In Balloon, a salt is used to seed a CSPRNG that picks dependency blocks pseudo-randomly. This salt is obviously not a secret, and an adversary can know that it would pick a given sequence.

For example, if we have memory blocks 1 … 10, this salted CSPRNG would always pick (say) 3, 9, 1, 0, 5, 5, … every single time, for every password.

Since the adversary now knows that the access pattern is always 3, 9, 1, 0, 5, 5, …, my question is: how is this any different than following just the ascending sequence 0, 1, 2, …, 10 instead?

To rephrase: I'm suspecting both are sequential arithmetic orders, except one is in a Euclidean space, whereas the salted CSPRNG is in a non-Euclidean space. So, if we move to the non-Euclidean space (by a transformation function), then it'd appear as a sequential arithmetic order. How is this helping "memory hardness"? Why can't we just pick the arithmetic sequence in a Euclidean space?

Basically, my concern is: the salted CSPRNG is just complicating us from seeing what's actually happening, and that the security reality is no different than the sequential arithmetic ascension in Euclidean space.

caveman

1 Answer

The answer I got from the comments seems to conclude:

  • CSPRNG key-independent MHKDFs are no different than simply sequentially picking dependency blocks in a boring way (like, always pick $10$ blocks before the current block that you want to update).
  • The only difference: by picking a new salt, one could hope that there are no ASICs made for the CSPRNG sequence that the salt makes.
caveman
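
The claim discussed above, that the dependency order is fixed by the salt and is the same for every password, can be checked directly. The following Python sketch is an added example, not part of the original post and not the Balloon reference code: `balloon_like` is a simplified expand/mix/extract loop in the style of Balloon using SHA-256, and `pick`, `salt_only_pattern`, the parameter values and the sample passwords and salts are constructed for illustration.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    # Length-prefix each part so different splits cannot hash alike.
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(8, "little") + p)
    return h.digest()

def i2b(n: int) -> bytes:
    return n.to_bytes(8, "little")

def pick(cnt, salt, t, m, i, s_cost):
    # Dependency index: a function of public values only, never the password.
    return int.from_bytes(H(i2b(cnt), salt, i2b(t), i2b(m), i2b(i)), "little") % s_cost

def balloon_like(password, salt, s_cost=16, t_cost=2, delta=3):
    # Simplified Balloon-style hash (assumption: not the reference algorithm).
    buf = [H(i2b(0), password, salt)]                 # expand
    for m in range(1, s_cost):
        buf.append(H(i2b(m), buf[m - 1]))
    cnt, seen = s_cost, []
    for t in range(t_cost):                           # mix
        for m in range(s_cost):
            buf[m] = H(i2b(cnt), buf[m - 1], buf[m])  # buf[-1] wraps around
            cnt += 1
            for i in range(delta):
                other = pick(cnt, salt, t, m, i, s_cost)
                seen.append(other)
                buf[m] = H(i2b(cnt + 1), buf[m], buf[other])
                cnt += 2
    return buf[-1], seen                              # extract

def salt_only_pattern(salt, s_cost=16, t_cost=2, delta=3):
    # What anyone holding only the salt can precompute.
    cnt, out = s_cost, []
    for t in range(t_cost):
        for m in range(s_cost):
            cnt += 1
            for i in range(delta):
                out.append(pick(cnt, salt, t, m, i, s_cost))
                cnt += 2
    return out

if __name__ == "__main__":
    d1, p1 = balloon_like(b"hunter2", b"salt-A")          # constructed inputs
    d2, p2 = balloon_like(b"correct horse", b"salt-A")
    print(p1 == p2 == salt_only_pattern(b"salt-A"), d1 != d2)
    print(p1[:6], salt_only_pattern(b"salt-B")[:6])
```

Two passwords under the same salt touch blocks in the identical order while producing different digests; changing the salt changes the order.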