Abstract:
A cryptanalytic technique known as time-memory tradeoff (TMTO) was proposed by Hellman for finding the secret key of a block cipher. This technique allows sharing the effort of key search
between the two extremes of exhaustively enumerating all keys versus listing all possible ciphertext
mappings produced by a given plaintext (i.e. table lookups). The TMTO technique has also been used
as an effective cryptanalytic approach for password hashing schemes (PHS). Increasing threat of password leakage from compromised password hashes demands a resource consuming algorithm to prevent
the precomputation of the password hashes. A class of password hashing designs provide such a defense
against TMTO attack by ensuring that any reduction in the memory leads to exponential increase
in runtime. These are called Memory hard designs. However, it is generally difficult to evaluate the
“memory hardness” of a given PHS design.
In this work, we present a simple technique to analyze TMTO for any password hashing schemes which
can be represented as a directed acyclic graph (DAG). The nodes of the DAG correspond to the storage required by the algorithm and the edges correspond to the flow of the execution. Our proposed
technique provides expected run-times at varied levels of available storage for the DAG. Although our
technique is generic, we show its efficacy by applying it on three designs from the “Password Hashing
Competition” (PHC) - Argon2i (the PHC winner), Catena and Rig. Our analysis shows that Argon2i
fails to maintain the claimed memory hardness. In a recent work Corrigan-Gibbs et al. indeed showed an
attack highlighting the weak memory hardening of Argon2i. We also analyze these PHS for performance
under various settings of time and memory complexities.
