Memory-Demanding Password Scrambling

Most common password scramblers hinder password-guessing attacks by "key stretching", e.g., by iterating a cryptographic hash function many times. With the increasing availability of cheap and massively parallel off-the-shelf hardware, iterating a hash function becomes less and less useful. To defend against attacks based on such hardware, one can exploit its limitation regarding the amount of fast memory available per core. The first password scrambler to take this into account was scrypt. In this paper we mount a cache-timing attack on scrypt by exploiting its password-dependent memory-access pattern. Furthermore, we show that it is possible to apply an efficient password filter for scrypt based on a malicious garbage collector. As a remedy, we present a novel password scrambler called Catena which provides both a password-independent memory-access pattern and resistance against garbage-collector attacks. Moreover, Catena instantiated with the (G,λ)-DBH operation introduced here satisfies a certain time-memory tradeoff called λ-memory-hardness, i.e., using only 1/b of the amount of memory, the time necessary to compute the password hash is increased by a factor of b^λ. Finally, we introduce a more efficient instantiation of Catena based on a bit-reversal graph.
