Investigate "Balloon Hash" as alternative for Argon2 or Scrypt #40
Comments
|
Avoid (not in order because they’re all bad): Balloon hashing: arguably better than Argon2 since it's similar in strength whilst having a more impressive design (e.g. no separate variants, resistance to cache attacks, easy to implement with standard cryptographic hash functions, and performant). Unfortunately, it has seen virtually no adoption. There seems to be no information on recommended parameters, the reference implementation is henrycg/balloon#5 (comment), there are no official test vectors, there's no RFC draft, and only a handful of people have implemented the algorithm, with it not being in any popular libraries. Therefore, just use Argon2, which has now been standardised and widely adopted. |
|
I'll take one-by-one your arguments:
As such, I don't see yet any compelling reason why not to use Balloon Hash. |
BTW it's arguments of Samuel Lucas |
|
@samuel-lucas6 Could you comments this, please? |
|
I'd recommend sticking with Argon2, at least for the time being. It's among the best we have in practice but not perfect. It should be stronger and significantly faster than Balloon/BKDF. I don't see any reason to use scrypt over Argon2. I don't think it's a good idea to use algorithms that don't have a proper specification or that have a specification that's subject to change. This doesn't have to be an RFC, but it needs to be documented in some fashion with rationale. I technically did do a version of the Internet-Draft for the Rust Crypto implementation of Balloon, but it's not the ideal way to specify Balloon. Then BKDF is a work in progress that I'd like further feedback on, just cryptographers/engineers aren't particularly interested. There doesn't seem to be as much research/reading on password hashing compared to some other topics, and it feels like most people have given up after Argon2. The non-academic, cache-hardness proposals like Pufferfish2 and bscrypt have the same issue with no specification and a lack of peer review. They shouldn't be considered suitable for production. I agree with the remainder of what you've said. |
Well, I assume that the original paper describing the algorithm does fit this bill, right? |
Nope because they didn't take the time to properly specify the algorithm. It leaves lots of implementation details unspecified, meaning you'll end up with non-interoperable implementations that potentially offer different security properties/levels of security. |
Besides not specifying which hash algorithm to use, I don't see any meaningful missing details. Could you point to some?
To put things into perspective, this project offers an "experimental" encryption scheme based on ChaCha20, Blake3, X25519, and Argon2, but it doesn't implement any existing standard, outside of "best practices". Thus, interoperability is not an issue. |
The paper pseudocode doesn't define things like
Those are all algorithms with a specification. That sounds more like a protocol than a scheme. I don't think there's anything wrong with doing something like ChaCha20-BLAKE3 as an AEAD with justification, but there's very little justification for using Balloon currently. If you're certain you want to implement it, I'd recommend writing a specification for your version of Balloon. |
|
[I find all of the issues a bit like nit-picking...]
Well, let's assume they are 64 bits in size, and just represent them as big-endian bytes and concatenate them.
64 bit big-endian again.
Which "max parameters"? The rounds and memory size can be arbitrarily large without any issues.
The "encoding" of what?
I believe this is a solved problem, especially since the algorithm works only with counters or indices (64 bit thus) or full blocks.
Indeed, this is the biggest issue, but one could use the latest variant described in the paper, because most other papers have chosen the latest variant to review. With regard to the parallel version (I'm assuming it's the |
In that case, I'm going to unsubscribe from this conversation as there's no point going around in circles. I will just leave you with the following:
|
I am sorry, I didn't meant to offend you.
Here by "arbitrarily" I meant some limit that does make sense in the real world. One would have to apply limits in a practical sense, else the actual code wouldn't be able to run (wouldn't be able to actually allocate memory), or wouldn't finish (if the iterations are too large). With regard to the 64bit counter overflow, given what I've read from the paper, I believe its main purpose is to aid the security proof, because wherever However, the counter can be then increased to a 128 bit integer, or even let to wrap, as I don't believe the whole strength of the algorithm lies in the counter. (Even with 128 bits, if one chooses the max 64 bit value for both memory and size, it can overflow, as for each iteration it's incremented 1+delta*2 times.)
Indeed, but there are two choices, neither of which are good:
With regard to modulo bias,
Compared to what?
Not an issue for my particular use-case. (I need a function that takes a 32 byte key (salt), some data (password), munge on it to thwart brute-force guessing attacks, and spit out another 32 bytes.) |
Salt is not secret. Then what is the problem in this case? |
From what I gather, the general consensus is that an attacker could observe which salt is being used, kind of fingerprinting if not exactly the exact value of the salt, for example by noticing patterns in memory access. Thus, it can expose "which" user is login-in, or which key is being encrypted / decrypted. |
|
IMHO revealing non-secret data is better than revealing secret data.
This is like metadata leakage, not secret data leakage. |
See:
The text was updated successfully, but these errors were encountered: