December-10 | 20696 | 197020417355075 | December-10 | 21681 | 11 | 20696 | |||||||||||||||||||||||||
October-03 | October-03 | 0 | 682 | 1070 | 3410 | 1070 | Internet World Stats | 1700 | 0486 | 518 | 62392 | October-03 | 42551344 | |||||||||||||||||||||||||||||||||||
December-03 | December-03 | 0 | 719 | 1110 | 3595 | 1110 | Internet World Stats | 1800 | 02852 | 538 | 65365 | December-03 | 46997435 | |||||||||||||||||||||||||||||||||||
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
-reducible
119862119862119862119862 = 119874119874 119894119894162
bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992
1198901198902-reducible
119862119862119862119862 = 119874119874 119894119894171
bull Argon2i (latest version) is 119890119890 119874119874 1198991198993
1198901198903-reducible
119862119862119862119862 = 119874119874 119894119894177
bull Similar picture for most other iMHF candidates [AGKKOPRRR16]
Argon2i [BDK]
bull Argon2 Winner of the password hashing competition[2015]
bull Authors recommend Argon2i variant (data-independent) for password hashing
Argon2i
1 2 3 4 ihellip n
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894helliphelliphellip
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816
helliphelliphellip
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Biometrics
59
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Hardware Tokens
61
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working paper. [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear). [ePrint]
• Efficiently Computing Data-Independent Memory-Hard Functions, with Joel Alwen. CRYPTO 2016. [Full Version]
Argon2i [BDK]
• Argon2: winner of the Password Hashing Competition (2015)
• The authors recommend the Argon2i variant (data-independent) for password hashing
Argon2i
Nodes 1, 2, 3, 4, …, i, …, n: each node i has a random predecessor r(i) < i.
Indegree δ = 2
Argon2i: Reducing depth to √n
Nodes 1, 2, 3, …, n^{3/4} | n^{3/4}+1, +2, +3, …, 2n^{3/4} | … | …, n
Layer 0 | Layer 1 | … | Layer n^{1/4}
Definition: S_2 = { v_i : v_{r(i)} and v_i lie in the same layer }
Claim: S_2 is small.
Fact: It is easy to reduce the depth of a path.
Argon2i is a layered DAG (almost).
Let S = S_1 ∪ S_2.
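An added example, not code from the slides or from the Argon2 project: it builds the Argon2i-style DAG described above (node i depends on i−1 and on a uniformly random r(i) < i), forms the layered set S = S_1 ∪ S_2 and measures how far removing S reduces the depth, the check a designer would run before trusting an iMHF's graph. Assumptions: layers of n^{3/4} nodes, S_1 taken as every n^{1/4}-th node of the chain, n = 4096, a fixed seed, and Python's PRNG in place of Argon2's real indexing rule.

```python
import random


def argon2i_graph(n, seed=0):
    """Parents of nodes 1..n in an Argon2i-style DAG (a model of the slide, not Argon2's
    real indexing rule): node i depends on i-1 (chain edge) and on a uniformly random
    r(i) < i, so the indegree is at most 2 and the edges do not depend on the input."""
    rng = random.Random(seed)
    parents = {1: []}
    for i in range(2, n + 1):
        r = rng.randrange(1, i)                 # random predecessor r(i) < i
        parents[i] = [i - 1] if r == i - 1 else [i - 1, r]
    return parents


def depth(parents, removed=frozenset()):
    """Number of nodes on a longest path of G - removed (nodes are topologically numbered)."""
    longest = {}
    for v in sorted(parents):
        if v not in removed:
            longest[v] = 1 + max((longest[p] for p in parents[v] if p not in removed), default=0)
    return max(longest.values(), default=0)


def layered_reduction(parents, n):
    """The set S = S1 ∪ S2 from the slides.
    Layers (assumption): consecutive blocks of n^{3/4} nodes, i.e. n^{1/4} layers.
    S2: nodes whose random parent r(i) lies in their own layer.  Without them the only
        edges inside a layer are chain edges, so G - S2 is layered.
    S1: every n^{1/4}-th node of the chain (assumption), so a path can follow the chain for
        fewer than n^{1/4} steps inside one layer.  Any path in G - S visits the n^{1/4}
        layers in increasing order, hence depth(G - S) <= n^{1/4} * n^{1/4} = sqrt(n)."""
    layer_size = max(1, round(n ** 0.75))
    gap = max(1, round(n ** 0.25))

    def layer(v):
        return (v - 1) // layer_size

    s2 = {v for v, ps in parents.items() if len(ps) == 2 and layer(ps[1]) == layer(v)}
    s1 = {v for v in parents if v % gap == 0}
    return s1, s2


def measure(n=4096, seed=0):
    """Sizes of S1 and S2, depth before/after removing S, and the sqrt(n) target depth."""
    parents = argon2i_graph(n, seed)
    s1, s2 = layered_reduction(parents, n)
    removed = frozenset(s1 | s2)
    return {
        "n": n,
        "S1": len(s1),
        "S2": len(s2),
        "S": len(removed),
        "depth_before": depth(parents),          # the chain 1 -> 2 -> ... -> n alone gives n
        "depth_after": depth(parents, removed),
        "target": round(n ** 0.5),
    }


if __name__ == "__main__":
    print(measure())                              # n = 4096: |S1| = 512, depth_after <= 64
```

For n = 4096 the removed set is well under half the nodes while the depth drops from 4096 to at most 64; the asymptotic claim on the slide is that |S| grows only like Õ(n^{3/4}).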
Attack Simulation [AB16b]
The attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line in the plot).
Pessimistic Argon2i-B parameters: a setting that could easily be chosen when following the Argon2i-B guidelines.
Ideal iMHFs Don't Exist
Thm [AB16]: Any graph G (with constant in-degree) is at least somewhat depth-reducible.
Implication: If CC(G) = Ω(n²), there is an attack A with high quality: Quality_R(A) = Ω(log n / log log n).
But we cannot rule them out in practice.
Outline
• Motivation
• Data-Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let G=(V,E) be (e,d)-depth robust; then CC(G) ≥ e·d.
Proof: Let P_1, …, P_t denote an (optimal) pebbling of G. For 0 < i < d define S_i = P_i ∪ P_{d+i} ∪ P_{2d+i} ∪ ⋯. One of the sets S_i has size at most CC(G)/d. Now we claim that d ≥ depth(G − S_i), because any path in G − S_i must have been completely pebbled at some point; thus it must have been pebbled entirely during some interval of length d. Thus G is (CC(G)/d, d)-reducible. Since G is (e,d)-depth robust, any set whose removal brings the depth below d has at least e nodes, so CC(G)/d ≥ e. It follows that CC(G) ≥ e·d.
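The set construction in the proof above, as an added example that is not part of the slides: a greedy sequential pebbling of a small DAG is recorded, the unions S_i = P_i ∪ P_{d+i} ∪ P_{2d+i} ∪ ⋯ are formed for each residue class, and the smallest one is checked against both bounds the proof uses (|S_i| ≤ CC(G)/d and depth(G − S_i) < d). The 16-node DAG, the pebbling strategy and d = 4 are constructed for illustration.

```python
def depth(parents, removed=frozenset()):
    """Number of nodes on a longest path of G - removed (nodes are topologically numbered)."""
    longest = {}
    for v in sorted(parents):
        if v not in removed:
            longest[v] = 1 + max((longest[p] for p in parents[v] if p not in removed), default=0)
    return max(longest.values(), default=0)


def sequential_pebbling(parents):
    """Greedy sequential pebbling: pebble node t at step t, then drop every pebble whose
    children are all already pebbled (the sink is kept).  Returns P_1, ..., P_n.  Legality
    is checked: a node may be pebbled only if all its parents hold pebbles in P_{t-1}."""
    n = len(parents)
    children = {v: [] for v in parents}
    for v, ps in parents.items():
        for p in ps:
            children[p].append(v)
    configs, current = [], set()
    for t in range(1, n + 1):
        if any(p not in current for p in parents[t]):
            raise ValueError(f"illegal move: node {t} pebbled before its parents")
        current = {v for v in current | {t} if v == n or any(c > t for c in children[v])}
        configs.append(frozenset(current))
    return configs


def cumulative_cost(configs):
    """CC of a pebbling: total number of pebbles summed over all steps."""
    return sum(len(p) for p in configs)


def depth_reducing_set(configs, d):
    """S_i = P_i ∪ P_{d+i} ∪ P_{2d+i} ∪ ... for each residue i (d classes in total); return
    the smallest.  The d sets together cost exactly CC, so the smallest has size <= CC/d."""
    return min((frozenset().union(*configs[i::d]) for i in range(d)), key=len)


def demo(d=4):
    """Constructed 16-node DAG: the chain 1 -> 2 -> ... -> 16 plus five longer edges."""
    n = 16
    parents = {v: ([v - 1] if v > 1 else []) for v in range(1, n + 1)}
    for v, extra in {5: 1, 9: 1, 11: 3, 13: 5, 16: 8}.items():
        parents[v].append(extra)
    configs = sequential_pebbling(parents)
    cc = cumulative_cost(configs)
    s = depth_reducing_set(configs, d)
    after = depth(parents, s)
    return {
        "cc": cc,                                  # 44 for this DAG and pebbling
        "d": d,
        "S": sorted(s),                            # [1, 3, 5, 8, 9, 13]
        "depth_before": depth(parents),            # 16: the chain itself
        "depth_after": after,                      # 3 < d
        "bounds_hold": len(s) <= cc / d and after < d,
    }


if __name__ == "__main__":
    print(demo())
```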
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Argon2i

[Diagram: nodes 1, 2, 3, 4, …, i, …, n in a chain; each node i additionally has one random predecessor r(i) < i, so the indegree is δ = 2.]

Argon2i: Reducing depth to √n

[Diagram: the n nodes split into n^{1/4} layers of n^{3/4} consecutive nodes each. Layer 0 holds nodes 1, 2, 3, …, n^{3/4}; Layer 1 ends at 2n^{3/4}; …; the last layer (Layer n^{1/4}) ends at node n.]

Definition: S2 = { v_i : v_{r(i)} and v_i are in the same layer }

Claim: S2 is small.

Fact: it is easy to reduce the depth of a path.

Argon2i is a layered DAG (almost)

[Same layered diagram, with the edges of the graph drawn in.]

Let S = S1 + S2.
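The layered depth reduction described above, run on a small instance, as an added example that is not from the slides or from the cited papers. It uses the slide's simplified model of Argon2i (a chain edge plus one uniformly random edge r(i) < i, not Argon2i's real indexing rule), removes S = S1 ∪ S2 with layers of n^{3/4} nodes, and reports the depth before and after; all function and variable names are assumptions of this example.

```python
"""Depth reduction of an Argon2i-style DAG (added example, not from the slides)."""
import math
import random
from typing import Dict, List, Set


def argon2i_like_graph(n: int, seed: int = 0) -> Dict[int, List[int]]:
    """Return parents[v] for v in 1..n in the slide's model: node i > 1 has the
    chain parent i-1 and one random parent r(i) < i (indegree 2). Node 1 has none.
    The seed makes the constructed instance reproducible."""
    rng = random.Random(seed)
    parents: Dict[int, List[int]] = {1: []}
    for i in range(2, n + 1):
        parents[i] = [i - 1, rng.randint(1, i - 1)]  # [chain edge, random edge r(i)]
    return parents


def depth(parents: Dict[int, List[int]], removed: Set[int]) -> int:
    """Number of nodes on a longest path of G - removed, by DP in the topological
    order 1..n (every parent has a smaller id than its child)."""
    longest: Dict[int, int] = {}
    best = 0
    for v in range(1, len(parents) + 1):
        if v in removed:
            continue
        longest[v] = 1 + max((longest[p] for p in parents[v] if p not in removed), default=0)
        best = max(best, longest[v])
    return best


def depth_reducing_set(parents: Dict[int, List[int]], n: int) -> Set[int]:
    """S = S1 ∪ S2 as on the slides, for n = k^4 (so the layer sizes are exact).

    Layers: n^(1/4) blocks of L = n^(3/4) consecutive nodes; layer(v) = (v-1) // L.
    S2 = nodes whose random parent r(v) lies in the same layer as v.
    S1 = every k-th node of each layer's chain, so no chain segment has more
         than k-1 nodes.
    In G - S a path can only climb through layers (all edges point forward), and
    inside one layer only chain edges survive, so it stays at most k-1 nodes per
    layer: depth(G - S) <= n^(1/4) * n^(1/4) = sqrt(n).
    """
    k = round(n ** 0.25)
    if k ** 4 != n:
        raise ValueError("this demo needs n to be a perfect fourth power")
    L = k ** 3

    def layer(v: int) -> int:
        return (v - 1) // L

    s2 = {v for v in range(2, n + 1) if layer(parents[v][1]) == layer(v)}
    s1 = {v for v in range(1, n + 1) if ((v - 1) % L) % k == k - 1}
    return s1 | s2


def reduction_summary(n: int = 4096, seed: int = 0) -> Dict[str, int]:
    """Build an instance and measure (e, d): how many nodes were removed and
    what depth remains. The chain alone gives depth n before removal."""
    g = argon2i_like_graph(n, seed)
    s = depth_reducing_set(g, n)
    return {
        "n": n,
        "depth_before": depth(g, set()),   # = n because of the chain
        "removed": len(s),                 # the 'e' of (e, d)-reducibility
        "depth_after": depth(g, s),        # the 'd'; at most sqrt(n)
        "sqrt_n_bound": math.isqrt(n),
    }


if __name__ == "__main__":
    print(reduction_summary())
```

At n = 4096 the bound is 64 = √n while roughly a third of the nodes are removed; the removed fraction shrinks as n grows, which is the O(n^{3/4} log n) size of S behind the attack's quality.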
Attack Simulation [AB16b]

[Plot: simulated attack cost against Argon2i-B parameter choices. The attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line). "Pessimistic" Argon2i-B parameter: a setting that could easily be chosen when following the Argon2i-B guidelines.]
Ideal iMHFs Don't Exist

Thm [AB16]: Any graph G (with constant in-degree) is at least somewhat depth-reducible.

Implication: If CC(G) = Ω(n²), there is an attack A with high quality:

Quality_R(A) = Ω(log n / log log n)

But we cannot rule them out in practice.
Outline

• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let G = (V, E) be (e, d)-depth robust. Then CC(G) ≥ e·d.

Proof: Let P_1, …, P_t denote an (optimal) pebbling of G. For 0 < i < d define S_i = P_i ∪ P_{d+i} ∪ P_{2d+i} ∪ ⋯. One of the sets S_i has size at most CC(G)/d. Now we claim that d ≥ depth(G − S_i), because any path in G − S_i must have been completely pebbled at some point, and so must have been pebbled entirely during some interval of length d. Thus G is (CC(G)/d, d)-reducible. It follows that CC(G) ≥ e·d.
Depth-Robustness is Sufficient [ABP16]

Implications: There exists a constant-indegree graph G with

CC(G) ≥ Ω(n² / log n)

Previous best [AS15]: Ω(n² / log^10 n)

[AB16]: We cannot do better (in an asymptotic sense).
Summary

• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current recommendation: Argon2id
  • No side-channel attacks: resists known attacks
  • Side-channel attacks reduce security to Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions

• Depth-robustness is necessary and sufficient for secure iMHFs
  • [AB16], [ABP16]
• Big challenge: improved constructions of depth-robust graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening

Passwords vs. time: Look how far we've come

[Chart: passwords vs. time, annotated with the Netscape IPO and the dot-com crash. Source: Cormac's estimate.]

"The password is dead"

Biometrics

• Alternatives to passwords
• Challenges: revoke, secrecy

Hardware Tokens

• Alternatives to passwords
• Challenge: $$$ + more stuff to carry around

Graphical Passwords

• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: multiple passwords

Graphical Passwords: Hotspots

Password Managers

• Password management software

Related Work

• Password management software
  • Challenge: single point of failure
References

• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working paper. [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear). [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016. [Full Version]
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Argon2i: Reducing depth to n^{3/4}
(Figure: nodes 1, 2, 3, …, n^{3/4}, …, 2n^{3/4}, …, n arranged into Layer 0, Layer 1, …, Layer ⁴√n, each layer holding n^{3/4} consecutive nodes.)
Definition: S₂ = { v_i : v_{r(i)} and v_i are in the same layer }
Claim: S₂ … (remainder of the claim lost in extraction)
Fact: Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
(Figure: the same layered arrangement of nodes 1, 2, 3, …, n^{3/4}, …, 2n^{3/4}, …, n into Layer 0, Layer 1, …, Layer ⁴√n, with the in-layer chain edges +2, +3, … marked.)
Let S = S₁ + S₂
Attack Simulation [AB16b]
• Attack on Argon2i-B is practical even for pessimistic parameter ranges (brown line)
• Pessimistic Argon2i-B parameter: a parameter setting that could easily be chosen when following the Argon2i-B guidelines
Ideal iMHFs Don't Exist
Thm [AB16]: Any graph G (with constant in-degree) is at least somewhat depth-reducible.
Implication: If CC(G) = Ω(n²) there is an attack A with high quality: Quality_R(A) = Ω(log n / log log n).
But we cannot rule them out in practice.
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let G = (V, E) be (e, d)-depth robust; then CC(G) ≥ e·d.
Proof: Let P₁, …, P_t denote an (optimal) pebbling of G. For 0 ≤ i < d define S_i = P_i ∪ P_{d+i} ∪ P_{2d+i} ∪ ⋯. Every P_j is counted in exactly one S_i, so one of the sets S_i has size at most CC(G)/d. Now we claim that d ≥ depth(G − S_i), because any path in G − S_i must have been completely pebbled at some point, and no node of that path is ever pebbled at a step j ≡ i (mod d); thus it must have been pebbled entirely during some interval of length d. Thus G is (CC(G)/d, d)-reducible. It follows that CC(G) ≥ e·d.
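The following Python is an added illustration of the [ABP16] argument above (written for this page, not code from the slides or the papers): it builds the sets S_i from a legal pebbling of a small DAG, picks the smallest, checks that removing it drops the depth below d, and then brute-forces the graph's depth-robustness to confirm CC ≥ e·d. The DAG (parents v−1 and v−3), the sliding-window pebbling, and the names `toy_dag` and `window_pebbling` are constructed assumptions, not anything from the talk.

```python
"""Added example: the [ABP16] 'depth-robustness is sufficient' argument on a
constructed DAG.  P_1..P_t is a legal pebbling (P_j = pebbles on G after step j),
CC = sum_j |P_j|, and S_i = P_i ∪ P_{d+i} ∪ P_{2d+i} ∪ ... with P_0 = ∅.
Depth is counted as the number of nodes on the longest path."""
from itertools import combinations


def toy_dag(n):
    """Constructed DAG on nodes 0..n-1: node v has parents v-1 and v-3 (when
    they exist).  Returns parents[v] = set of in-neighbours of v."""
    return {v: {u for u in (v - 1, v - 3) if u >= 0} for v in range(n)}


def window_pebbling(n, width):
    """Constructed legal pebbling of toy_dag(n): at step j node j-1 is placed
    and only the `width` most recently placed nodes are kept."""
    return [set(range(max(0, j - width), j)) for j in range(1, n + 1)]


def is_legal_pebbling(parents, steps):
    """A pebble placed at step j needs all parents pebbled after step j-1
    (P_0 = ∅); removing pebbles is always allowed."""
    prev = set()
    for cur in steps:
        for v in cur - prev:
            if not parents[v] <= prev:
                return False
        prev = cur
    return True


def cumulative_cost(steps):
    """CC of a pebbling: pebbles on the graph summed over all steps."""
    return sum(len(p) for p in steps)


def depth(parents, removed=frozenset()):
    """Nodes on the longest path of G - removed.  Nodes are numbered in
    topological order, so every parent has a smaller index."""
    longest = {}
    for v in parents:
        if v in removed:
            continue
        longest[v] = 1 + max((longest[u] for u in parents[v] if u in longest), default=0)
    return max(longest.values(), default=0)


def smallest_residue_set(parents, steps, d):
    """The proof's construction: S_i = ∪_k P_{kd+i} for 0 <= i < d.  The S_i
    together cover every P_j exactly once, so some |S_i| <= CC/d.
    Returns (i, S_i, depth(G - S_i)) for the smallest S_i."""
    pebbles = [set()] + list(steps)          # pebbles[j] = P_j, P_0 = ∅
    residue_sets = []
    for i in range(d):
        s = set()
        for j in range(i, len(pebbles), d):
            s |= pebbles[j]
        residue_sets.append(s)
    i = min(range(d), key=lambda k: len(residue_sets[k]))
    return i, residue_sets[i], depth(parents, residue_sets[i])


def depth_robustness(parents, d):
    """Largest e such that G is (e,d)-depth-robust: every set of at most e nodes
    leaves a path of >= d nodes.  Brute force, so small graphs only.  Removing
    fewer nodes can only increase depth, so testing size exactly e suffices."""
    nodes = list(parents)
    for e in range(len(nodes) + 1):
        if any(depth(parents, set(s)) < d for s in combinations(nodes, e)):
            return e - 1
    return len(nodes)


def demo(n=8, d=3):
    """Run the argument on toy_dag(n) with the width-3 window pebbling."""
    parents = toy_dag(n)
    steps = window_pebbling(n, 3)
    assert is_legal_pebbling(parents, steps)
    cc = cumulative_cost(steps)
    i, s, dep = smallest_residue_set(parents, steps, d)
    e = depth_robustness(parents, d)
    # |S_i| <= CC/d and depth(G - S_i) < d, so G is (CC/d, d)-reducible.
    # G being (e,d)-depth-robust forces |S_i| > e, hence CC >= e*d.
    assert len(s) <= cc / d and dep < d and len(s) > e and cc >= e * d
    return {"cc": cc, "i": i, "removed": sorted(s), "depth_after": dep, "e": e}


if __name__ == "__main__":
    print(demo())
```

For the 8-node graph the window pebbling has CC = 21, S₀ = {0, …, 5} leaves depth 2 < 3, and brute force shows the graph is (2, 3)-depth-robust, so the bound CC ≥ e·d = 6 holds with room to spare.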
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let G = (V, E) be (e, d)-depth robust; then CC(G) ≥ e·d.
Implications: There exists a constant-indegree graph G with CC(G) ≥ Ω(n² / log n).
Previous Best [AS15]: Ω(n² / log¹⁰ n)
[AB16]: We cannot do better (in an asymptotic sense)
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current Recommendation: Argon2id
  • No side channel attacks: resists known attacks
  • Side channel attacks reduce security to Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
• Depth-robustness is necessary and sufficient for secure iMHFs [AB16, ABP16]
• Big Challenge: Improved Constructions of Depth-Robust Graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening
Passwords vs time: Look how far we've come
(Chart; timeline annotations: Netscape IPO, Dotcom crash. Source: Cormac's estimate.)
“The password is dead”
Biometrics
• Alternatives to Passwords
• Challenges: Revoke, Secrecy
Hardware Tokens
• Alternatives to Passwords
• Challenge: $$$ + more stuff to carry around
Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords
Graphical Passwords: Hotspots
Password Managers
• Password Management Software
Related Work
• Password Management Software
• Challenge: Single point of failure
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear) [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou (Working Paper) [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear) [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016 [Full Version]
Everybody |
DATE | DATE | NUMBER OF USERS | WORLD | WORLD | INFORMATION | DATE | DATE | NUMBER OF USERS | DATE | DATE | acctsyr | |||||||||||||||||||||||||||||||||||||
POPULATION | POPULATION | SOURCE | ||||||||||||||||||||||||||||||||||||||||||||||
December-90 | 0 | 3 | 15 | 020 | 00261 | 000 | 1 | December-90 | 3 | 1 | December-90 | 3 | 1 | December-90 | 3 | 3 | December-90 | 3 | 1 | 3 | ||||||||||||||||||||||||||||
December-95 | December-95 | 0 | 16 | 040 | 80 | 040 | IDC | 100 | 00522 | 180 | 12 | December-95 | 192 | December-95 | 16 | 1778 | December-95 | 48 | 28448 | December-95 | 48 | 3 | 48 | |||||||||||||||||||||||||
December-96 | December-96 | 0 | 36 | 090 | 180 | 090 | IDC | 200 | 00783 | 188 | 13132 | December-96 | 472752 | December-96 | 36 | 1994916 | December-96 | 126 | 71816976 | December-96 | 1368 | 38 | 126 | |||||||||||||||||||||||||
December-97 | December-97 | 0 | 70 | 170 | 350 | 170 | IDC | 300 | 01043 | 209 | 16263 | December-97 | 113841 | December-97 | 70 | 2238295752 | December-97 | 280 | 15668070264 | December-97 | 322 | 46 | 280 | |||||||||||||||||||||||||
December-98 | December-98 | 0 | 147 | 360 | 735 | 360 | CI Almanac | 400 | 01303 | 230 | 19391 | December-98 | 2850477 | December-98 | 147 | 25113678337 | December-98 | 6615 | 3691710715604 | December-98 | 7791 | 53 | 6615 | |||||||||||||||||||||||||
December-99 | December-99 | 0 | 248 | 410 | 1240 | 410 | Nua Ltd | 500 | 01563 | 251 | 22517 | December-99 | 5584216 | December-99 | 248 | 28177547095 | December-99 | 1240 | 6988031679463 | December-99 | 15376 | 62 | 1240 | |||||||||||||||||||||||||
March-00 | March-00 | 0 | 304 | 500 | 1520 | 500 | Nua Ltd | 600 | 01822 | 272 | 25638 | March-00 | 7793952 | December-00 | 361 | 3161520784 | December-00 | 19855 | 11413090030294 | December-00 | 2527 | 7 | 19855 | |||||||||||||||||||||||||
July-00 | July-00 | 0 | 359 | 590 | 1795 | 590 | Nua Ltd | 700 | 02081 | 293 | 28754 | July-00 | 10322686 | December-01 | 543 | 35472263197 | December-01 | 3258 | 1926143891578 | December-01 | 39639 | 73 | 3258 | |||||||||||||||||||||||||
December-00 | December-00 | 0 | 361 | 580 | 1805 | 580 | Internet World Stats | 800 | 02338 | 313 | 31864 | December-00 | 11502904 | December-02 | 607 | 39799879307 | December-02 | 39455 | 2415852673913 | December-02 | 47953 | 79 | 39455 | |||||||||||||||||||||||||
March-01 | March-01 | 0 | 458 | 760 | 2290 | 760 | Nua Ltd | 900 | 02852 | 334 | 34967 | March-01 | 16014886 | December-03 | 719 | 44655464582 | December-03 | 5033 | 32107279034493 | December-03 | 61115 | 85 | 5033 | |||||||||||||||||||||||||
June-01 | June-01 | 0 | 479 | 790 | 2395 | 790 | Nua Ltd | 1000 | 03107 | 355 | 38061 | June-01 | 18231219 | December-04 | 817 | 50103431261 | December-04 | 61275 | 40934503340285 | December-04 | 7353 | 9 | 61275 | |||||||||||||||||||||||||
August-01 | August-01 | 0 | 513 | 860 | 2565 | 860 | Nua Ltd | 1100 | 03361 | 396 | 44221 | August-01 | 22685373 | December-05 | 1018 | 56216049875 | December-05 | 8144 | 57227938772657 | December-05 | 9467 | 93 | 8144 | |||||||||||||||||||||||||
April-02 | April-02 | 0 | 558 | 860 | 2790 | 860 | Internet World Stats | 1200 | 03614 | 417 | 47284 | April-02 | 26384472 | December-06 | 1093 | 6307440796 | December-06 | 9291 | 68940327899894 | December-06 | 10602 | 97 | 9291 | |||||||||||||||||||||||||
July-02 | July-02 | 0 | 569 | 910 | 2845 | 910 | Internet World Stats | 1300 | 03866 | 437 | 50334 | July-02 | 28640046 | December-07 | 1319 | 70769485731 | December-07 | 11871 | 93344951678825 | December-07 | 13454 | 102 | 11871 | |||||||||||||||||||||||||
September-02 | September-02 | 0 | 587 | 940 | 2935 | 940 | Internet World Stats | 1400 | 04117 | 458 | 53371 | September-02 | 31328777 | December-08 | 1574 | 7940336299 | December-08 | 14953 | 124980893346059 | December-08 | 16527 | 105 | 14953 | |||||||||||||||||||||||||
March-03 | March-03 | 0 | 608 | 970 | 3040 | 970 | Internet World Stats | 1500 | 04366 | 478 | 56394 | March-03 | 34287552 | December-09 | 1802 | 89090573275 | December-09 | 18020 | 160541213040896 | December-09 | 19462 | 108 | 18020 | |||||||||||||||||||||||||
September-03 | September-03 | 0 | 677 | 1060 | 3385 | 1060 | Internet World Stats | 1600 | 04614 | 498 | 59401 | September-03 | 40214477 | December-10 | 1971 | 99959623214 | December-10 | 20696 | 197020417355075 | December-10 | 21681 | 11 | 20696 | |||||||||||||||||||||||||
October-03 | October-03 | 0 | 682 | 1070 | 3410 | 1070 | Internet World Stats | 1700 | 0486 | 518 | 62392 | October-03 | 42551344 | |||||||||||||||||||||||||||||||||||
December-03 | December-03 | 0 | 719 | 1110 | 3595 | 1110 | Internet World Stats | 1800 | 02852 | 538 | 65365 | December-03 | 46997435 | |||||||||||||||||||||||||||||||||||
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Biometrics
59
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Hardware Tokens
61
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Everybody |
DATE | DATE | NUMBER OF USERS | WORLD | WORLD | INFORMATION | DATE | DATE | NUMBER OF USERS | DATE | DATE | acctsyr | |||||||||||||||||||||||||||||||||||||
POPULATION | POPULATION | SOURCE | ||||||||||||||||||||||||||||||||||||||||||||||
December-90 | 0 | 3 | 15 | 020 | 00261 | 000 | 1 | December-90 | 3 | 1 | December-90 | 3 | 1 | December-90 | 3 | 3 | December-90 | 3 | 1 | 3 | ||||||||||||||||||||||||||||
December-95 | December-95 | 0 | 16 | 040 | 80 | 040 | IDC | 100 | 00522 | 180 | 12 | December-95 | 192 | December-95 | 16 | 1778 | December-95 | 48 | 28448 | December-95 | 48 | 3 | 48 | |||||||||||||||||||||||||
December-96 | December-96 | 0 | 36 | 090 | 180 | 090 | IDC | 200 | 00783 | 188 | 13132 | December-96 | 472752 | December-96 | 36 | 1994916 | December-96 | 126 | 71816976 | December-96 | 1368 | 38 | 126 | |||||||||||||||||||||||||
December-97 | December-97 | 0 | 70 | 170 | 350 | 170 | IDC | 300 | 01043 | 209 | 16263 | December-97 | 113841 | December-97 | 70 | 2238295752 | December-97 | 280 | 15668070264 | December-97 | 322 | 46 | 280 | |||||||||||||||||||||||||
December-98 | December-98 | 0 | 147 | 360 | 735 | 360 | CI Almanac | 400 | 01303 | 230 | 19391 | December-98 | 2850477 | December-98 | 147 | 25113678337 | December-98 | 6615 | 3691710715604 | December-98 | 7791 | 53 | 6615 | |||||||||||||||||||||||||
December-99 | December-99 | 0 | 248 | 410 | 1240 | 410 | Nua Ltd | 500 | 01563 | 251 | 22517 | December-99 | 5584216 | December-99 | 248 | 28177547095 | December-99 | 1240 | 6988031679463 | December-99 | 15376 | 62 | 1240 | |||||||||||||||||||||||||
March-00 | March-00 | 0 | 304 | 500 | 1520 | 500 | Nua Ltd | 600 | 01822 | 272 | 25638 | March-00 | 7793952 | December-00 | 361 | 3161520784 | December-00 | 19855 | 11413090030294 | December-00 | 2527 | 7 | 19855 | |||||||||||||||||||||||||
July-00 | July-00 | 0 | 359 | 590 | 1795 | 590 | Nua Ltd | 700 | 02081 | 293 | 28754 | July-00 | 10322686 | December-01 | 543 | 35472263197 | December-01 | 3258 | 1926143891578 | December-01 | 39639 | 73 | 3258 | |||||||||||||||||||||||||
December-00 | December-00 | 0 | 361 | 580 | 1805 | 580 | Internet World Stats | 800 | 02338 | 313 | 31864 | December-00 | 11502904 | December-02 | 607 | 39799879307 | December-02 | 39455 | 2415852673913 | December-02 | 47953 | 79 | 39455 | |||||||||||||||||||||||||
March-01 | March-01 | 0 | 458 | 760 | 2290 | 760 | Nua Ltd | 900 | 02852 | 334 | 34967 | March-01 | 16014886 | December-03 | 719 | 44655464582 | December-03 | 5033 | 32107279034493 | December-03 | 61115 | 85 | 5033 | |||||||||||||||||||||||||
June-01 | June-01 | 0 | 479 | 790 | 2395 | 790 | Nua Ltd | 1000 | 03107 | 355 | 38061 | June-01 | 18231219 | December-04 | 817 | 50103431261 | December-04 | 61275 | 40934503340285 | December-04 | 7353 | 9 | 61275 | |||||||||||||||||||||||||
August-01 | August-01 | 0 | 513 | 860 | 2565 | 860 | Nua Ltd | 1100 | 03361 | 396 | 44221 | August-01 | 22685373 | December-05 | 1018 | 56216049875 | December-05 | 8144 | 57227938772657 | December-05 | 9467 | 93 | 8144 | |||||||||||||||||||||||||
April-02 | April-02 | 0 | 558 | 860 | 2790 | 860 | Internet World Stats | 1200 | 03614 | 417 | 47284 | April-02 | 26384472 | December-06 | 1093 | 6307440796 | December-06 | 9291 | 68940327899894 | December-06 | 10602 | 97 | 9291 | |||||||||||||||||||||||||
July-02 | July-02 | 0 | 569 | 910 | 2845 | 910 | Internet World Stats | 1300 | 03866 | 437 | 50334 | July-02 | 28640046 | December-07 | 1319 | 70769485731 | December-07 | 11871 | 93344951678825 | December-07 | 13454 | 102 | 11871 | |||||||||||||||||||||||||
September-02 | September-02 | 0 | 587 | 940 | 2935 | 940 | Internet World Stats | 1400 | 04117 | 458 | 53371 | September-02 | 31328777 | December-08 | 1574 | 7940336299 | December-08 | 14953 | 124980893346059 | December-08 | 16527 | 105 | 14953 | |||||||||||||||||||||||||
March-03 | March-03 | 0 | 608 | 970 | 3040 | 970 | Internet World Stats | 1500 | 04366 | 478 | 56394 | March-03 | 34287552 | December-09 | 1802 | 89090573275 | December-09 | 18020 | 160541213040896 | December-09 | 19462 | 108 | 18020 | |||||||||||||||||||||||||
September-03 | September-03 | 0 | 677 | 1060 | 3385 | 1060 | Internet World Stats | 1600 | 04614 | 498 | 59401 | September-03 | 40214477 | December-10 | 1971 | 99959623214 | December-10 | 20696 | 197020417355075 | December-10 | 21681 | 11 | 20696 | |||||||||||||||||||||||||
October-03 | October-03 | 0 | 682 | 1070 | 3410 | 1070 | Internet World Stats | 1700 | 0486 | 518 | 62392 | October-03 | 42551344 | |||||||||||||||||||||||||||||||||||
December-03 | December-03 | 0 | 719 | 1110 | 3595 | 1110 | Internet World Stats | 1800 | 02852 | 538 | 65365 | December-03 | 46997435 | |||||||||||||||||||||||||||||||||||
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Key Theorem: Let $G=(V,E)$ be $(e,d)$-depth robust; then $\mathrm{CC}(G) \ge e \cdot d$.
Implications: There exists a constant-indegree graph $G$ with
$$\mathrm{CC}(G) \ge \Omega\!\left(\frac{n^2}{\log n}\right)$$
Previous best [AS15]: $\Omega\!\left(\frac{n^2}{\log^{10} n}\right)$
[AB16]: We cannot do better (in an asymptotic sense).
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current Recommendation: Argon2id
  • No side channel attacks: resists known attacks
  • Side channel attacks reduce security to Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
• Depth-robustness is necessary and sufficient for secure iMHFs
  • [AB16], [ABP16]
• Big Challenge: Improved Constructions of Depth-Robust Graphs
  • We already have constructions in theory [EGS77, PR80, …]
  • But constants matter
Thanks for Listening
Passwords vs time: Look how far we've come
(Chart annotations: Netscape IPO, Dotcom crash. Source: Cormac's estimate.)
"The password is dead"
Biometrics
• Alternatives to Passwords
• Challenges: Revoke, Secrecy
Hardware Tokens
• Alternatives to Passwords
• Challenge: $$$ + more stuff to carry around
Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords
Graphical Passwords: Hotspots
Password Managers
• Password Management Software
• Challenge: Single point of failure
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity (with Joel Alwen and Krzysztof Pietrzak). EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling (with Samson Zhou). Working Paper. [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing (with Joel Alwen). EuroS&P 2017 (to appear). [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions (with Joel Alwen). CRYPTO 2016. [Full Version]
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Outline
• Motivation
• Data Independent Memory Hard Functions (iMHFs)
• Attacks
• Constructing iMHFs (New)
  • Depth-Robustness is sufficient
• Conclusions and Open Questions
Depth-Robustness is Sufficient [ABP16]

Key Theorem: Let $G=(V,E)$ be $(e,d)$-depth robust. Then $\mathrm{CC}(G) \ge e \cdot d$.

Proof: Let $P_1, \ldots, P_t$ denote an (optimal) pebbling of $G$ (take $P_0 = \emptyset$). For $0 \le i < d$ define
$$S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \cdots$$
Every round belongs to exactly one $S_i$, so $\sum_i |S_i| = \sum_j |P_j| = \mathrm{CC}(G)$, and one of the sets $S_i$ has size at most $\mathrm{CC}(G)/d$. Now we claim that $\mathrm{depth}(G - S_i) \le d$: no node of $G - S_i$ carries a pebble in rounds $i, d+i, 2d+i, \ldots$, and any path in $G - S_i$ must have been completely pebbled at some point, so it must have been pebbled entirely during one of the intervals of length $d$ between those rounds. Thus $G$ is $(\mathrm{CC}(G)/d,\, d)$-reducible. Since $G$ is $(e,d)$-depth robust, every set that reduces the depth to at most $d$ has more than $e$ nodes, so $\mathrm{CC}(G) \ge d \cdot |S_i| > e \cdot d$. It follows that $\mathrm{CC}(G) \ge e \cdot d$. ∎
Depth-Robustness is Sufficient [ABP16]

Implications: There exists a constant-indegree graph $G$ with
$$\mathrm{CC}(G) \ge \Omega\!\left(\frac{n^2}{\log n}\right).$$
Previous best [AS15]: $\Omega\!\left(\frac{n^2}{\log^{10} n}\right)$.

[AB16]: We cannot do better (in an asymptotic sense).
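To make the set-splitting step of the proof concrete, here is an added example (not code from the slides or from [ABP16]). It implements the definitions the deck relies on, a legal parallel black pebbling, cumulative cost CC, and (e,d)-reducibility checked by brute force, then extracts the reducing set S_i from a pebbling exactly as in the proof and checks |S_i| ≤ CC/d and depth(G − S_i) ≤ d on two tiny graphs: a path (cheap to pebble, barely depth robust) and a complete DAG (expensive to pebble, maximally depth robust). The conventions are assumptions of this example: nodes 0..n−1 are in topological order, node n−1 is the sink, depth counts edges on the longest path, and the graph is given as a list of parent lists.

```python
"""Graph pebbling, cumulative cost and depth-robustness on small DAGs.

Added example, not code from the slides or from [ABP16]: it implements the
definitions the deck uses (parallel black pebbling, cumulative cost CC,
(e,d)-reducible / depth-robust) and the set-splitting step of the proof,
and checks the bound CC(G) >= e*d on two tiny graphs by brute force.
Assumed conventions: nodes are 0..n-1 in topological order, the sink is
node n-1, and depth counts edges on the longest path.
"""
from itertools import combinations


def depth(parents, removed=frozenset()):
    """Edges on the longest path of G - removed (0 if nothing is left)."""
    longest = {}
    for v in range(len(parents)):
        if v in removed:
            continue
        longest[v] = max((longest[p] + 1 for p in parents[v] if p not in removed), default=0)
    return max(longest.values(), default=0)


def is_reducible(parents, e, d):
    """(e,d)-reducible: some S with |S| <= e has depth(G - S) <= d."""
    nodes = range(len(parents))
    return any(depth(parents, frozenset(S)) <= d
               for k in range(e + 1) for S in combinations(nodes, k))


def is_depth_robust(parents, e, d):
    """(e,d)-depth robust is the negation of (e,d)-reducible."""
    return not is_reducible(parents, e, d)


def check_pebbling(parents, rounds):
    """Legal parallel black pebbling: a pebble placed on v in round j needs
    every parent of v pebbled in round j-1; the sink is pebbled at the end."""
    prev = frozenset()
    for cur in rounds:
        if any(p not in prev for v in cur - prev for p in parents[v]):
            return False
        prev = cur
    return len(parents) - 1 in prev


def cumulative_cost(rounds):
    """CC = total number of pebbles summed over all rounds."""
    return sum(len(P) for P in rounds)


def sequential_pebbling(parents):
    """Place node j in round j and keep a pebble only while a later node
    still needs it (cheapest schedule for a path; keeps everything for K_n)."""
    n = len(parents)
    last_use = [-1] * n
    for v in range(n):
        for p in parents[v]:
            last_use[p] = max(last_use[p], v)
    return [frozenset(u for u in range(j + 1) if u == j or last_use[u] > j)
            for j in range(n)]


def reducing_set(rounds, d):
    """The [ABP16] construction: S_i is the union of the rounds P_j with
    j = i (mod d).  The rounds are partitioned among the S_i, so the
    smallest one has at most CC/d nodes, and removing it leaves depth <= d
    (a path of G - S_i is pebbled between two consecutive checkpoints)."""
    return min((frozenset().union(*rounds[i::d]) for i in range(d)), key=len)


def path_graph(n):
    """Edges v-1 -> v: cheap to pebble, weakly depth robust."""
    return [[] if v == 0 else [v - 1] for v in range(n)]


def complete_dag(n):
    """Every edge u -> v with u < v: maximally depth robust."""
    return [list(range(v)) for v in range(n)]


def verify_bound(parents, e, d):
    """Return (CC of the sequential pebbling, e*d, |S|, depth(G - S)) for
    the reducing set S extracted from that pebbling, after checking the
    two inequalities the proof guarantees."""
    rounds = sequential_pebbling(parents)
    assert check_pebbling(parents, rounds)
    S = reducing_set(rounds, d)
    cc = cumulative_cost(rounds)
    assert len(S) <= cc / d and depth(parents, S) <= d
    return cc, e * d, len(S), depth(parents, S)


if __name__ == "__main__":
    for name, G, e, d in [("path_8", path_graph(8), 1, 2),
                          ("K_8", complete_dag(8), 3, 3)]:
        print(name, "(e,d)-depth robust:", is_depth_robust(G, e, d),
              "(CC, e*d, |S|, depth(G-S)) =", verify_bound(G, e, d))
```

The path on 8 nodes is only (1,2)-depth robust and its sequential pebbling costs CC = 8, while the complete DAG on 8 nodes is (3,3)-depth robust and costs CC = 29; in both cases the extracted S_i is within CC/d and collapses the depth, which is the whole content of the theorem.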
Summary
• BCRYPT and PBKDF2 are no longer sufficient for password hashing
• Argon2i is an improvement over BCRYPT and PBKDF2
  • But still has its flaws [AB16, AB17]
• Current Recommendation: Argon2id
  • No side channel attacks: resists known attacks
  • Side channel attacks reduce security to Argon2i
• Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
• Depth-robustness is necessary and sufficient for secure iMHFs [AB16, ABP16]
• Big Challenge: Improved Constructions of Depth-Robust Graphs
  • We already have constructions in theory [EGS77, PR80, ...]
  • But constants matter
Thanks for Listening

Passwords vs time: Look how far we've come
[Chart of Internet users and accounts over time, annotated "Netscape IPO" and "Dotcom crash"]
Source: Cormac's estimate

"The password is dead"

Biometrics
• Alternatives to Passwords
• Challenges: Revoke, Secrecy

Hardware Tokens
• Alternatives to Passwords
• Challenge: $$$ + more stuff to carry around

Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords

Graphical Passwords: Hotspots

Password Managers
• Password Management Software
• Challenge: Single point of failure
References
• [ABP16 / ABP17] Depth-Robust Graphs and Their Cumulative Memory Complexity, with Joel Alwen and Krzysztof Pietrzak. EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling, with Samson Zhou. Working paper. [arXiv]
• [AB17] Towards Practical Attacks on Argon2i and Balloon Hashing, with Joel Alwen. EuroS&P 2017 (to appear). [ePrint]
• [AB16] Efficiently Computing Data Independent Memory Hard Functions, with Joel Alwen. CRYPTO 2016. [Full Version]
Everybody |
DATE | DATE | NUMBER OF USERS | WORLD | WORLD | INFORMATION | DATE | DATE | NUMBER OF USERS | DATE | DATE | acctsyr | |||||||||||||||||||||||||||||||||||||
POPULATION | POPULATION | SOURCE | ||||||||||||||||||||||||||||||||||||||||||||||
December-90 | 0 | 3 | 15 | 020 | 00261 | 000 | 1 | December-90 | 3 | 1 | December-90 | 3 | 1 | December-90 | 3 | 3 | December-90 | 3 | 1 | 3 | ||||||||||||||||||||||||||||
December-95 | December-95 | 0 | 16 | 040 | 80 | 040 | IDC | 100 | 00522 | 180 | 12 | December-95 | 192 | December-95 | 16 | 1778 | December-95 | 48 | 28448 | December-95 | 48 | 3 | 48 | |||||||||||||||||||||||||
December-96 | December-96 | 0 | 36 | 090 | 180 | 090 | IDC | 200 | 00783 | 188 | 13132 | December-96 | 472752 | December-96 | 36 | 1994916 | December-96 | 126 | 71816976 | December-96 | 1368 | 38 | 126 | |||||||||||||||||||||||||
December-97 | December-97 | 0 | 70 | 170 | 350 | 170 | IDC | 300 | 01043 | 209 | 16263 | December-97 | 113841 | December-97 | 70 | 2238295752 | December-97 | 280 | 15668070264 | December-97 | 322 | 46 | 280 | |||||||||||||||||||||||||
December-98 | December-98 | 0 | 147 | 360 | 735 | 360 | CI Almanac | 400 | 01303 | 230 | 19391 | December-98 | 2850477 | December-98 | 147 | 25113678337 | December-98 | 6615 | 3691710715604 | December-98 | 7791 | 53 | 6615 | |||||||||||||||||||||||||
December-99 | December-99 | 0 | 248 | 410 | 1240 | 410 | Nua Ltd | 500 | 01563 | 251 | 22517 | December-99 | 5584216 | December-99 | 248 | 28177547095 | December-99 | 1240 | 6988031679463 | December-99 | 15376 | 62 | 1240 | |||||||||||||||||||||||||
March-00 | March-00 | 0 | 304 | 500 | 1520 | 500 | Nua Ltd | 600 | 01822 | 272 | 25638 | March-00 | 7793952 | December-00 | 361 | 3161520784 | December-00 | 19855 | 11413090030294 | December-00 | 2527 | 7 | 19855 | |||||||||||||||||||||||||
July-00 | July-00 | 0 | 359 | 590 | 1795 | 590 | Nua Ltd | 700 | 02081 | 293 | 28754 | July-00 | 10322686 | December-01 | 543 | 35472263197 | December-01 | 3258 | 1926143891578 | December-01 | 39639 | 73 | 3258 | |||||||||||||||||||||||||
December-00 | December-00 | 0 | 361 | 580 | 1805 | 580 | Internet World Stats | 800 | 02338 | 313 | 31864 | December-00 | 11502904 | December-02 | 607 | 39799879307 | December-02 | 39455 | 2415852673913 | December-02 | 47953 | 79 | 39455 | |||||||||||||||||||||||||
March-01 | March-01 | 0 | 458 | 760 | 2290 | 760 | Nua Ltd | 900 | 02852 | 334 | 34967 | March-01 | 16014886 | December-03 | 719 | 44655464582 | December-03 | 5033 | 32107279034493 | December-03 | 61115 | 85 | 5033 | |||||||||||||||||||||||||
June-01 | June-01 | 0 | 479 | 790 | 2395 | 790 | Nua Ltd | 1000 | 03107 | 355 | 38061 | June-01 | 18231219 | December-04 | 817 | 50103431261 | December-04 | 61275 | 40934503340285 | December-04 | 7353 | 9 | 61275 | |||||||||||||||||||||||||
August-01 | August-01 | 0 | 513 | 860 | 2565 | 860 | Nua Ltd | 1100 | 03361 | 396 | 44221 | August-01 | 22685373 | December-05 | 1018 | 56216049875 | December-05 | 8144 | 57227938772657 | December-05 | 9467 | 93 | 8144 | |||||||||||||||||||||||||
April-02 | April-02 | 0 | 558 | 860 | 2790 | 860 | Internet World Stats | 1200 | 03614 | 417 | 47284 | April-02 | 26384472 | December-06 | 1093 | 6307440796 | December-06 | 9291 | 68940327899894 | December-06 | 10602 | 97 | 9291 | |||||||||||||||||||||||||
July-02 | July-02 | 0 | 569 | 910 | 2845 | 910 | Internet World Stats | 1300 | 03866 | 437 | 50334 | July-02 | 28640046 | December-07 | 1319 | 70769485731 | December-07 | 11871 | 93344951678825 | December-07 | 13454 | 102 | 11871 | |||||||||||||||||||||||||
September-02 | September-02 | 0 | 587 | 940 | 2935 | 940 | Internet World Stats | 1400 | 04117 | 458 | 53371 | September-02 | 31328777 | December-08 | 1574 | 7940336299 | December-08 | 14953 | 124980893346059 | December-08 | 16527 | 105 | 14953 | |||||||||||||||||||||||||
March-03 | March-03 | 0 | 608 | 970 | 3040 | 970 | Internet World Stats | 1500 | 04366 | 478 | 56394 | March-03 | 34287552 | December-09 | 1802 | 89090573275 | December-09 | 18020 | 160541213040896 | December-09 | 19462 | 108 | 18020 | |||||||||||||||||||||||||
September-03 | September-03 | 0 | 677 | 1060 | 3385 | 1060 | Internet World Stats | 1600 | 04614 | 498 | 59401 | September-03 | 40214477 | December-10 | 1971 | 99959623214 | December-10 | 20696 | 197020417355075 | December-10 | 21681 | 11 | 20696 | |||||||||||||||||||||||||
October-03 | October-03 | 0 | 682 | 1070 | 3410 | 1070 | Internet World Stats | 1700 | 0486 | 518 | 62392 | October-03 | 42551344 | |||||||||||||||||||||||||||||||||||
December-03 | December-03 | 0 | 719 | 1110 | 3595 | 1110 | Internet World Stats | 1800 | 02852 | 538 | 65365 | December-03 | 46997435 | |||||||||||||||||||||||||||||||||||
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Biometrics
59
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Hardware Tokens
61
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Everybody |
DATE | DATE | NUMBER OF USERS | WORLD | WORLD | INFORMATION | DATE | DATE | NUMBER OF USERS | DATE | DATE | acctsyr | |||||||||||||||||||||||||||||||||||||
POPULATION | POPULATION | SOURCE | ||||||||||||||||||||||||||||||||||||||||||||||
December-90 | 0 | 3 | 15 | 020 | 00261 | 000 | 1 | December-90 | 3 | 1 | December-90 | 3 | 1 | December-90 | 3 | 3 | December-90 | 3 | 1 | 3 | ||||||||||||||||||||||||||||
December-95 | December-95 | 0 | 16 | 040 | 80 | 040 | IDC | 100 | 00522 | 180 | 12 | December-95 | 192 | December-95 | 16 | 1778 | December-95 | 48 | 28448 | December-95 | 48 | 3 | 48 | |||||||||||||||||||||||||
December-96 | December-96 | 0 | 36 | 090 | 180 | 090 | IDC | 200 | 00783 | 188 | 13132 | December-96 | 472752 | December-96 | 36 | 1994916 | December-96 | 126 | 71816976 | December-96 | 1368 | 38 | 126 | |||||||||||||||||||||||||
December-97 | December-97 | 0 | 70 | 170 | 350 | 170 | IDC | 300 | 01043 | 209 | 16263 | December-97 | 113841 | December-97 | 70 | 2238295752 | December-97 | 280 | 15668070264 | December-97 | 322 | 46 | 280 | |||||||||||||||||||||||||
December-98 | December-98 | 0 | 147 | 360 | 735 | 360 | CI Almanac | 400 | 01303 | 230 | 19391 | December-98 | 2850477 | December-98 | 147 | 25113678337 | December-98 | 6615 | 3691710715604 | December-98 | 7791 | 53 | 6615 | |||||||||||||||||||||||||
December-99 | December-99 | 0 | 248 | 410 | 1240 | 410 | Nua Ltd | 500 | 01563 | 251 | 22517 | December-99 | 5584216 | December-99 | 248 | 28177547095 | December-99 | 1240 | 6988031679463 | December-99 | 15376 | 62 | 1240 | |||||||||||||||||||||||||
March-00 | March-00 | 0 | 304 | 500 | 1520 | 500 | Nua Ltd | 600 | 01822 | 272 | 25638 | March-00 | 7793952 | December-00 | 361 | 3161520784 | December-00 | 19855 | 11413090030294 | December-00 | 2527 | 7 | 19855 | |||||||||||||||||||||||||
July-00 | July-00 | 0 | 359 | 590 | 1795 | 590 | Nua Ltd | 700 | 02081 | 293 | 28754 | July-00 | 10322686 | December-01 | 543 | 35472263197 | December-01 | 3258 | 1926143891578 | December-01 | 39639 | 73 | 3258 | |||||||||||||||||||||||||
December-00 | December-00 | 0 | 361 | 580 | 1805 | 580 | Internet World Stats | 800 | 02338 | 313 | 31864 | December-00 | 11502904 | December-02 | 607 | 39799879307 | December-02 | 39455 | 2415852673913 | December-02 | 47953 | 79 | 39455 | |||||||||||||||||||||||||
March-01 | March-01 | 0 | 458 | 760 | 2290 | 760 | Nua Ltd | 900 | 02852 | 334 | 34967 | March-01 | 16014886 | December-03 | 719 | 44655464582 | December-03 | 5033 | 32107279034493 | December-03 | 61115 | 85 | 5033 | |||||||||||||||||||||||||
June-01 | June-01 | 0 | 479 | 790 | 2395 | 790 | Nua Ltd | 1000 | 03107 | 355 | 38061 | June-01 | 18231219 | December-04 | 817 | 50103431261 | December-04 | 61275 | 40934503340285 | December-04 | 7353 | 9 | 61275 | |||||||||||||||||||||||||
August-01 | August-01 | 0 | 513 | 860 | 2565 | 860 | Nua Ltd | 1100 | 03361 | 396 | 44221 | August-01 | 22685373 | December-05 | 1018 | 56216049875 | December-05 | 8144 | 57227938772657 | December-05 | 9467 | 93 | 8144 | |||||||||||||||||||||||||
April-02 | April-02 | 0 | 558 | 860 | 2790 | 860 | Internet World Stats | 1200 | 03614 | 417 | 47284 | April-02 | 26384472 | December-06 | 1093 | 6307440796 | December-06 | 9291 | 68940327899894 | December-06 | 10602 | 97 | 9291 | |||||||||||||||||||||||||
July-02 | July-02 | 0 | 569 | 910 | 2845 | 910 | Internet World Stats | 1300 | 03866 | 437 | 50334 | July-02 | 28640046 | December-07 | 1319 | 70769485731 | December-07 | 11871 | 93344951678825 | December-07 | 13454 | 102 | 11871 | |||||||||||||||||||||||||
September-02 | September-02 | 0 | 587 | 940 | 2935 | 940 | Internet World Stats | 1400 | 04117 | 458 | 53371 | September-02 | 31328777 | December-08 | 1574 | 7940336299 | December-08 | 14953 | 124980893346059 | December-08 | 16527 | 105 | 14953 | |||||||||||||||||||||||||
March-03 | March-03 | 0 | 608 | 970 | 3040 | 970 | Internet World Stats | 1500 | 04366 | 478 | 56394 | March-03 | 34287552 | December-09 | 1802 | 89090573275 | December-09 | 18020 | 160541213040896 | December-09 | 19462 | 108 | 18020 | |||||||||||||||||||||||||
September-03 | September-03 | 0 | 677 | 1060 | 3385 | 1060 | Internet World Stats | 1600 | 04614 | 498 | 59401 | September-03 | 40214477 | December-10 | 1971 | 99959623214 | December-10 | 20696 | 197020417355075 | December-10 | 21681 | 11 | 20696 | |||||||||||||||||||||||||
October-03 | October-03 | 0 | 682 | 1070 | 3410 | 1070 | Internet World Stats | 1700 | 0486 | 518 | 62392 | October-03 | 42551344 | |||||||||||||||||||||||||||||||||||
December-03 | December-03 | 0 | 719 | 1110 | 3595 | 1110 | Internet World Stats | 1800 | 02852 | 538 | 65365 | December-03 | 46997435 | |||||||||||||||||||||||||||||||||||
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Biometrics

• Alternative to passwords
• Challenges: a biometric cannot be revoked, and it is not secret
Hardware Tokens

• Alternative to passwords
• Challenge: $$$, plus more stuff to carry around
Graphical Passwords

• Examples: Passfaces, Cued Click Points, Windows 8 picture password
• Challenge: multiple passwords
• Hotspots: users' click points cluster on a few predictable regions of the image
Password Managers

• Password management software
• Challenge: single point of failure
References

• [ABP16, ABP17] Depth-Robust Graphs and Their Cumulative Memory Complexity (with Joel Alwen and Krzysztof Pietrzak). EUROCRYPT 2017, to appear. [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling (with Samson Zhou). Working paper. [arXiv]
• [AB17] Towards Practical Attacks on Argon2i and Balloon Hashing (with Joel Alwen). EuroS&P 2017, to appear. [ePrint]
• [AB16] Efficiently Computing Data Independent Memory Hard Functions (with Joel Alwen). CRYPTO 2016. [Full Version]
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Biometrics
59

Biometrics
• Alternatives to Passwords
• Challenges: Revoke (a compromised fingerprint or iris cannot be replaced the way a password can), Secrecy (a biometric is left on every surface and camera, so it identifies a person but is not a secret)
60

Hardware Tokens
61

Hardware Tokens
• Alternatives to Passwords
• Challenge: $$$ + more stuff to carry around
62

Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
63

Graphical Passwords
• Examples: Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords
64

Graphical Passwords: Hotspots
65

Graphical Passwords: Hotspots
• Users tend to click the same salient points (hotspots) of an image, so an attacker can guess graphical passwords from a far smaller space than the number of possible click positions
66

Password Managers
• Password Management Software
67

Related Work
• Password Management Software
• Challenge: Single point of failure (one master password unlocks every stored credential, so a stolen vault file is one offline attack away from all of them)
68
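The single point of failure named on the Password Managers slide, as an added example that is not part of the original deck: a vault file encrypted under a key derived from the master password. Whoever steals the file runs exactly the offline attack from the start of the lecture, and one correct guess yields every stored credential at once, so the only thing standing in the way is the per-guess cost of the key derivation. The example therefore uses scrypt, a memory-hard KDF in Python's standard library. The vault layout, the toy counter-mode cipher built from SHA-256 (a stand-in for a real AEAD such as AES-GCM, which the standard library does not ship), the sample credentials and the attacker's guess list are all assumptions constructed for the example.

```python
# Added example (not from the lecture slides): a password manager's vault as a
# single point of failure, and a memory-hard KDF on the master password as the
# only thing that makes a stolen vault file expensive to attack offline.
#
# Assumptions of the example: the vault layout, the toy counter-mode cipher
# built from SHA-256 (stand-in for a real AEAD such as AES-GCM; never use the
# toy cipher in production), the sample credentials and the attacker's guess
# list are all constructed here.
import hashlib
import hmac
import json
import os

# scrypt cost: memory is about 128 * r * N bytes, so N=2**15, r=8 is ~32 MiB
# per evaluation. The user pays it once per unlock; an attacker holding the
# vault file pays it on every guess and cannot amortise it across cheap ASIC
# cores, which is the memory-hard design goal of the lecture. Raise N on real
# hardware; this value keeps the example quick to run.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 15, 8, 1
SCRYPT_MAXMEM = 128 * 1024 * 1024


def derive_keys(master_password, salt):
    """Derive separate encryption and MAC keys from the master password."""
    okm = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=SCRYPT_MAXMEM, dklen=64)
    return okm[:32], okm[32:]


def _keystream(key, nonce, length):
    """Toy counter-mode keystream: SHA-256(key || nonce || counter)."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def lock_vault(master_password, entries):
    """Encrypt-then-MAC the whole credential set under the master password."""
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unlock_vault(master_password, vault):
    """Return the credential dict, or None if the master password is wrong."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ct, tag = bytes.fromhex(vault["ct"]), bytes.fromhex(vault["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time tag comparison
        return None
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt.decode("utf-8"))


def offline_attack(vault, guesses):
    """The attacker's loop over a stolen vault file: one scrypt evaluation per
    guess, and a single hit yields every stored credential at once."""
    for guess in guesses:
        entries = unlock_vault(guess, vault)
        if entries is not None:
            return guess, entries
    return None, None


if __name__ == "__main__":
    # Constructed sample data: two stored credentials behind one weak master password.
    vault = lock_vault("letmein", {"bank": "hunter2", "mail": "s3cret!"})
    # Constructed guess list standing in for a cracking dictionary.
    hit, loot = offline_attack(vault, ["123456", "password", "letmein"])
    print("master password recovered:", hit, "->", loot)
```

The point of the layout is that the salt, nonce, ciphertext and tag are all in the attacker's hands once the file is stolen; nothing about the format is secret, so the guessing cost per evaluation of derive_keys is the whole defence, and it must be paid in memory, not just in CPU time, to hold up against ASIC attackers.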
References
• Depth-Robust Graphs and Their Cumulative Memory Complexity (with Joel Alwen and Krzysztof Pietrzak). EUROCRYPT 2017 (to appear). [ePrint]
• On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling (with Samson Zhou). Working paper. [arXiv]
• Towards Practical Attacks on Argon2i and Balloon Hashing (with Joel Alwen). IEEE EuroS&P 2017 (to appear). [ePrint]
• Efficiently Computing Data Independent Memory Hard Functions (with Joel Alwen). CRYPTO 2016. [Full Version]
Everybody |
DATE | DATE | NUMBER OF USERS | WORLD | WORLD | INFORMATION | DATE | DATE | NUMBER OF USERS | DATE | DATE | acctsyr | |||||||||||||||||||||||||||||||||||||
POPULATION | POPULATION | SOURCE | ||||||||||||||||||||||||||||||||||||||||||||||
December-90 | 0 | 3 | 15 | 020 | 00261 | 000 | 1 | December-90 | 3 | 1 | December-90 | 3 | 1 | December-90 | 3 | 3 | December-90 | 3 | 1 | 3 | ||||||||||||||||||||||||||||
December-95 | December-95 | 0 | 16 | 040 | 80 | 040 | IDC | 100 | 00522 | 180 | 12 | December-95 | 192 | December-95 | 16 | 1778 | December-95 | 48 | 28448 | December-95 | 48 | 3 | 48 | |||||||||||||||||||||||||
December-96 | December-96 | 0 | 36 | 090 | 180 | 090 | IDC | 200 | 00783 | 188 | 13132 | December-96 | 472752 | December-96 | 36 | 1994916 | December-96 | 126 | 71816976 | December-96 | 1368 | 38 | 126 | |||||||||||||||||||||||||
December-97 | December-97 | 0 | 70 | 170 | 350 | 170 | IDC | 300 | 01043 | 209 | 16263 | December-97 | 113841 | December-97 | 70 | 2238295752 | December-97 | 280 | 15668070264 | December-97 | 322 | 46 | 280 | |||||||||||||||||||||||||
December-98 | December-98 | 0 | 147 | 360 | 735 | 360 | CI Almanac | 400 | 01303 | 230 | 19391 | December-98 | 2850477 | December-98 | 147 | 25113678337 | December-98 | 6615 | 3691710715604 | December-98 | 7791 | 53 | 6615 | |||||||||||||||||||||||||
December-99 | December-99 | 0 | 248 | 410 | 1240 | 410 | Nua Ltd | 500 | 01563 | 251 | 22517 | December-99 | 5584216 | December-99 | 248 | 28177547095 | December-99 | 1240 | 6988031679463 | December-99 | 15376 | 62 | 1240 | |||||||||||||||||||||||||
March-00 | March-00 | 0 | 304 | 500 | 1520 | 500 | Nua Ltd | 600 | 01822 | 272 | 25638 | March-00 | 7793952 | December-00 | 361 | 3161520784 | December-00 | 19855 | 11413090030294 | December-00 | 2527 | 7 | 19855 | |||||||||||||||||||||||||
July-00 | July-00 | 0 | 359 | 590 | 1795 | 590 | Nua Ltd | 700 | 02081 | 293 | 28754 | July-00 | 10322686 | December-01 | 543 | 35472263197 | December-01 | 3258 | 1926143891578 | December-01 | 39639 | 73 | 3258 | |||||||||||||||||||||||||
December-00 | December-00 | 0 | 361 | 580 | 1805 | 580 | Internet World Stats | 800 | 02338 | 313 | 31864 | December-00 | 11502904 | December-02 | 607 | 39799879307 | December-02 | 39455 | 2415852673913 | December-02 | 47953 | 79 | 39455 | |||||||||||||||||||||||||
March-01 | March-01 | 0 | 458 | 760 | 2290 | 760 | Nua Ltd | 900 | 02852 | 334 | 34967 | March-01 | 16014886 | December-03 | 719 | 44655464582 | December-03 | 5033 | 32107279034493 | December-03 | 61115 | 85 | 5033 | |||||||||||||||||||||||||
June-01 | June-01 | 0 | 479 | 790 | 2395 | 790 | Nua Ltd | 1000 | 03107 | 355 | 38061 | June-01 | 18231219 | December-04 | 817 | 50103431261 | December-04 | 61275 | 40934503340285 | December-04 | 7353 | 9 | 61275 | |||||||||||||||||||||||||
August-01 | August-01 | 0 | 513 | 860 | 2565 | 860 | Nua Ltd | 1100 | 03361 | 396 | 44221 | August-01 | 22685373 | December-05 | 1018 | 56216049875 | December-05 | 8144 | 57227938772657 | December-05 | 9467 | 93 | 8144 | |||||||||||||||||||||||||
April-02 | April-02 | 0 | 558 | 860 | 2790 | 860 | Internet World Stats | 1200 | 03614 | 417 | 47284 | April-02 | 26384472 | December-06 | 1093 | 6307440796 | December-06 | 9291 | 68940327899894 | December-06 | 10602 | 97 | 9291 | |||||||||||||||||||||||||
July-02 | July-02 | 0 | 569 | 910 | 2845 | 910 | Internet World Stats | 1300 | 03866 | 437 | 50334 | July-02 | 28640046 | December-07 | 1319 | 70769485731 | December-07 | 11871 | 93344951678825 | December-07 | 13454 | 102 | 11871 | |||||||||||||||||||||||||
September-02 | September-02 | 0 | 587 | 940 | 2935 | 940 | Internet World Stats | 1400 | 04117 | 458 | 53371 | September-02 | 31328777 | December-08 | 1574 | 7940336299 | December-08 | 14953 | 124980893346059 | December-08 | 16527 | 105 | 14953 | |||||||||||||||||||||||||
March-03 | March-03 | 0 | 608 | 970 | 3040 | 970 | Internet World Stats | 1500 | 04366 | 478 | 56394 | March-03 | 34287552 | December-09 | 1802 | 89090573275 | December-09 | 18020 | 160541213040896 | December-09 | 19462 | 108 | 18020 | |||||||||||||||||||||||||
September-03 | September-03 | 0 | 677 | 1060 | 3385 | 1060 | Internet World Stats | 1600 | 04614 | 498 | 59401 | September-03 | 40214477 | December-10 | 1971 | 99959623214 | December-10 | 20696 | 197020417355075 | December-10 | 21681 | 11 | 20696 | |||||||||||||||||||||||||
October-03 | October-03 | 0 | 682 | 1070 | 3410 | 1070 | Internet World Stats | 1700 | 0486 | 518 | 62392 | October-03 | 42551344 | |||||||||||||||||||||||||||||||||||
December-03 | December-03 | 0 | 719 | 1110 | 3595 | 1110 | Internet World Stats | 1800 | 02852 | 538 | 65365 | December-03 | 46997435 | |||||||||||||||||||||||||||||||||||
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Biometrics
59
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Hardware Tokens
61
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Everybody |
DATE | DATE | NUMBER OF USERS | WORLD | WORLD | INFORMATION | DATE | DATE | NUMBER OF USERS | DATE | DATE | acctsyr | |||||||||||||||||||||||||||||||||||||
POPULATION | POPULATION | SOURCE | ||||||||||||||||||||||||||||||||||||||||||||||
December-90 | 0 | 3 | 15 | 020 | 00261 | 000 | 1 | December-90 | 3 | 1 | December-90 | 3 | 1 | December-90 | 3 | 3 | December-90 | 3 | 1 | 3 | ||||||||||||||||||||||||||||
December-95 | December-95 | 0 | 16 | 040 | 80 | 040 | IDC | 100 | 00522 | 180 | 12 | December-95 | 192 | December-95 | 16 | 1778 | December-95 | 48 | 28448 | December-95 | 48 | 3 | 48 | |||||||||||||||||||||||||
December-96 | December-96 | 0 | 36 | 090 | 180 | 090 | IDC | 200 | 00783 | 188 | 13132 | December-96 | 472752 | December-96 | 36 | 1994916 | December-96 | 126 | 71816976 | December-96 | 1368 | 38 | 126 | |||||||||||||||||||||||||
December-97 | December-97 | 0 | 70 | 170 | 350 | 170 | IDC | 300 | 01043 | 209 | 16263 | December-97 | 113841 | December-97 | 70 | 2238295752 | December-97 | 280 | 15668070264 | December-97 | 322 | 46 | 280 | |||||||||||||||||||||||||
December-98 | December-98 | 0 | 147 | 360 | 735 | 360 | CI Almanac | 400 | 01303 | 230 | 19391 | December-98 | 2850477 | December-98 | 147 | 25113678337 | December-98 | 6615 | 3691710715604 | December-98 | 7791 | 53 | 6615 | |||||||||||||||||||||||||
December-99 | December-99 | 0 | 248 | 410 | 1240 | 410 | Nua Ltd | 500 | 01563 | 251 | 22517 | December-99 | 5584216 | December-99 | 248 | 28177547095 | December-99 | 1240 | 6988031679463 | December-99 | 15376 | 62 | 1240 | |||||||||||||||||||||||||
March-00 | March-00 | 0 | 304 | 500 | 1520 | 500 | Nua Ltd | 600 | 01822 | 272 | 25638 | March-00 | 7793952 | December-00 | 361 | 3161520784 | December-00 | 19855 | 11413090030294 | December-00 | 2527 | 7 | 19855 | |||||||||||||||||||||||||
July-00 | July-00 | 0 | 359 | 590 | 1795 | 590 | Nua Ltd | 700 | 02081 | 293 | 28754 | July-00 | 10322686 | December-01 | 543 | 35472263197 | December-01 | 3258 | 1926143891578 | December-01 | 39639 | 73 | 3258 | |||||||||||||||||||||||||
December-00 | December-00 | 0 | 361 | 580 | 1805 | 580 | Internet World Stats | 800 | 02338 | 313 | 31864 | December-00 | 11502904 | December-02 | 607 | 39799879307 | December-02 | 39455 | 2415852673913 | December-02 | 47953 | 79 | 39455 | |||||||||||||||||||||||||
March-01 | March-01 | 0 | 458 | 760 | 2290 | 760 | Nua Ltd | 900 | 02852 | 334 | 34967 | March-01 | 16014886 | December-03 | 719 | 44655464582 | December-03 | 5033 | 32107279034493 | December-03 | 61115 | 85 | 5033 | |||||||||||||||||||||||||
June-01 | June-01 | 0 | 479 | 790 | 2395 | 790 | Nua Ltd | 1000 | 03107 | 355 | 38061 | June-01 | 18231219 | December-04 | 817 | 50103431261 | December-04 | 61275 | 40934503340285 | December-04 | 7353 | 9 | 61275 | |||||||||||||||||||||||||
August-01 | August-01 | 0 | 513 | 860 | 2565 | 860 | Nua Ltd | 1100 | 03361 | 396 | 44221 | August-01 | 22685373 | December-05 | 1018 | 56216049875 | December-05 | 8144 | 57227938772657 | December-05 | 9467 | 93 | 8144 | |||||||||||||||||||||||||
April-02 | April-02 | 0 | 558 | 860 | 2790 | 860 | Internet World Stats | 1200 | 03614 | 417 | 47284 | April-02 | 26384472 | December-06 | 1093 | 6307440796 | December-06 | 9291 | 68940327899894 | December-06 | 10602 | 97 | 9291 | |||||||||||||||||||||||||
July-02 | July-02 | 0 | 569 | 910 | 2845 | 910 | Internet World Stats | 1300 | 03866 | 437 | 50334 | July-02 | 28640046 | December-07 | 1319 | 70769485731 | December-07 | 11871 | 93344951678825 | December-07 | 13454 | 102 | 11871 | |||||||||||||||||||||||||
September-02 | September-02 | 0 | 587 | 940 | 2935 | 940 | Internet World Stats | 1400 | 04117 | 458 | 53371 | September-02 | 31328777 | December-08 | 1574 | 7940336299 | December-08 | 14953 | 124980893346059 | December-08 | 16527 | 105 | 14953 | |||||||||||||||||||||||||
March-03 | March-03 | 0 | 608 | 970 | 3040 | 970 | Internet World Stats | 1500 | 04366 | 478 | 56394 | March-03 | 34287552 | December-09 | 1802 | 89090573275 | December-09 | 18020 | 160541213040896 | December-09 | 19462 | 108 | 18020 | |||||||||||||||||||||||||
September-03 | September-03 | 0 | 677 | 1060 | 3385 | 1060 | Internet World Stats | 1600 | 04614 | 498 | 59401 | September-03 | 40214477 | December-10 | 1971 | 99959623214 | December-10 | 20696 | 197020417355075 | December-10 | 21681 | 11 | 20696 | |||||||||||||||||||||||||
October-03 | October-03 | 0 | 682 | 1070 | 3410 | 1070 | Internet World Stats | 1700 | 0486 | 518 | 62392 | October-03 | 42551344 | |||||||||||||||||||||||||||||||||||
December-03 | December-03 | 0 | 719 | 1110 | 3595 | 1110 | Internet World Stats | 1800 | 02852 | 538 | 65365 | December-03 | 46997435 | |||||||||||||||||||||||||||||||||||
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
September-06 | September-06 | 0 | 1086 | 1670 | 5430 | 1670 | Internet World Stats | 3000 | 06065 | 801 | 104611 | September-06 | 113607546 | |||||||||||||||||||||||||||||||||||
December-06 | December-06 | 0 | 1093 | 1670 | 5465 | 1670 | Internet World Stats | 3100 | 063 | 818 | 107207 | December-06 | 117177251 | |||||||||||||||||||||||||||||||||||
March-07 | March-07 | 0 | 1129 | 1720 | 5645 | 1720 | Internet World Stats | 3200 | 06534 | 835 | 109771 | March-07 | 123931459 | |||||||||||||||||||||||||||||||||||
June-07 | June-07 | 0 | 1173 | 1780 | 5865 | 1780 | Internet World Stats | 3300 | 06765 | 852 | 112301 | June-07 | 131729073 | |||||||||||||||||||||||||||||||||||
September-07 | September-07 | 0 | 1245 | 1890 | 6225 | 1890 | Internet World Stats | 3400 | 06993 | 869 | 114797 | September-07 | 142922265 | |||||||||||||||||||||||||||||||||||
December-07 | December-07 | 0 | 1319 | 2000 | 6595 | 2000 | Internet World Stats | 3500 | 0722 | 886 | 117258 | December-07 | 154663302 | |||||||||||||||||||||||||||||||||||
March-08 | March-08 | 0 | 1407 | 2110 | 7035 | 2110 | Internet World Stats | 3600 | 07665 | 902 | 119683 | March-08 | 168393981 | |||||||||||||||||||||||||||||||||||
June-08 | June-08 | 0 | 1463 | 2190 | 7315 | 2190 | Internet World Stats | 3700 | 07884 | 918 | 122071 | June-08 | 178589873 | |||||||||||||||||||||||||||||||||||
September-08 | September-08 | 0 | 1504 | 2250 | 7520 | 2250 | Internet World Stats | 3800 | 08101 | 949 | 126736 | September-08 | 190610944 | |||||||||||||||||||||||||||||||||||
December-08 | December-08 | 0 | 1574 | 2350 | 7870 | 2350 | Internet World Stats | 3900 | 08314 | 964 | 12901 | December-08 | 20306174 | |||||||||||||||||||||||||||||||||||
March-09 | March-09 | 0 | 1596 | 2380 | 7980 | 2380 | Internet World Stats | 4000 | 08525 | 971 | 13 | March-09 | 20748 | |||||||||||||||||||||||||||||||||||
June-09 | June-09 | 0 | 1669 | 2470 | 8345 | 2470 | Internet World Stats | 4100 | 08733 | 998 | 134 | June-09 | 223646 | |||||||||||||||||||||||||||||||||||
September-09 | September-09 | 0 | 1734 | 2560 | 8670 | 2560 | Internet World Stats | 4200 | 08938 | 1018 | 137 | September-09 | 237558 | |||||||||||||||||||||||||||||||||||
December-09 | December-09 | 0 | 1802 | 2660 | 9010 | 2660 | Internet World Stats | 4300 | 0914 | 1051 | 142 | December-09 | 255884 | |||||||||||||||||||||||||||||||||||
June-10 | June-10 | 0 | 1966 | 2870 | 9830 | 2870 | Internet World Stats | 4400 | 09339 | 1078 | 146 | June-10 | 287036 | |||||||||||||||||||||||||||||||||||
September-10 | September-10 | 0 | 1971 | 2880 | 9855 | 2880 | Internet World Stats | 4500 | 09728 | 1112 | 151 | September-10 | 297621 | |||||||||||||||||||||||||||||||||||
09917 | 000 | 155333333333 | ||||||||||||||||||||||||||||||||||||||||||||||
159833333333 |
33208 | |
35034 | |
35400 | |
35765 | |
36130 | |
36495 | |
36861 | |
37226 | |
37591 | |
37956 | |
38322 | |
38687 | |
39052 | |
39417 | |
39783 | |
40148 | |
40513 |
Biometrics
59
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Hardware Tokens
61
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Everybody |
DATE | DATE | NUMBER OF USERS | WORLD | WORLD | INFORMATION | DATE | DATE | NUMBER OF USERS | DATE | DATE | acctsyr | |||||||||||||||||||||||||||||||||||||
POPULATION | POPULATION | SOURCE | ||||||||||||||||||||||||||||||||||||||||||||||
December-90 | 0 | 3 | 15 | 020 | 00261 | 000 | 1 | December-90 | 3 | 1 | December-90 | 3 | 1 | December-90 | 3 | 3 | December-90 | 3 | 1 | 3 | ||||||||||||||||||||||||||||
December-95 | December-95 | 0 | 16 | 040 | 80 | 040 | IDC | 100 | 00522 | 180 | 12 | December-95 | 192 | December-95 | 16 | 1778 | December-95 | 48 | 28448 | December-95 | 48 | 3 | 48 | |||||||||||||||||||||||||
December-96 | December-96 | 0 | 36 | 090 | 180 | 090 | IDC | 200 | 00783 | 188 | 13132 | December-96 | 472752 | December-96 | 36 | 1994916 | December-96 | 126 | 71816976 | December-96 | 1368 | 38 | 126 | |||||||||||||||||||||||||
December-97 | December-97 | 0 | 70 | 170 | 350 | 170 | IDC | 300 | 01043 | 209 | 16263 | December-97 | 113841 | December-97 | 70 | 2238295752 | December-97 | 280 | 15668070264 | December-97 | 322 | 46 | 280 | |||||||||||||||||||||||||
December-98 | December-98 | 0 | 147 | 360 | 735 | 360 | CI Almanac | 400 | 01303 | 230 | 19391 | December-98 | 2850477 | December-98 | 147 | 25113678337 | December-98 | 6615 | 3691710715604 | December-98 | 7791 | 53 | 6615 | |||||||||||||||||||||||||
December-99 | December-99 | 0 | 248 | 410 | 1240 | 410 | Nua Ltd | 500 | 01563 | 251 | 22517 | December-99 | 5584216 | December-99 | 248 | 28177547095 | December-99 | 1240 | 6988031679463 | December-99 | 15376 | 62 | 1240 | |||||||||||||||||||||||||
March-00 | March-00 | 0 | 304 | 500 | 1520 | 500 | Nua Ltd | 600 | 01822 | 272 | 25638 | March-00 | 7793952 | December-00 | 361 | 3161520784 | December-00 | 19855 | 11413090030294 | December-00 | 2527 | 7 | 19855 | |||||||||||||||||||||||||
July-00 | July-00 | 0 | 359 | 590 | 1795 | 590 | Nua Ltd | 700 | 02081 | 293 | 28754 | July-00 | 10322686 | December-01 | 543 | 35472263197 | December-01 | 3258 | 1926143891578 | December-01 | 39639 | 73 | 3258 | |||||||||||||||||||||||||
December-00 | December-00 | 0 | 361 | 580 | 1805 | 580 | Internet World Stats | 800 | 02338 | 313 | 31864 | December-00 | 11502904 | December-02 | 607 | 39799879307 | December-02 | 39455 | 2415852673913 | December-02 | 47953 | 79 | 39455 | |||||||||||||||||||||||||
March-01 | March-01 | 0 | 458 | 760 | 2290 | 760 | Nua Ltd | 900 | 02852 | 334 | 34967 | March-01 | 16014886 | December-03 | 719 | 44655464582 | December-03 | 5033 | 32107279034493 | December-03 | 61115 | 85 | 5033 | |||||||||||||||||||||||||
June-01 | June-01 | 0 | 479 | 790 | 2395 | 790 | Nua Ltd | 1000 | 03107 | 355 | 38061 | June-01 | 18231219 | December-04 | 817 | 50103431261 | December-04 | 61275 | 40934503340285 | December-04 | 7353 | 9 | 61275 | |||||||||||||||||||||||||
August-01 | August-01 | 0 | 513 | 860 | 2565 | 860 | Nua Ltd | 1100 | 03361 | 396 | 44221 | August-01 | 22685373 | December-05 | 1018 | 56216049875 | December-05 | 8144 | 57227938772657 | December-05 | 9467 | 93 | 8144 | |||||||||||||||||||||||||
April-02 | April-02 | 0 | 558 | 860 | 2790 | 860 | Internet World Stats | 1200 | 03614 | 417 | 47284 | April-02 | 26384472 | December-06 | 1093 | 6307440796 | December-06 | 9291 | 68940327899894 | December-06 | 10602 | 97 | 9291 | |||||||||||||||||||||||||
July-02 | July-02 | 0 | 569 | 910 | 2845 | 910 | Internet World Stats | 1300 | 03866 | 437 | 50334 | July-02 | 28640046 | December-07 | 1319 | 70769485731 | December-07 | 11871 | 93344951678825 | December-07 | 13454 | 102 | 11871 | |||||||||||||||||||||||||
September-02 | September-02 | 0 | 587 | 940 | 2935 | 940 | Internet World Stats | 1400 | 04117 | 458 | 53371 | September-02 | 31328777 | December-08 | 1574 | 7940336299 | December-08 | 14953 | 124980893346059 | December-08 | 16527 | 105 | 14953 | |||||||||||||||||||||||||
March-03 | March-03 | 0 | 608 | 970 | 3040 | 970 | Internet World Stats | 1500 | 04366 | 478 | 56394 | March-03 | 34287552 | December-09 | 1802 | 89090573275 | December-09 | 18020 | 160541213040896 | December-09 | 19462 | 108 | 18020 | |||||||||||||||||||||||||
September-03 | September-03 | 0 | 677 | 1060 | 3385 | 1060 | Internet World Stats | 1600 | 04614 | 498 | 59401 | September-03 | 40214477 | December-10 | 1971 | 99959623214 | December-10 | 20696 | 197020417355075 | December-10 | 21681 | 11 | 20696 | |||||||||||||||||||||||||
October-03 | October-03 | 0 | 682 | 1070 | 3410 | 1070 | Internet World Stats | 1700 | 0486 | 518 | 62392 | October-03 | 42551344 | |||||||||||||||||||||||||||||||||||
December-03 | December-03 | 0 | 719 | 1110 | 3595 | 1110 | Internet World Stats | 1800 | 02852 | 538 | 65365 | December-03 | 46997435 | |||||||||||||||||||||||||||||||||||
February-04 | February-04 | 0 | 745 | 1150 | 3725 | 1150 | Internet World Stats | 1900 | 03107 | 558 | 6832 | February-04 | 508984 | |||||||||||||||||||||||||||||||||||
May-04 | May-04 | 0 | 757 | 1170 | 3785 | 1170 | Internet World Stats | 2000 | 03361 | 597 | 7417 | May-04 | 5614669 | |||||||||||||||||||||||||||||||||||
October-04 | October-04 | 0 | 812 | 1270 | 4060 | 1270 | Internet World Stats | 2100 | 03614 | 616 | 77064 | October-04 | 62575968 | |||||||||||||||||||||||||||||||||||
December-04 | December-04 | 0 | 817 | 1270 | 4085 | 1270 | Internet World Stats | 2200 | 03866 | 636 | 79935 | December-04 | 65306895 | |||||||||||||||||||||||||||||||||||
March-05 | March-05 | 0 | 888 | 1390 | 4440 | 1390 | Internet World Stats | 2300 | 04117 | 655 | 82782 | March-05 | 73510416 | |||||||||||||||||||||||||||||||||||
June-05 | June-05 | 0 | 938 | 1460 | 4690 | 1460 | Internet World Stats | 2400 | 04366 | 674 | 85606 | June-05 | 80298428 | |||||||||||||||||||||||||||||||||||
September-05 | September-05 | 0 | 957 | 1490 | 4785 | 1490 | Internet World Stats | 2500 | 04614 | 692 | 88404 | September-05 | 84602628 | |||||||||||||||||||||||||||||||||||
November-05 | November-05 | 0 | 972 | 1520 | 4860 | 1520 | Internet World Stats | 2600 | 0486 | 711 | 91176 | November-05 | 88623072 | |||||||||||||||||||||||||||||||||||
December-05 | December-05 | 0 | 1018 | 1570 | 5090 | 1570 | Internet World Stats | 2700 | 05348 | 729 | 93921 | December-05 | 95611578 | |||||||||||||||||||||||||||||||||||
March-06 | March-06 | 0 | 1023 | 1570 | 5115 | 1570 | Internet World Stats | 2800 | 05589 | 747 | 96638 | March-06 | 98860674 | |||||||||||||||||||||||||||||||||||
June-06 | June-06 | 0 | 1043 | 1600 | 5215 | 1600 | Internet World Stats | 2900 | 05828 | 783 | 101984 | June-06 | 106369312 | |||||||||||||||||||||||||||||||||||
Biometrics
59
Biometrics
• Alternatives to Passwords
• Challenges: Revoke, Secrecy
60
Hardware Tokens
61
Hardware Tokens
• Alternatives to Passwords
• Challenge: $$$ + more stuff to carry around
62
Graphical Passwords
• Examples
• Passfaces, Cued Click Points, Windows 8
63
Graphical Passwords
• Graphical Passwords
• Passfaces, Cued Click Points, Windows 8
• Challenge: Multiple Passwords
64
Graphical Passwords: Hotspots
Password Managers
• Password Management Software
67
Related Work
• Password Management Software
• Challenge: Single point of failure
68
[Embedded chart data: number of Internet users and world population by date, December 1990 to September 2010 (information sources: IDC, CI Almanac, Nua Ltd, Internet World Stats), with an accounts-per-year column; values not reproduced here]