Overview
Syllabus
Intro
submissions requirements specs, reference code, test vectors salt, time and memory parameters IP statement: no patent, royalty-free
Antcrypt (Duermuth, Zimmerman) uses SHA-512 • floating-point arithmetic (pros and cons) separation crypto- and compute-hardness clear and well-motivated design
Argon (Biryukov, Khovratovich) • uses AES-128 (thus Nis on defenders' CPUs) • up to 32x parallelism, optional secret key
battcrypt (Thomas) Blowfish All The Things, and SHA-512 • suited for PHP (has a native Blowfish)
Catena (Forler, Lucks, Wenzel) • uses BLAKE2b (thus SIMD on defenders' CPUs) • graph-based structure, optional secret key
Centrifuge (Alvarez) uses AES-256-CFB and SHA-512 • benefits of AES-NI on defenders' CPUs • password- and salt-dependent "S-box" RC4-like byte pseudorandom byte swap
Gambit (Pinter) uses Keccak[1600] (sponge function) • optional local ROM table customizable word-to-word transform
Lanarea (Mubarak) uses BLAKE2b "heavily serial operations" (no //ism) "nonuniform section timings" (no pipelining) supports hash upgrade
Lyra2 (Simplicio Jr, Almeida, Andrade, dos Santos, Barrato) uses BLAKE2b (permut) in a duplex sponge • 2-dimensional memory parameter "basil" personalization string thorough security analysis
uses bignum arithmetic (modular squarings) • uses HMAC_DRBG supports delegation to untrusted systems supports password escrow, hash upgrade
Omega Crypt (Enright) uses ChaCha and CubeHash (SIMD-friendly) data-dependent branchings... ... yet timing attack mitigation
uses SHA-512 2-dimension time cost: sequential & parallel • constant (low) memory • minimalistic and compact design
PolyPassHash (Cappos, Arias) uses AES, SHA-256, SSS • threshold of pwds needed to unlock the DB • only appropriate when many users
POMELO (Wu) no external primitive (fully original algorithm) • simple FSR-like update functions partial mitigation of cache-timing attacks compact self-contained implementations
Pufferfish (Gosney) uses Blowfish, HMAC-SHA-512 • tweaked Blowfish (pwd-dependent S-boxes, etc.) a modern bcrypt (64-bit, variable memory) • JTR patches available
RIG (Chang, Jati, Mishra, Sanadhya) uses BLAKE2b • bit-reversal permutation mitigation of cache-timing leaks supports server relief and hash upgrade
Tortuga (Sch) uses Turtle (Blaze, 1996) as permutation keyed sponge structure (absorb/squeeze) original and simple construction
Yarn (Capun) • uses AES round and BLAKE2b • parallelism parameterizable 3 "time" parameters for distinct resources simple and compact design
yescrypt (Peslyak a.k.a. Solar Designer) uses scrypt with optional tweaks (via bit flags) • optional: local ROM, Salsa20 replacement more parallelism options (thread and inst. level) • supports server relief
evaluation criteria security (pseudorandomness, etc.) efficiency ratio (e.g. CPU vs GPU) simplicity (#LOCs, dependencies, etc.) extra functionalities target application etc.
we need reviews of the implementations third-party implementations (to check consistency with the specs, etc.) cryptanalysis (memory bypass, side-channel attacks, etc.) any comment or suggestion to improve