
The Candidates for Password Hashing Competition - JP Aumasson

via YouTube

Overview

Explore the candidates for the Password Hashing Competition (PHC) in this conference talk by JP Aumasson. Dive into the details of the submitted password hashing algorithms, including Antcrypt, Argon, battcrypt, Catena, Centrifuge, Gambit, Lanarea, Lyra2, Omega Crypt, PolyPassHash, POMELO, Pufferfish, RIG, Tortuga, Yarn, and yescrypt. Learn about their distinguishing features, the cryptographic primitives they build on, their memory and time parameters, and their security considerations. Gain insight into the evaluation criteria for these algorithms: security, efficiency ratio, simplicity, and extra functionalities. Understand why third-party implementations and cryptanalysis matter when assessing the strength of these password hashing designs.

Syllabus

Intro
Submission requirements: specs, reference code, test vectors; salt, time and memory parameters; IP statement: no patent, royalty-free.
Antcrypt (Duermuth, Zimmerman): uses SHA-512; floating-point arithmetic (pros and cons); separation of crypto-hardness and compute-hardness; clear and well-motivated design.
Argon (Biryukov, Khovratovich): uses AES-128 (thus AES-NI on defenders' CPUs); up to 32x parallelism; optional secret key.
battcrypt (Thomas): "Blowfish All The Things", plus SHA-512; suited for PHP (which has a native Blowfish).
Catena (Forler, Lucks, Wenzel): uses BLAKE2b (thus SIMD on defenders' CPUs); graph-based structure; optional secret key.
Centrifuge (Alvarez): uses AES-256-CFB and SHA-512; benefits from AES-NI on defenders' CPUs; password- and salt-dependent "S-box"; RC4-like pseudorandom byte swap.
Gambit (Pinter): uses Keccak[1600] (sponge function); optional local ROM table; customizable word-to-word transform.
Lanarea (Mubarak): uses BLAKE2b; "heavily serial operations" (no parallelism); "nonuniform section timings" (no pipelining); supports hash upgrade.
Lyra2 (Simplicio Jr, Almeida, Andrade, dos Santos, Barrato): uses the BLAKE2b permutation in a duplex sponge; 2-dimensional memory parameter; "basil" personalization string; thorough security analysis.
Uses bignum arithmetic (modular squarings); uses HMAC_DRBG; supports delegation to untrusted systems; supports password escrow and hash upgrade.
Omega Crypt (Enright): uses ChaCha and CubeHash (SIMD-friendly); data-dependent branching... yet timing attack mitigation.
Uses SHA-512; 2-dimensional time cost: sequential and parallel; constant (low) memory; minimalistic and compact design.
PolyPassHash (Cappos, Arias): uses AES, SHA-256, SSS; a threshold of passwords is needed to unlock the DB; only appropriate when there are many users.
POMELO (Wu): no external primitive (fully original algorithm); simple FSR-like update functions; partial mitigation of cache-timing attacks; compact self-contained implementations.
Pufferfish (Gosney): uses Blowfish and HMAC-SHA-512; tweaked Blowfish (password-dependent S-boxes, etc.); a modern bcrypt (64-bit, variable memory); JTR patches available.
RIG (Chang, Jati, Mishra, Sanadhya): uses BLAKE2b; bit-reversal permutation; mitigation of cache-timing leaks; supports server relief and hash upgrade.
Tortuga (Sch): uses Turtle (Blaze, 1996) as its permutation; keyed sponge structure (absorb/squeeze); original and simple construction.
Yarn (Capun): uses the AES round and BLAKE2b; parameterizable parallelism; 3 "time" parameters for distinct resources; simple and compact design.
yescrypt (Peslyak a.k.a. Solar Designer): uses scrypt with optional tweaks (via bit flags); optional local ROM and Salsa20 replacement; more parallelism options (thread and instruction level); supports server relief.
Evaluation criteria: security (pseudorandomness, etc.); efficiency ratio (e.g. CPU vs GPU); simplicity (number of LOCs, dependencies, etc.); extra functionalities; target application; etc.
What is needed: reviews of the implementations; third-party implementations (to check consistency with the specs, etc.); cryptanalysis (memory bypass, side-channel attacks, etc.); any comment or suggestion to improve.
