Cryptanalytic time–memory trade-off for password hashing schemes

  • Regular Contribution
International Journal of Information Security

Abstract

The increasing threat of password leakage from compromised password hashes demands a resource-consuming password-hashing algorithm to prevent precomputation of the password hashes. A class of password-hashing schemes (PHS) provides such a defense by making the design memory hard. This ensures that any reduction in the memory consumed by the algorithm leads to an exponential increase in its runtime. The security offered by a memory-hard PHS design is measured in terms of its time–memory trade-off (TMTO) defense. Another important measure of a good PHS is its efficiency in utilizing all the available memory as quickly as possible, and its fast running time when more than the required memory is available. In this work, we present a simple technique to analyze TMTO for a password-hashing scheme that can be represented as a directed acyclic graph (DAG). The nodes of the DAG correspond to the storage required by the algorithm and the edges correspond to the flow of the execution. Our proposed technique uses the DAG representation of the algorithm to provide expected runtimes at varied levels of available storage. We show the effectiveness of our proposed technique by applying it to three designs from the “Password Hashing Competition” (PHC): Argon2-Version 1.2.1 (the PHC winner), Catena-Version 3.2 and Rig-Version 2. Our analysis shows that Argon2i does not provide the expected memory hardness, which is also highlighted in a recent work by Corrigan-Gibbs et al. We analyze these PHS for performance under various settings of time and memory complexities. Our experimental results show that (i) simple DAGs for PHS are efficient but not memory hard, (ii) complex DAGs for PHS are memory hard but less efficient, and (iii) a combination of two simple graphs in the representation of a DAG for PHS achieves both memory hardness and efficiency.
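To make the DAG view of a TMTO concrete, the following added example (not code from the paper, and not the authors' analysis technique) counts the hash calls needed to evaluate a toy DAG when only every q-th node is kept in memory. The graph construction, the `phi_random` back-edge function and the "store every q-th node" strategy are assumptions chosen for illustration; they do not reproduce the indexing of Argon2, Catena or Rig.

```python
import hashlib

def phi_random(i):
    """Constructed data-independent back-edge: pseudo-random index in [0, i-2]."""
    h = hashlib.sha256(i.to_bytes(8, "big")).digest()
    return int.from_bytes(h[:8], "big") % (i - 1)

def build_dag(n, back_edge=None):
    """parents[i] lists the nodes needed to compute node i (node 0 is the input)."""
    parents = [[]]
    for i in range(1, n):
        p = [i - 1]                      # sequential edge
        if back_edge is not None and i >= 2:
            p.append(back_edge(i))       # extra edge to an earlier node
        parents.append(p)
    return parents

def tmto_cost(parents, q):
    """Hash calls to reach the last node when only every q-th node is stored.

    recompute[j] is the number of calls needed to rebuild node j from stored
    nodes (0 if j is stored). Parents always have lower indices, so one
    forward pass fills the table.
    """
    recompute = [0] * len(parents)
    total = 0
    for i in range(1, len(parents)):
        # Node i-1 was just produced and is still in hand; any other parent
        # may have been discarded and has to be rebuilt first.
        missing = sum(recompute[p] for p in parents[i] if p != i - 1)
        total += 1 + missing
        if i % q != 0:
            # Discarded node: rebuilding it later means rebuilding its parents.
            recompute[i] = 1 + sum(recompute[p] for p in parents[i])
    return total

def penalty(parents, q):
    """Runtime with 1/q of the memory, relative to the full-memory runtime."""
    return tmto_cost(parents, q) / tmto_cost(parents, 1)

if __name__ == "__main__":
    chain = build_dag(256)               # simple DAG: sequential edges only
    rnd = build_dag(256, phi_random)     # DAG with pseudo-random back-edges
    for q in (1, 2, 4, 8):
        print(f"q={q}: chain x{penalty(chain, q):.1f}, "
              f"back-edge graph x{penalty(rnd, q):.1f}")
```

The pure chain shows no penalty at any q, which is the "efficient but not memory hard" case; the graph with back-edges pays a growing recomputation cost as stored nodes are dropped.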

References

  1. Saltzer, J.H.: Protection and the control of information sharing in MULTICS. In: Schorr, H., Perlis, A.J., Weiner, P., Frazer, W.D. (eds.) Proceedings of the Fourth Symposium on Operating System Principles, SOSP 1973, Thomas J. Watson, Research Center, Yorktown Heights, New York, USA, October 15–17, 1973. ACM (1973)

  2. Morris, R. and Thomson, K., Password security: A case history, Communications of the ACM, 22 (1979), pp. 594–597. https://rist.tech.cornell.edu/6431papers/MorrisThompson1979.pdf

  3. Password Hashing Competition (PHC) (2014). https://password-hashing.net/#phc

  4. Percival, C.: Stronger key derivation via sequential memory-hard functions. In: BSDCon (2009). https://www.tarsnap.com/scrypt/scrypt.pdf

  5. Forler, C., Lucks, S., Wenzel, J.: Catena: a memory-consuming password scrambler. IACR Cryptol. ePrint Arch. 2013, 525 (2013)

  6. Biryukov, A., Dinu, D., Khovratovich, D.: Argon2: the memory-hard function for password hashing and other applications. Submission to Password Hashing Competition (PHC) (2015). https://password-hashing.net/argon2-specs.pdf

  7. Forler, C., Lucks, S., Wenzel, J.: The Catena Password-Scrambling Framework. Submission to PHC (2015). https://www.uni-weimar.de/fileadmin/user/fak/medien/professuren/Mediensicherheit/Research/Publications/catena-v3.3.pdf

  8. Chang, D., Jati, A., Mishra, S., Sanadhya, S.K.: Rig: a simple, secure and flexible design for password hashing. In: Lin, D., Yung, M., Zhou, J. (eds.) Information Security and Cryptology—10th International Conference, Inscrypt 2014, Beijing, China, December 13–15, 2014, Revised Selected Papers, Lecture Notes in Computer Science, vol. 8957. Springer, pp. 361–381 (2014)

  9. Hellman, Martin E.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)

  10. Oechslin, P.: Making a faster cryptanalytic time-memory trade-off. In: Boneh, D. (ed.) Advances in Cryptology—CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 2003, Proceedings, Lecture Notes in Computer Science, vol. 2729. Springer, pp. 617–630 (2003)

  11. Biryukov, A., Khovratovich, D.: Tradeoff cryptanalysis of memory-hard functions. In: Iwata, T., Cheon, J.H. (eds.) Advances in Cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29–December 3, 2015, Proceedings, Part II, Lecture Notes in Computer Science, vol. 9453. Springer, pp. 633–657 (2015)

  12. Corrigan-Gibbs, H., Boneh, D., Schechter, S.E.: Balloon Hashing: Provably Space-Hard Hash Functions with Data-Independent Access Patterns. IACR Cryptol. ePrint Arch. 2016, 27 (2016)

  13. Aumasson, J., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: simpler, smaller, fast as MD5. IACR Cryptol. ePrint Arch. 2013, 322 (2013)

  14. Biryukov, A., Dinu, D., Khovratovich, D.: Argon2 for password hashing and cryptocurrencies (2016). https://datatracker.ietf.org/meeting/96/materials/slides-96-cfrg-1/

  15. Bradley, W.F.: Superconcentration on a pair of butterflies (2014). arXiv preprint arXiv:1401.7263

  16. Lengauer, T., Tarjan, R.E.: Upper and lower bounds on time-space tradeoffs. In: Fischer, M.J., DeMillo, R.A., Lynch, N.A., Burkhard, W.A., Aho, A.V. (eds.) Proceedings of the 11th Annual ACM Symposium on Theory of Computing, April 30–May 2, 1979, Atlanta, Georgia, USA. ACM, pp. 262–277 (1979)

  17. Aumasson, J.P., Neves S., Wilcox-O’Hearn Z., Winnerlein C.: BLAKE2: Simpler, Smaller, Fast as MD5. In: Jacobson M., Locasto M., Mohassel P., Safavi-Naini R. (eds) Applied Cryptography and Network Security. ACNS 2013. Lecture Notes in Computer Science, vol 7954, pp. 119–135. Springer, Berlin (2013)

  18. Cooley, James W., Tukey, John W.: An algorithm for the machine calculation of complex Fourier series. Math. Comput. 19(90), 297–301 (1965)

  19. Biryukov, A., Dinu, D., Khovratovich, D., Josefsson, S.: The memory-hard Argon2 password hash and proof-of-work function. IRTF Crypto Forum Research Group Active Internet-Draft (cfrg RG): draft-irtf-cfrg-argon2-00 (2016). https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/

  20. Biryukov, A., Dinu, D., Khovratovich, D.: Argon2: the memory-hard function for password hashing and other applications, Version 1.3 (2016). https://www.cryptolux.org/images/0/0d/Argon2.pdf

  21. Memory-hard scheme Argon2 (2016). https://github.com/khovratovich/Argon2 (162 commits)

  22. Reference Implementation of Catena, a memory-consuming password scrambler (2015). https://github.com/medsec/catena (75 commits)

  23. Reference and Optimized implementations of Rig, A simple, secure and flexible design for Password Hashing (2016). https://github.com/arpanj/Rig

  24. A flexible implementation of Colin Percival’s scrypt (2016). https://github.com/floodyberry/scrypt-jane (58 commits)

Corresponding author

Correspondence to Sweta Mishra.

Electronic supplementary material

Below is the link to the electronic supplementary material.

Supplementary material 1 (pdf 199 KB)

Supplementary material 2 (pdf 262 KB)

About this article

Cite this article

Chang, D., Jati, A., Mishra, S. et al. Cryptanalytic time–memory trade-off for password hashing schemes. Int. J. Inf. Secur. 18, 163–180 (2019). https://doi.org/10.1007/s10207-018-0405-5

  • DOI: https://doi.org/10.1007/s10207-018-0405-5
