Catena: A Memory-Consuming Password-Scrambling Framework

It is common wisdom that servers should store a one-way hash of their clients' passwords rather than storing the passwords in the clear. In this paper we introduce a set of functional properties a key-derivation function (password scrambler) should have. Unfortunately, none of the existing algorithms satisfies our requirements, and therefore we introduce a novel and provably secure password-scrambling framework (PSF) called Catena. Furthermore, we introduce two instantiations of Catena based on memory-consuming one-way functions. Thus, Catena excellently thwarts massively parallel attacks on cheap memory-constrained hardware, such as recent graphics processing units (GPUs). Additionally, we show that Catena is also a good key-derivation function, since – in the random oracle model – it is indistinguishable from a random function. Furthermore, the memory-access pattern of both instantiations is password-independent, and therefore Catena provides resistance against cache-timing attacks. Moreover, Catena is the first PSF which naturally supports (1) client-independent updates (the server can increase the security parameters and update the password hash without user interaction or knowing the password), (2) an optional server relief protocol (saving the server's resources at the cost of the client), and (3) a variant, Catena-KG, for secure key derivation (to securely generate many cryptographic keys of arbitrary lengths such that compromising some keys does not help to break others). We denote a password scrambler as a PSF with a certain instantiation.
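The two properties a practitioner most wants to see in working form are the client-independent update and the password-independent memory-access pattern. The following is an added, deliberately simplified illustration written for this page; it is not Catena's actual algorithm and not code from the paper's authors. It assumes SHA-512 as the underlying hash, a single cost parameter `g` (borrowing the paper's "garlic" idea that each level's output feeds the next level), and a toy memory layer `flap` that fills `2**g` blocks sequentially and then consumes them in bit-reversed order; all of these names and choices are assumptions. The point it demonstrates is structural: because the stored hash is exactly the intermediate state after level `g`, the server can continue the chain to a higher `g` without the password, and the block indices touched depend only on `g`, never on the password.

```python
import hashlib
from typing import List, Optional

# ASSUMPTION: SHA-512 as the underlying one-way function for this toy.
def H(*parts: bytes) -> bytes:
    h = hashlib.sha512()
    for p in parts:
        h.update(p)
    return h.digest()

def bit_reverse(i: int, g: int) -> int:
    """Reverse the low g bits of i (the index permutation of the toy layer)."""
    return int(format(i, f"0{g}b")[::-1], 2) if g > 0 else 0

def flap(g: int, x: bytes, trace: Optional[List[int]] = None) -> bytes:
    """One memory-consuming level (assumed toy layer, not Catena's graph):
    write 2**g blocks sequentially, then read them in bit-reversed order.
    The read index j depends only on (g, i), so the access pattern is
    password-independent; 'trace' records the indices for demonstration."""
    n = 1 << g
    v = [H(x)]
    for i in range(1, n):
        v.append(H(v[i - 1]))
    r = H(v[0], v[bit_reverse(0, g)])
    for i in range(1, n):
        j = bit_reverse(i, g)
        if trace is not None:
            trace.append(j)
        r = H(r, v[j])
    return r

def level_step(g: int, x: bytes, trace: Optional[List[int]] = None) -> bytes:
    """Run level g and bind the level number into the state."""
    return H(g.to_bytes(2, "big"), flap(g, x, trace))

def scramble(pwd: bytes, salt: bytes, g_low: int, g_high: int) -> bytes:
    """Initial hashing at registration: levels g_low..g_high in sequence."""
    x = H(pwd, salt)
    for g in range(g_low, g_high + 1):
        x = level_step(g, x)
    return x

def client_independent_update(stored: bytes, g_old: int, g_new: int) -> bytes:
    """Server-side hardening: continue the chain from the stored hash.
    Needs neither the password nor the client, only the old/new g."""
    x = stored
    for g in range(g_old + 1, g_new + 1):
        x = level_step(g, x)
    return x

def verify(pwd: bytes, salt: bytes, g_low: int, g_high: int, stored: bytes) -> bool:
    """Constant-time comparison of a fresh scramble against the stored hash."""
    import hmac
    return hmac.compare_digest(scramble(pwd, salt, g_low, g_high), stored)

def access_trace(pwd: bytes, salt: bytes, g: int) -> List[int]:
    """Return the sequence of block indices read at level g for this password."""
    trace: List[int] = []
    level_step(g, H(pwd, salt), trace)
    return trace

if __name__ == "__main__":
    # Constructed sample values; a real deployment draws the salt at random.
    salt = b"constructed-salt-0001"
    stored = scramble(b"correct horse", salt, 3, 5)
    upgraded = client_independent_update(stored, 5, 7)       # server only
    print(verify(b"correct horse", salt, 3, 7, upgraded))    # True
    print(access_trace(b"a", salt, 4) == access_trace(b"b", salt, 4))  # True
```

`client_independent_update` is the whole point of storing the final chain state rather than a hash of it: the server can raise the cost parameter during a maintenance window, and the next login from the client simply computes the longer chain. The trace comparison shows why a cache-timing observer learns nothing about the password from which blocks are read: the index sequence is a fixed function of `g`.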
