Cryptanalytic time–memory trade-off for password hashing schemes

The increasing threat of password leakage from compromised password hashes demands a resource-consuming password-hashing algorithm to prevent the precomputation of password hashes. A class of password-hashing schemes (PHS) provides such a defense by making the design memory hard. This ensures that any reduction in the memory consumed by the algorithm leads to an exponential increase in its runtime. The security offered by a memory-hard PHS design is measured in terms of its time–memory trade-off (TMTO) defense. Another important measure of a good PHS is its efficiency: it should fill all the available memory as quickly as possible, and it should run fast when more than the required memory is available. In this work, we present a simple technique to analyze TMTO for a password-hashing scheme that can be represented as a directed acyclic graph (DAG). The nodes of the DAG correspond to the storage required by the algorithm and the edges correspond to the flow of execution. Using the DAG representation of the algorithm, our proposed technique provides expected runtimes at varied levels of available storage. We show the effectiveness of our proposed technique by applying it to three designs from the "Password Hashing Competition" (PHC): Argon2-Version 1.2.1 (the PHC winner), Catena-Version 3.2 and Rig-Version 2. Our analysis shows that Argon2i does not provide the expected memory hardness, which is also highlighted in recent work by Corrigan-Gibbs et al. We analyze these PHS for performance under various settings of time and memory complexity. Our experimental results show that (i) simple DAGs for PHS are efficient but not memory hard, (ii) complex DAGs for PHS are memory hard but less efficient, and (iii) a combination of two simple graphs in the DAG representation of a PHS achieves both memory hardness and efficiency.
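The DAG view described in the abstract can be illustrated with a small cost model. This is an added example, not the paper's technique or code: the two graphs, the "keep every q-th node" storage strategy, naive recomputation without caching, and all function names are assumptions made for the illustration.

```python
import hashlib

def chain_graph(n):
    """Simple DAG: node i depends only on node i-1."""
    return [[] if i == 0 else [i - 1] for i in range(n)]

def indexed_graph(n):
    """Node i depends on i-1 and on one earlier node picked by a
    password-independent index (constructed here from SHA-256 of i)."""
    g = [[]]
    for i in range(1, n):
        h = hashlib.sha256(i.to_bytes(4, "big")).digest()
        g.append(sorted({i - 1, int.from_bytes(h[:4], "big") % i}))
    return g

def tmto_cost(parents, q):
    """Node evaluations needed to reach the last node when only every
    q-th node is kept in memory (plus the node just computed).
    Missing parents are rebuilt from stored nodes with no caching, so
    this is the cost of one naive strategy, not a lower bound."""
    recompute = []  # recompute[j]: evaluations to rebuild node j
    total = 0
    for i, ps in enumerate(parents):
        kept = i % q == 0
        recompute.append(0 if kept else 1 + sum(recompute[p] for p in ps))
        # node i-1 is still in hand; every other missing parent is rebuilt
        total += 1 + sum(recompute[p] for p in ps if p != i - 1)
    return total

def penalty(parents, q):
    """Runtime relative to the full-memory run (n evaluations)."""
    return tmto_cost(parents, q) / len(parents)

if __name__ == "__main__":
    n = 256
    for name, g in (("chain", chain_graph(n)), ("indexed", indexed_graph(n))):
        for q in (1, 2, 4, 8):
            print(f"{name:8s} memory=1/{q}  time penalty x{penalty(g, q):.1f}")
```

Under this model the chain costs the same at every memory level, while the graph with a second, earlier parent pays a growing recomputation penalty as stored nodes are dropped.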
