CRII: SaTC: Towards the Development of Stronger Memory-Hard Functions for Secure Password Hashing

CRII：SaTC：致力于开发更强的内存硬函数以实现安全密码散列

• 批准号: 1755708
• 负责人: Jeremiah Blocki
• 金额: $ 17.5万
• 依托单位: Purdue University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-08-01 至 2020-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1755708&HistoricalAwards=false
• 关键词: CRII; SaTC; Towards; Development; Stronger

Recent data breaches have exposed billions of user passwords to the dangerous threat of an offline password attacker who attempts to guess each user's password by brute force. Because an offline attacker can validate each password guess by itself using stolen password hashes from a data breach it is not possible to "lock out" an offline attacker after several incorrect guesses. The attacker is limited only by the computational resources necessary to mount a brute-force attack. To mitigate the risk of an offline attack the goal of a secure password hashing algorithm is to ensure that a brute force attack is prohibitively expensive even if the attacker has access to customized hardware such as an Application Specific Integrated Circuit (ASIC) that is optimized for password cracking. Memory hard functions (MHFs), functions whose computation require a large amount of memory, are a crucial cryptographic tool to achieve this goal since memory is expensive even on an ASIC. This project advances scientific understanding of memory hard functions and will directly impact future cryptographic standards for password hashing.The project is developing improved cryptanalysis techniques to evaluate the security of an MHF resulting in a deeper understanding of currently deployed MHFs. A main goal of this work is to design practical constructions of MHFs with provably optimal memory hardness in terms of bandwidth hardness, sustained space complexity, and amortized area-time complexity. Furthermore, the project focuses on establishing a scientific basis for tuning the parameters of an MHF to ensure that brute-force attacks are prohibitively expensive.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

最近的数据泄露事件使数十亿用户密码暴露在离线密码攻击者的危险威胁之下，这些攻击者试图通过暴力破解来猜测每个用户的密码。由于离线攻击者可以使用从数据泄露中窃取的密码散列来验证每个密码猜测，因此在多次错误猜测之后不可能“锁定”离线攻击者。攻击者仅受到发动暴力攻击所需的计算资源的限制。为了降低离线攻击的风险，安全密码散列算法的目标是确保暴力破解的成本过高，即使攻击者可以访问定制的硬件，例如针对密码破解进行优化的专用集成电路（ASIC）。存储器硬函数（MHF），其计算需要大量存储器的函数，是实现这一目标的关键密码工具，因为即使在ASIC上存储器也是昂贵的。该项目推进了对存储器硬函数的科学理解，并将直接影响未来密码散列的加密标准。该项目正在开发改进的密码分析技术，以评估MHF的安全性，从而加深对当前部署的MHF的理解。这项工作的一个主要目标是设计实用的MHF结构，可证明最佳的记忆硬度的带宽硬度，持续的空间复杂性，摊销面积时间复杂性。此外，该项目的重点是建立一个科学的基础，以调整MHF的参数，以确保蛮力攻击是令人望而却步的昂贵。这个奖项反映了NSF的法定使命，并已被认为是值得的支持，通过评估使用基金会的智力价值和更广泛的影响审查标准。

项目成果

Towards a Rigorous Statistical Analysis of Empirical Password Datasets

• DOI: 10.1109/sp46215.2023.10179431
• 发表时间: 2021-05
• 期刊: 2023 IEEE Symposium on Security and Privacy (SP)
• 作者: Jeremiah Blocki;Peiyuan Liu

Locally Decodable/Correctable Codes for Insertions and Deletions

用于插入和删除的本地可解码/可纠正代码

• DOI: 10.4230/lipics.fsttcs.2020.16
• 发表时间: 2020
• 期刊: 40th IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science
• 作者: Block, A;Blocki, J;Grigorescu, E;Kulkarni, S;Zhu, M.
• 通讯作者: Zhu, M.

Computationally Data-Independent Memory Hard Functions

计算数据独立的内存硬函数

• DOI: 10.4230/lipics.itcs.2020.36
• 发表时间: 2020
• 期刊: Leibniz international proceedings in informatics
• 作者: Ameri, M;Blocki, J;Zhou, S.
• 通讯作者: Zhou, S.

Relaxed Locally Correctable Codes in Computationally Bounded Channels*

计算有限通道中的宽松局部可校正代码*

• DOI: 10.1109/isit.2019.8849322
• 发表时间: 2019
• 期刊: Relaxed Locally Correctable Codes in Computationally Bounded Channels
• 作者: Blocki, Jeremiah;Gandikota, Venkata;Grigorescu, Elena;Zhou, Samson
• 通讯作者: Zhou, Samson

DALock: Password Distribution-Aware Throttling

• DOI: 10.56553/popets-2022-0084
• 发表时间: 2022-07
• 期刊: Proc. Priv. Enhancing Technol.
• 作者: Jeremiah Blocki;Wuwei Zhang