7

Modern key stretching functions (password-based key derivation functions, also used for password hashing) are memory-hard to mitigate parallel attacks, and as far as I know this is working well. Last year there was the password hashing competition (PHC 2015), where new password hashing functions were presented; Argon2 is going to be the new recommended password hash.

In the last few years Intel introduced its Xeon Phi coprocessors, which are devices with a moderate number of cores and great memory. At first sight this seems to be the perfect weapon for a hardware-accelerated dictionary attack (or brute-force) on these memory-hard KDFs.

Is it really feasible? How?

If yes, is there a way to emulate this architecture's behaviour on such tasks?

refex

1 Answer

6

The key idea of memory-hard functions like scrypt and Argon2, as I understand them, is to analyze the cost to the attacker in terms of a time-area product. Time is how much time the attacker spends. Area is how much silicon they use for the attack. The attacker is going to allocate a given area, but once that amount is fixed:

  • More cores means less memory dedicated to each core;
  • More memory dedicated to each core means fewer cores.

This sort of analysis should still apply to the coprocessors you bring up. Since they offer lots of memory per core, this must inevitably come at the cost of fewer cores than could otherwise be put in the same area of silicon. But if the functions' time-area product cost analysis is correct, the attacker should be unable to gain an advantage this way; the speed each core gains from its generous memory allocation should come at a corresponding loss in parallelism.

Note in passing that:

  • Memory complexity implies time complexity (using memory requires time). So algorithms that use a lot of memory are by necessity going to be (at least) proportionately slow.
  • Argon2 supports tuning the memory and time cost more or less independently. I.e., for a given amount of memory, we can always raise the time cost further to thwart a high-memory but low-parallelism attacker.

Luis Casillas
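An added example, not part of the answer above and not code from scrypt or Argon2: a toy ROMix-style memory-hard function, with SHA-256 standing in for the real mixing function, that counts the hash calls needed when only every `stride`-th block is kept in memory. The names `romix`, `stride`, `passes` and `tradeoff_table`, and the sample seed, are assumptions made for this illustration.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def romix(seed: bytes, n: int, stride: int = 1, passes: int = 1):
    """Toy ROMix-style function (illustrative only, not scrypt or Argon2).

    n      : memory cost in 32-byte blocks
    passes : time cost, number of sweeps of n data-dependent reads
    stride : 1 = honest evaluation storing all n blocks; k > 1 = keep only
             every k-th block and recompute the others on demand
    Returns (digest, hash_calls, blocks_stored).
    """
    calls = 1
    x = H(seed)
    stored = {}
    # Phase 1: sequential fill; block i is the i-th link of a hash chain.
    for i in range(n):
        if i % stride == 0:
            stored[i] = x
        x = H(x)
        calls += 1
    # Phase 2: the block to read depends on the running state, so the
    # evaluator cannot know in advance which blocks are safe to discard.
    for _ in range(passes * n):
        j = int.from_bytes(x[:8], "big") % n
        base = j - (j % stride)
        v = stored[base]
        for _ in range(j - base):      # walk the chain forward to block j
            v = H(v)
            calls += 1
        x = H(bytes(a ^ b for a, b in zip(x, v)))
        calls += 1
    return x, calls, len(stored)

def tradeoff_table(seed: bytes = b"constructed-sample-input", n: int = 1024):
    """Rows of (stride, blocks_stored, hash_calls, digest) for one input."""
    rows = []
    for stride in (1, 2, 4, 8, 16):
        digest, calls, blocks = romix(seed, n, stride)
        rows.append((stride, blocks, calls, digest))
    return rows

if __name__ == "__main__":
    for stride, blocks, calls, _ in tradeoff_table():
        print(f"stride={stride:2d} memory={blocks:5d} blocks hash_calls={calls:6d}")
```

Every row yields the same digest: memory falls by the stride while the hash-call count rises with it, and raising `passes` raises the call count without changing the memory stored.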