Abstract
Increasing threat of password leakage from compromised password hashes demands a resource consuming password-hashing algorithm to prevent the precomputation of the password hashes. A class of password-hashing schemes (PHS) provides such a defense by making the design Memory hard. This ensures that any reduction in the memory consumed by the algorithm leads to an exponential increase in its runtime. The security offered by a memory-hard PHS design is measured in terms of its time–memory trade-off (TMTO) defense. Another important measure for a good PHS is its efficiency in utilizing all the available memory as quickly as possible, and fast running time when more than the required memory is available. In this work, we present a simple technique to analyze TMTO for a password-hashing scheme which can be represented as a directed acyclic graph (DAG). The nodes of the DAG correspond to the storage required by the algorithm and the edges correspond to the flow of the execution. Our proposed technique provides expected runtimes at varied levels of available storage utilizing the DAG representation of the algorithm. We show the effectiveness of our proposed technique by applying it on three designs from the “Password Hashing Competition" (PHC)—Argon2-Version 1.2.1 (the PHC winner), Catena-Version 3.2 and Rig-Version 2. Our analysis shows that Argon2i is not providing expected memory hardness which is also highlighted in a recent work by Corrigan-Gibbs et al. We analyze these PHS for performance under various settings of time and memory complexities. Our experimental results show (i) simple DAGs for PHS are efficient but not memory hard, (ii) complex DAGs for PHS are memory hard but less efficient, and (iii) combination of two simple graphs in the representation of a DAG for PHS achieves both memory hardness and efficiency.
Similar content being viewed by others
References
Saltzer, J.H.: Protection and the control of information sharing in MULTICS. In: Schorr, H., Perlis, A.J., Weiner, P., Frazer, W.D. (eds.) Proceedings of the Fourth Symposium on Operating System Principles, SOSP 1973, Thomas J. Watson, Research Center, Yorktown Heights, New York, USA, October 15–17, 1973. ACM (1973)
Morris, R. and Thomson, K., Password security: A case history, Communications of the ACM, 22 (1979), pp. 594–597. https://rist.tech.cornell.edu/6431papers/MorrisThompson1979.pdf
Password Hashing Competition (PHC) (2014). https://password-hashing.net/#phc
Percival, C.: Stronger key derivation via sequential memory-hard functions. In: BSDCon (2009). https://www.tarsnap.com/scrypt/scrypt.pdf
Forler, C., Lucks, S., Wenzel, J.: Catena: a memory-consuming password scrambler. IACR Cryptol. ePrint Arch. 2013, 525 (2013)
Biryukov, A., Dinu, D., Khovratovich, D.: Argon2: the memory-hard function for password hashing and other applications . Submission to Password Hashing Competition (PHC) (2015). https://password-hashing.net/argon2-specs.pdf
Forler, C., Lucks, S., Wenzel, J.: The Catena Password-Scrambling Framework. Submission to PHC (2015). https://www.uni-weimar.de/fileadmin/user/fak/medien/professuren/Mediensicherheit/Research/Publications/catena-v3.3.pdf
Chang, D., Jati, A., Mishra, S., Sanadhya, S.K.: Rig: a simple, secure and flexible design for password hashing. In: Lin, D., Yung, M., Zhou, J. (eds.) Information Security and Cryptology—10th International Conference, Inscrypt 2014, Beijing, China, December 13–15, 2014, Revised Selected Papers, Lecture Notes in Computer Science, vol. 8957. Springer, pp. 361–381 (2014)
Hellman, Martin E.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)
Oechslin, P.: Making a faster cryptanalytic time-memory trade-off. In: Boneh, D. (ed.) Advances in Cryptology—CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 2003, Proceedings, Lecture Notes in Computer Science, vol. 2729. Springer, pp. 617–630 (2003)
Biryukov, A., Khovratovich, D.: Tradeoff cryptanalysis of memory-hard functions. In: Iwata, T., Cheon, J.H. (eds.) Advances in Cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29–December 3, 2015, Proceedings, Part II, Lecture Notes in Computer Science, vol. 9453. Springer, pp. 633–657 (2015)
Corrigan-Gibbs, H., Boneh, D., Schechter, S.E.: Balloon Hashing: Provably Space-Hard Hash Functions with Data-Independent Access Patterns. IACR Cryptol. ePrint Arch. 2016, 27 (2016)
Aumasson, J., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: simpler, smaller, fast as MD5. IACR Cryptol. ePrint Arch. 2013, 322 (2013)
Biryukov, A., Dinu, D., Khovratovich, D.: Argon2 for password hashing and cryptocurrencies (2016). https://datatracker.ietf.org/meeting/96/materials/slides-96-cfrg-1/
Bradley, W.F.: Superconcentration on a pair of butterflies (2014). arXiv preprint arXiv:1401.7263
Lengauer, T., Tarjan, R.E.: Upper and lower bounds on time-space tradeoffs. In: Fischer, M.J., DeMillo, R.A., Lynch, N.A., Burkhard, W.A., Aho, A.V. (eds.) Proceedings of the 11th Annual ACM Symposium on Theory of Computing, April 30–May 2, 1979, Atlanta, Georgia, USA. ACM, pp. 262–277 (1979)
Aumasson, J.P., Neves S., Wilcox-O’Hearn Z., Winnerlein C.: BLAKE2: Simpler, Smaller, Fast as MD5. In: Jacobson M., Locasto M., Mohassel P., Safavi-Naini R. (eds) Applied Cryptography and Network Security. ACNS 2013. Lecture Notes in Computer Science, vol 7954, pp. 119–135. Springer, Berlin (2013)
Cooley, James W., Tukey, John W.: An algorithm for the machine calculation of complex Fourier series. Math. Comput. 19(90), 297–301 (1965)
Biryukov, A., Dinu, D., Khovratovich, D., Josefsson, S.: The memory-hard Argon2 password hash and proof-of-work function. IRTF Crypto Forum Research Group Active Internet-Draft (cfrg RG): draft-irtf-cfrg-argon2-00 (2016). https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/
Biryukov, A., Dinu, D., Khovratovich, D.: Argon2: the memory-hard function for password hashing and other applications, Version 1.3 (2016). https://www.cryptolux.org/images/0/0d/Argon2.pdf
Memory-hard scheme Argon2 (2016). https://github.com/khovratovich/Argon2 (162 commits)
Reference Implementation of Catena, a memory-consuming password scrambler (2015). https://github.com/medsec/catena (75 commits)
Reference and Optimized implementations of Rig, A simple, secure and flexible design for Password Hashing (2016). https://github.com/arpanj/Rig
A flexible implementation of Colin Percival’s scrypt (2016). https://github.com/floodyberry/scrypt-jane (58 commits)
Author information
Authors and Affiliations
Corresponding author
Electronic supplementary material
Below is the link to the electronic supplementary material.
Rights and permissions
About this article
Cite this article
Chang, D., Jati, A., Mishra, S. et al. Cryptanalytic time–memory trade-off for password hashing schemes. Int. J. Inf. Secur. 18, 163–180 (2019). https://doi.org/10.1007/s10207-018-0405-5
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10207-018-0405-5