The Candidates for Password Hashing Competition - JP Aumasson
- 1 Intro
- 2 Submission requirements: specs, reference code, test vectors • salt, time and memory parameters • IP statement: no patent, royalty-free
- 3 AntCrypt (Dürmuth, Zimmermann) • uses SHA-512 • floating-point arithmetic (pros and cons) • separation of crypto-hardness and compute-hardness • clear and well-motivated design
- 4 Argon (Biryukov, Khovratovich) • uses AES-128 (thus AES-NI on defenders' CPUs) • up to 32x parallelism • optional secret key
- 5 battcrypt (Thomas) • "Blowfish All The Things", plus SHA-512 • suited for PHP (has a native Blowfish)
- 6 Catena (Forler, Lucks, Wenzel) • uses BLAKE2b (thus SIMD on defenders' CPUs) • graph-based structure • optional secret key
- 7 Centrifuge (Alvarez) • uses AES-256-CFB and SHA-512 • benefits from AES-NI on defenders' CPUs • password- and salt-dependent "S-box" • RC4-like pseudorandom byte swap
- 8 Gambit (Pinter) • uses Keccak[1600] (sponge function) • optional local ROM table • customizable word-to-word transform
- 9 Lanarea (Mubarak) • uses BLAKE2b • "heavily serial operations" (no parallelism) • "nonuniform section timings" (no pipelining) • supports hash upgrade
- 10 Lyra2 (Simplicio Jr, Almeida, Andrade, dos Santos, Barreto) • uses the BLAKE2b permutation in a duplex sponge • 2-dimensional memory parameter • "basil" personalization string • thorough security analysis
- 11 uses bignum arithmetic (modular squarings) • uses HMAC_DRBG • supports delegation to untrusted systems • supports password escrow and hash upgrade
- 12 Omega Crypt (Enright) • uses ChaCha and CubeHash (SIMD-friendly) • data-dependent branching... yet with timing-attack mitigation
- 13 uses SHA-512 • 2-dimensional time cost: sequential and parallel • constant (low) memory • minimalistic and compact design
- 14 PolyPassHash (Cappos, Arias) • uses AES, SHA-256 and Shamir secret sharing (SSS) • a threshold of correct passwords is needed to unlock the DB • only appropriate when there are many users
- 15 POMELO (Wu) • no external primitive (fully original algorithm) • simple FSR-like update functions • partial mitigation of cache-timing attacks • compact, self-contained implementation
- 16 Pufferfish (Gosney) • uses Blowfish and HMAC-SHA-512 • tweaked Blowfish (password-dependent S-boxes, etc.) • a modern bcrypt (64-bit, variable memory) • JtR patches available
- 17 RIG (Chang, Jati, Mishra, Sanadhya) • uses BLAKE2b • bit-reversal permutation • mitigation of cache-timing leaks • supports server relief and hash upgrade
- 18 Tortuga (Sch) • uses Turtle (Blaze, 1996) as the permutation • keyed sponge structure (absorb/squeeze) • original and simple construction
- 19 Yarn (Capun) • uses the AES round function and BLAKE2b • parameterizable parallelism • 3 "time" parameters for distinct resources • simple and compact design
- 20 yescrypt (Peslyak a.k.a. Solar Designer) • uses scrypt with optional tweaks (via bit flags) • optional: local ROM, Salsa20 replacement • more parallelism options (thread- and instruction-level) • supports serve…
- 21 Evaluation criteria: security (pseudorandomness, etc.) • efficiency ratio (e.g. CPU vs GPU) • simplicity (#LOCs, dependencies, etc.) • extra functionalities • target application, etc.
- 22 What is needed: reviews of the implementations • third-party implementations (to check consistency with the specs, etc.) • cryptanalysis (memory bypass, side-channel attacks, etc.) • any comment or suggestion to i…
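Item 11 lists a candidate built on bignum modular squarings that supports hash upgrade and delegation to untrusted systems. The following is an added toy example (not the talk's material and not any candidate's specification) showing why repeated squaring modulo n gives those two properties for free: raising a stored hash from work factor w1 to w2 is just w2-w1 further squarings, with no password needed, and squaring commutes with multiplication, so an untrusted helper can do the squarings on a blinded value. The modulus, the SHA-512 pre-hash and the tiny work factors are assumptions chosen to keep the example self-contained.

```python
import hashlib
import secrets

# Assumption: a fixed modulus built from two Mersenne primes so the example
# runs offline. A real deployment would use a freshly generated RSA-sized
# modulus whose factorisation is kept secret (or destroyed).
P1 = 2**127 - 1
P2 = 2**89 - 1
N = P1 * P2


def prehash(salt: bytes, password: str) -> int:
    """Map salt||password into Z_n (toy: SHA-512, no stretching yet)."""
    h = hashlib.sha512(salt + password.encode()).digest()
    x = int.from_bytes(h, "big") % N
    return x if x > 1 else 2  # 0 and 1 are fixed points of squaring (toy guard)


def squarings(x: int, work: int) -> int:
    """Compute x^(2^work) mod n with `work` strictly sequential squarings."""
    for _ in range(work):
        x = x * x % N
    return x


def hash_password(salt: bytes, password: str, work: int) -> int:
    """Full toy hash: pre-hash, then `work` modular squarings."""
    return squarings(prehash(salt, password), work)


def upgrade(stored: int, old_work: int, new_work: int) -> int:
    """Hash upgrade: raise the work factor of an existing hash without the
    password, because x^(2^w2) = (x^(2^w1))^(2^(w2-w1))."""
    assert new_work >= old_work, "work factor can only be increased"
    return squarings(stored, new_work - old_work)


def delegate(x: int, work: int, untrusted) -> int:
    """Delegation: let an untrusted helper perform the squarings on a blinded
    input. (x*r)^(2^w) = x^(2^w) * r^(2^w) mod n, so the client unblinds by
    dividing out r^(2^w). The helper only ever sees x*r mod n.

    Assumption: the pair (r, r^(2^w)) is prepared by the client ahead of
    time; this toy computes it inline and uses a fresh r per call."""
    r = secrets.randbelow(N - 2) + 2
    r_pow = squarings(r, work)                 # client-side precomputation
    blinded_result = untrusted(x * r % N, work)  # helper does the heavy work
    return blinded_result * pow(r_pow, -1, N) % N


if __name__ == "__main__":
    salt = b"\x01" * 16                         # constructed sample salt
    h3 = hash_password(salt, "correct horse", 3)
    h10 = hash_password(salt, "correct horse", 10)
    print("upgrade matches recomputation:", upgrade(h3, 3, 10) == h10)
    print("delegated result matches:",
          delegate(prehash(salt, "correct horse"), 10, squarings) == h10)
```

The `untrusted` argument stands in for a remote helper; passing `squarings` itself shows the unblinding is exact. Note what the toy does not give you: the helper can still return garbage, so a real protocol must bind the result to an authenticated check, and the blinding hides `x` only if `r` is uniform in Z_n and never reused.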
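Item 14 describes PolyPassHash's distinguishing idea: a threshold of correct passwords is needed before the database can be used at all. The following is an added toy model (not the talk's material and not the PolyPassHash specification) of that threshold mechanism with Shamir secret sharing: each account's salted-password hash is XORed with a share of a server secret, so individual entries are useless until T correct passwords recover T shares, after which the reconstructed polynomial lets the server check every other account. The 127-bit prime field, the unstretched SHA-256 mask and the secret-check hash are assumptions made for the example.

```python
import hashlib
import secrets

# Assumption: a 127-bit Mersenne prime field for the shares; XOR with a
# 127-bit password mask keeps the protected value inside the field's range.
P = 2**127 - 1


def _mask(salt: bytes, password: str) -> int:
    """Password-derived mask (toy: plain SHA-256; a real store would stretch)."""
    h = hashlib.sha256(salt + password.encode()).digest()
    return int.from_bytes(h, "big") % 2**127


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of the sharing polynomial over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _interpolate(points, x: int) -> int:
    """Lagrange interpolation over GF(P): value at x of the unique polynomial
    of degree < len(points) through the given (x_i, y_i) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def create_store(users: dict, threshold: int) -> dict:
    """Build the on-disk store: every account holds share_i XOR mask_i."""
    coeffs = [secrets.randbelow(P) for _ in range(threshold)]  # f(0) = secret
    secret = coeffs[0]
    store = {
        "threshold": threshold,
        # lets the server tell a successful unlock from a wrong guess
        "secret_check": hashlib.sha256(secret.to_bytes(16, "big")).hexdigest(),
        "accounts": {},
    }
    for x, (name, pwd) in enumerate(users.items(), start=1):
        salt = secrets.token_bytes(16)
        store["accounts"][name] = {
            "x": x, "salt": salt,
            "protected": _eval_poly(coeffs, x) ^ _mask(salt, pwd),
        }
    return store


def unlock(store: dict, logins: list):
    """Try to recover the shares from (username, password) pairs.
    Returns the recovered points (the unlocked state), or None when fewer
    than `threshold` pairs are given or at least one password is wrong."""
    if len(logins) < store["threshold"]:
        return None
    points = []
    for name, pwd in logins[: store["threshold"]]:
        acct = store["accounts"][name]
        points.append((acct["x"], acct["protected"] ^ _mask(acct["salt"], pwd)))
    candidate = _interpolate(points, 0)
    check = hashlib.sha256(candidate.to_bytes(16, "big")).hexdigest()
    return points if check == store["secret_check"] else None


def verify(store: dict, unlocked, name: str, pwd: str) -> bool:
    """Once unlocked, any account is checked by testing whether its
    recovered share lies on the reconstructed polynomial."""
    acct = store["accounts"][name]
    share = acct["protected"] ^ _mask(acct["salt"], pwd)
    return _interpolate(unlocked, acct["x"]) == share


if __name__ == "__main__":
    users = {f"user{i}": f"pw{i}" for i in range(5)}   # constructed sample
    store = create_store(users, threshold=3)
    print("two logins:", unlock(store, [("user0", "pw0"), ("user1", "pw1")]))
    state = unlock(store, [("user0", "pw0"), ("user1", "pw1"), ("user2", "pw2")])
    print("unlocked:", state is not None)
    print("user4 ok:", verify(store, state, "user4", "pw4"))
```

The model also makes the talk's caveat concrete: until the threshold is met no login can be verified, which is why the scheme suits deployments with many users (and, in the real design, is complemented by separate handling for accounts that must work before unlock).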