On Tue, Aug 21, 2018 at 01:19:00 CEST, procmem wrote:
>> Arno Wagner wrote:
> procmem wrote:
> >> Hi Milan, Whonix (privacy distro) maintainer here. We are researching
> >> the best password advice to give to our users and while diceware is a
> >> great improvement over the status quo, the recommendation by
> >> cryptographers in light of quantum computing is to choose pass phrases
> >> with a length equivalent to 256 bits because Grovers will halve the bit
> >> length. This requires phrases to be 20 words long for 256 bits which is
> >> excessive IMO and the reason we are looking at key-stretching for
> >> shorter ones instead.
> >
> > This is completely irrelevant for key derivation. No QC
> > will be able to do a few 1000 iterations of KDF this century,
> > and actually it would need to reverse them. Also, the size of
> > the QC needed is not the password-size, but the minimal memory
> > needed to compute the KDF on it. So with something like
> > Argon2, the QC would need as many bits as the configured memory.
> >
> > In addition, it is still completely unclear whether QC will
> > ever scale. There is no indication that it will after now
> > something like 40 years of intense research. This is just another
> > hype that will not die because too many people believe in magic
> > and normal computing has effectively stopped scaling half a
> > decade back or so.
> >
> > Well, actually, it is pretty clear at this time that QC does
> > not scale at all in practice and that its scale-up over time
> > may well be inverse exponential. If so, it will never be of any use.
> >
>> True. I've seen other cryptographers skeptical of QCs ever materializing
> in practice excepting a black swan event. However they still support
> development of PQ ciphers just in case this happens so we aren't caught
> with our oants down in a cryptocalypse. Projects like Tor are working on
> a PQ KEM just in case.
>> While I'd personally love to see quantum computing never succeed because
> it only benefits institutions and not regular people, common sense says
> its still a plausible scenario to consider until a mathematical proof
> disproving the possibility of a large QC surfaces.
For some ciphers, this makes some sense. But a KFD is not really
vulnerable to QCs, even if they eventually work and scale.
And with the large-memory property of Argon2, the QC even
able to work on it would need to be enormous.
> >
> >>
> >> * What is the time/sec margin added to a password with Argon2id's best
> >> parameters?
> >
> > There are no "best" parameters. It depends on your application and
> > target system. That said, computationally, it is bascially just
> > the same as PBKDF2, ARGON2 just adds a minimal memory requirements
> > or you get exponentially worse.
> >
>> I've read arguments to the effect of LUKS1 PBKDF2 being a badly broken
> Maginot Line in the face of adversaries with GPUs even if configured
> with 10K iterations.
Well, LUKS1 is at arond 500k iteration for a modern CPU, so that
is not a threat. Calling it "badly broken" is pretty much nonsense,
even for only 10k iterations. All a KDF does is lower the amount
of entropy in the passhrase somewhat, it does not prevent breaking
of really bad passphrases and that is not its purpose in the first
place. Its purpose is to shift the boder between "good" and "bad"
a bit and that is it.
> My reasoning was: An adversary who has a ton of GPUs can circumvent
> legacy PBKDF2's key-stretching benefits and then in the event of
> possessing a QC we then basically have nothing to rely on besides the
> master key bit size.
What makes you think a QC would be useful in breaking PBKDF2?
To the best of my knowledge, breaking PBKDF2 requires brute-forcing.
Again to the best of my knowledge, a QC has zero advantage
under these conditions. I may be wrong.
> But I'm getting the impression from you that Argon2 is merely a minor
> improvement over the original PBKDF2 and that the latter is not
> hopelessly defeated by GPUs?
The streteching effect is pretty much the same. The advantage
is that GPUs cannot efficiently calculate Argon2.
> Unlike symmetric key strength and passphrase entropy that I can easily
> calculate, I have no idea how much PBKDF2 can delay bruteforcing by an
> adversary with massive CPU let alone GPU power. Do you know where I can
> read about this?
For GPU-power, nowhere, it is useless against Argon2, unless you
configure a tiny memory footprint. Obvously, you should not do that.
For CPU, it is pretty much "time to calculate hash" = "time for one
step brute-forcing attempt". This is a fundamental limitation, not
one of Argon2.
[...]
> > Just keep in mind that with a good passphrase, even a single, plain,
> > unsalted SHA-1 is unbroken at this time and even secure against the
> > mythical extreme powers (not) of a QC. There is really no need to
> > fret over key derivation, the weaknesses are in entirely different
> > places.
