Journal of Cryptographic Engineering

, Volume 4, Issue 2, pp 75–89

Lyra: password-based key derivation with tunable memory and processing costs


  • Leonardo C. Almeida
    • Escola Politécnica, Universidade de São Paulo (Poli-USP)
  • Ewerton R. Andrade
    • Escola Politécnica, Universidade de São Paulo (Poli-USP)
  • Paulo S. L. M. Barreto
    • Escola Politécnica, Universidade de São Paulo (Poli-USP)
    • Escola Politécnica, Universidade de São Paulo (Poli-USP)
Regular Paper

DOI: 10.1007/s13389-013-0063-5

Cite this article as:
Almeida, L.C., Andrade, E.R., Barreto, P.S.L.M. et al. J Cryptogr Eng (2014) 4: 75. doi:10.1007/s13389-013-0063-5


We present Lyra, a password-based key derivation scheme based on cryptographic sponges. Lyra was designed to be strictly sequential (i.e., not easily parallelizable), providing strong security even against attackers that use multiple processing cores (e.g., custom hardware or a powerful GPU). At the same time, it is very simple to implement in software and allows legitimate users to fine-tune its memory and processing costs according to the desired level of security against brute force password guessing. We compare Lyra with similar-purpose state-of-the-art solutions, showing how our proposal provides a higher security level and overcomes limitations of existing schemes. Specifically, we show that if we fix Lyra ’s total processing time \(t\) in a legitimate platform, the cost of a memory-free attack against the algorithm is exponential, while the best-known result in the literature (namely, against the scrypt algorithm) is quadratic. In addition, for an identical same processing time, Lyra allows for a higher memory usage than its counterparts, further increasing the cost of brute force attacks.


Password-based key derivationMemory usageCryptographic sponges

Copyright information

© Springer-Verlag Berlin Heidelberg 2014