# Catena Variants

## Abstract

Catena is a password-scrambling framework characterized by its high flexibility. The user (defender) can simply adapt the underlying (cryptographic) primitives, the underlying memory-hard function, and the time (\(\lambda\)) and memory (garlic) parameters, to render it suitable for a wide range of applications. This enables Catena to maximize the defense against specific adversaries, their capabilities and goals, and to cope with a high variation of hardware and constraints on the side of the defender. Catena has obtained special recognition from the Password Hashing Competition (PHC), alongside the winner Argon2.

In addition to the default instantiations presented in the PHC submission, we want to use this document to introduce further variants of Catena, or rather, further instantiations of the Catena framework. Our instantiations use different hash functions, and we evaluate their influence on the computational time and the throughput. Next, we discuss how instantiations of the memory-hard graph-based algorithm influence the computational time and resistance against low-memory attacks. Furthermore, we introduce possible extensions of Catena accommodating strong resistance against GPU- and ASIC-based adversaries, e.g., by providing sequential memory-hardness due to a data-dependent indexing function. At the end, we combine particular instantiations discussed so far to construct full-fledged variants of Catena for certain goals. Hence, this document can be seen as an additional guide to the PHC submission of Catena when considering its usage under certain restrictions.

## Keywords

Catena, Instantiations, Password hashing competition

## Notes

### Acknowledgement

We would like to thank S. Schmidt and H. Schilling for their work on the reference implementation of Catena as well as on the tool Catena-Variants, E. List for his helpful comments and fruitful discussions, and H. Schilling for his analysis of the underlying graph-based structures. Furthermore, we would like to thank the reviewers of Passwords 2015 for their helpful comments.