>> Indeed. Hashing is quantum resistant and many PQ systems are based on
> this premise like DJB's SPHINCS signing suite. I guess I didn't frame my
> question properly and you thought I meant PBKDF2 being suddenly
> vulnerable to QC rather than GPUs.
>> Thanks for your insight and work on LUKS. I learn something new every day.
You are welcome. To sum this up, what Argon2 does is it
makes a configurable amount of memory mandatory to attack
it. This is usually set to 1GB or so and makes GPUs completely
unusable as attack platform. CPU-based brute-forcing is not
impacted (if there is enough RAM) and nothing can be done there.
After all, the normal usage scenario also use a normal CPU.
So if a legitimate Argon2 hashing takes 1 sec on a normal
CPU, an attacker gets pretty much the same rate for brute-forcing.
Regards,
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
More information about the Whonix-devel
mailing list
“Look here!” Dick began to chuckle. “We’ve got a queer combination to work with—our Sky Patrol has! Suspicious Sandy—and—Superstitious Jeff!” Sandy grinned ruefully, a little sheepishly. Larry smiled and shook his head, warning Dick not to carry his sarcasm any further, as Jeff frowned. 52 "You do doubt me. If you did not, it would never occur to you to deny it. You doubt me now, and you will doubt me still more if you don't read it. In justice to me you must." "That same. She was part Mescalero, anyway." This Act, as disgraceful as any which ever dishonoured the statute-book in the reigns of the Tudors or Stuarts, was introduced into the Commons, on the 12th of May, by Sir William Wyndham, and was resolutely opposed by the Whigs, amongst whom Sir Peter King, Sir Joseph Jekyll, Mr. Hampden, Robert Walpole, and General Stanhope distinguished themselves. They did not convince the majority, which amounted to no less than two hundred and thirty-seven to one hundred and twenty-six. In the Lords, Bolingbroke himself moved the second reading, and it was ably opposed by the Lords Cowper, Wharton, Halifax, Townshend, Nottingham, and others. The greatest curiosity was displayed regarding the part which Oxford would take, as it was known that in the Council he had endeavoured to soften the rigorous clauses; but in the House he followed his usual shuffling habit, declaring that he had not yet considered the question; and, having induced the Opposition to let the second reading pass without a division, he absented himself from the final voting, and thus disgusted both parties and hastened his own fall. The battle of Falkirk, which in itself appeared so brilliant an affair for Prince Charles, was really one of his most serious disasters. The Highlanders, according to their regular custom when loaded with plunder, went off in great numbers to their homes with their booty. His chief officers became furious against each other in discussing their respective merits in the battle. Lord George Murray, who had himself behaved most bravely in the field, complained that Lord John Drummond had not exerted himself, or pursuit might have been made and the royal army been utterly annihilated. This spirit of discontent was greatly aggravated by the siege of the castle of Stirling. Old General Blakeney, who commanded the garrison, declared he would hold out to the last man, in spite of the terrible threats of Lord George Murray if he did not surrender. The Highlanders grew disgusted with work so contrary to their habits; and, indeed, the French engineer, the so-called Marquis de Mirabelle, was so utterly ignorant of his profession, that the batteries which he constructed were commanded by the castle, and the men were so much exposed that they were in danger of being destroyed before they took the fortress. Accordingly, on the 24th of January they struck to a man, and refused to go any more into the trenches. "Haint we bit off more'n we kin chaw. Shorty?" asked Si, as he looked over the increasing gang. "Hadn't we better ask for some help?" "How far would it carry?" Corpril, Company Q, 2 Hundsrdth Injiamiy Volintear "He d?an't care much. F?ather, he likes to be comfortable, and this Inclosure w?an't make much difference to that. 'T?un't as if we wanted the pasture badly, and F?ather he d?an't care about land." "Byles," interrupted Calverley, speaking rapidly, "you are poor—you are in arrear with your rent; a distress will be levied, and then what will become of you—of your wife and the little one? Listen to me! I will give you money to keep a house over your head; and when I am steward, you shall have the first farm at my lord's disposal, if you will only aid me in my revenge! Revenge!" he repeated, vehemently—"but you hesitate—you refuse." "Yes, yes, there is little doubt of that: but how can we come at the truth? Sudbury still retains his wrath against us, and would oppose an arrest; and even could he be waylaid, and brought hither, he is stubborn, and might refuse to answer." HoME一级做人爱c视正版免费
ENTER NUMBET 0017 yitou7.com.cn xrstkj.com.cn mahe3.net.cn www.qiedi2.com.cn www.cunya8.net.cn renfa1.net.cn www.koubu8.net.cn www.maofu7.net.cn 6848.net.cn 875139.org.cn