dc.description.abstract |
Increasing threat of password leakage from compromised password hashes demands a resource consuming password-hashing
algorithm to prevent the precomputation of the password hashes. A class of password-hashing schemes (PHS) provides such
a defense by making the design Memory hard. This ensures that any reduction in the memory consumed by the algorithm
leads to an exponential increase in its runtime. The security offered by a memory-hard PHS design is measured in terms of
its time–memory trade-off (TMTO) defense. Another important measure for a good PHS is its efficiency in utilizing all the
available memory as quickly as possible, and fast running time when more than the required memory is available. In this work,
we present a simple technique to analyze TMTO for a password-hashing scheme which can be represented as a directed acyclic
graph (DAG). The nodes of the DAG correspond to the storage required by the algorithm and the edges correspond to the flow
of the execution. Our proposed technique provides expected runtimes at varied levels of available storage utilizing the DAG
representation of the algorithm. We show the effectiveness of our proposed technique by applying it on three designs from the
“Password Hashing Competition" (PHC)—Argon2-Version 1.2.1 (the PHC winner), Catena-Version 3.2 and Rig-Version 2.
Our analysis shows that Argon2i is not providing expected memory hardness which is also highlighted in a recent work
by Corrigan-Gibbs et al. We analyze these PHS for performance under various settings of time and memory complexities.
Our experimental results show (i) simple DAGs for PHS are efficient but not memory hard, (ii) complex DAGs for PHS are
memory hard but less efficient, and (iii) combination of two simple graphs in the representation of a DAG for PHS achieves
both memory hardness and efficiency |
en_US |