54

I wonder if it can be approximated how much of a security margin the new Argon2 hash, winner of the password hashing competition, can give over bcrypt or PBKDF2, for an attacker using large GPU systems.

Practically speaking, if I have had a key-derivation-function running for one second on my server, how much of a security margin am I roughly gaining by running Argon2 for one second (e.g. using 2 GB of memory, otherwise default settings)?

I am looking for more of a theoretical answer / guess based on the cryptographic differences between these schemes.

azren

1 Answer

34

Coming up with a specific number is hard. Realistically, all three options take you well out of the realm of ever having more than the absolute worst passwords brute-forced by an attacker.

The primary gain of scrypt and Argon2 over bcrypt is a hit to parallelism due to the addition of memory requirements. GPUs with thousands of cores will need (but don't have) absurd amounts of memory, so most of those cores will need to remain idle. FPGAs and ASICs become much more expensive as they have to incorporate large amounts of memory, so you're really just forcing an attacker to trade a significantly larger number of dollars for equivalent parallelism.

The primary gains of Argon2 over scrypt (anyone correct me if I'm wrong):

  • improved resistance against Time Memory Trade-Off Attacks (TMTO),
  • better side-channel resistance (scrypt is vulnerable to cache-timing attacks due to secret-dependent memory access patterns), and
  • the ability to increase CPU and memory requirements independently of one another.
Spej
Stephen Touset
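The side-channel and independent-tuning points in the answer above can be seen in a toy memory-hard function. This is an added example, not part of the original answer and not real scrypt or Argon2: `toy_mhf`, its parameters and the sample inputs are hypothetical, and it only contrasts secret-dependent block addressing (scrypt/ROMix style) with addressing derived from public inputs (Argon2i style).

```python
import hashlib

def _h(*parts: bytes) -> bytes:
    # Toy compression function; real schemes use Salsa20/8 or a BLAKE2b-based G.
    return hashlib.blake2b(b"|".join(parts), digest_size=32).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_mhf(password, salt, n_blocks, passes, data_dependent):
    """Return (tag, trace); trace lists the block indices read, in order."""
    # Fill phase: all n_blocks blocks must stay resident (the memory cost).
    mem = [_h(b"init", salt, password)]
    for _ in range(1, n_blocks):
        mem.append(_h(mem[-1]))
    x, trace = mem[-1], []
    # Mix phase: passes * n_blocks reads (the time cost), tuned separately
    # from n_blocks, as the answer's third bullet describes for Argon2.
    for step in range(passes * n_blocks):
        if data_dependent:
            # Index comes from secret-derived state, so the access pattern
            # (and therefore cache behaviour) depends on the password.
            j = int.from_bytes(x[:8], "little") % n_blocks
        else:
            # Index comes from salt and step counter only: same pattern
            # for every password.
            pub = _h(b"idx", salt, step.to_bytes(8, "little"))
            j = int.from_bytes(pub[:8], "little") % n_blocks
        trace.append(j)
        x = _h(_xor(x, mem[j]))
        mem[j] = x  # overwrite so later reads depend on earlier mixing
    return x, trace

def compare_traces(data_dependent, n_blocks=64, passes=2):
    """True if two different passwords produce the same access pattern."""
    salt = b"constructed-salt"  # constructed sample input
    _, t1 = toy_mhf(b"hunter2", salt, n_blocks, passes, data_dependent)
    _, t2 = toy_mhf(b"correct horse", salt, n_blocks, passes, data_dependent)
    return t1 == t2

if __name__ == "__main__":
    print("secret-dependent addressing, same trace:", compare_traces(True))
    print("public-input addressing, same trace:   ", compare_traces(False))
```

An observer who can see which blocks are touched learns something about the password only in the first mode; in both modes the output tag still depends on the password.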