
Lyra: password-based key derivation with tunable memory and processing costs

Journal of Cryptographic Engineering

Abstract

We present Lyra, a password-based key derivation scheme based on cryptographic sponges. Lyra was designed to be strictly sequential (i.e., not easily parallelizable), providing strong security even against attackers that use multiple processing cores (e.g., custom hardware or a powerful GPU). At the same time, it is very simple to implement in software and allows legitimate users to fine-tune its memory and processing costs according to the desired level of security against brute force password guessing. We compare Lyra with similar-purpose state-of-the-art solutions, showing how our proposal provides a higher security level and overcomes limitations of existing schemes. Specifically, we show that if we fix Lyra's total processing time \(t\) in a legitimate platform, the cost of a memory-free attack against the algorithm is exponential, while the best-known result in the literature (namely, against the scrypt algorithm) is quadratic. In addition, for the same processing time, Lyra allows for a higher memory usage than its counterparts, further increasing the cost of brute force attacks.


References

  1. Andreeva, E., Mennink, B., Preneel, B.: The Parazoa family: generalizing the Sponge hash functions. IACR Cryptol. ePrint Arch. 2011, 28 (2011)


  2. Apple: iOS security. Tech. rep., Apple Inc. (2012). http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf

  3. Aumasson, J.P., Fischer, S., Khazaei, S., Meier, W., Rechberger, C.: New features of latin dances: Analysis of Salsa, ChaCha, and Rumba. In: Fast Software Encryption, vol. 5084, pp. 470–488. Springer, Berlin (2008). doi:10.1007/978-3-540-71039-4_30

  4. Aumasson, J.P., Guo, J., Knellwolf, S., Matusiewicz, K., Meier, W.: Differential and invertibility properties of BLAKE. In: Fast Software Encryption, pp. 318–332. Springer, New York (2010). http://eprint.iacr.org/2010/043.pdf

  5. Aumasson, J.P., Neves, S., Wilcox-O'Hearn, Z., Winnerlein, C.: BLAKE2: simpler, smaller, fast as MD5. https://blake2.net/blake2_20130129.pdf (2013)

  6. Bellare, M., Ristenpart, T., Tessaro, S.: Multi-instance security and its application to password-based cryptography. In: Advances in Cryptology (CRYPTO 2012), LNCS, vol. 7417, pp. 312–329. Springer, Berlin (2012). doi:10.1007/978-3-642-32009-5_19

  7. Bernstein, D.: The Salsa20 family of stream ciphers. In: M. Robshaw, O. Billet (eds.) New Stream Cipher Designs, pp. 84–97. Springer, Berlin (2008). doi:10.1007/978-3-540-68351-3_8

  8. Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Sponge functions (ECRYPT Hash Function Workshop 2007) (2007). http://csrc.nist.gov/pki/HashWorkshop/Public_Comments/2007_May.html

  9. Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Cryptographic sponge functions—version 0.1. http://keccak.noekeon.org/ (2011)

  10. Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: The Keccak SHA-3 submission. Submission to NIST (Round 3) (2011). http://keccak.noekeon.org/Keccak-submission-3.pdf

  11. Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: IEEE Symposium on Security and Privacy, pp. 553–567 (2012). doi:10.1109/SP.2012.44

  12. Chakrabarti, S., Singbal, M.: Password-based authentication: preventing dictionary attacks. Computer 40(6), 68–74 (2007). doi:10.1109/MC.2007.216


  13. Chang, S.J., Perlner, R., Burr, W.E., Turan, M.S., Kelsey, J.M., Paul, S., Bassham, L.E.: Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition. US Department of Commerce, National Institute of Standards and Technology (2012). http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7896.pdf

  14. Chung, E.S., Milder, P.A., Hoe, J.C., Mai, K.: Single-chip heterogeneous computing: Does the future include custom logic, FPGAs, and GPGPUs? In: Proc. of the 43rd Annual IEEE/ACM International Symposium on Microarchitecture, MICRO’43, pp. 225–236. IEEE Computer Society, Washington, DC (2010). doi:10.1109/MICRO.2010.36

  15. Conklin, A., Dietrich, G., Walz, D.: Password-based authentication: a system perspective. In: Proc. of the 37th Annual Hawaii International Conference on System Sciences (HICSS’04), HICSS’04, vol. 7, pp. 170–179. IEEE Computer Society, Washington, DC (2004). http://dl.acm.org/citation.cfm?id=962755.963150

  16. Crew, B.: New carnivorous harp sponge discovered in deep sea. Nature (2012). doi:10.1038/nature.2012.11789. http://www.nature.com/news/new-carnivorous-harp-sponge-discovered-in-deep-sea-1.11789

  17. Daemen, J., Rijmen, V.: A new MAC construction alred and a specific instance alpha-mac. In: Fast Software Encryption—FSE’05, pp. 1–17 (2005). doi:10.1007/11502760_1

  18. Daemen, J., Rijmen, V.: Refinements of the alred construction and MAC security claims. Inf. Secur. IET 4(3), 149–157 (2010). doi:10.1049/iet-ifs.2010.0015


  19. Dandass, Y.S.: Using FPGAs to parallelize dictionary attacks for password cracking. In: Proc. of the 41st Annual Hawaii International Conference on System Sciences (HICSS 2008), pp. 485–485. IEEE (2008). doi:10.1109/HICSS.2008.484

  20. Dürmuth, M., Güneysu, T., Kasper, M.: Evaluation of standardized password-based key derivation against parallel processing platforms. In: Computer Security-ESORICS 2012, LNCS, vol. 7459, pp. 716–733. Springer, Berlin (2012). doi:10.1007/978-3-642-33167-1_41

  21. Florencio, D., Herley, C.: A large scale study of web password habits. Proc. of the 16th International Conference on World Wide Web. Alberta, pp. 657–666 (2007)

  22. Fowers, J., Brown, G., Cooke, P., Stitt, G.: A performance and energy comparison of FPGAs, GPUs, and multicores for sliding-window applications. In: Proceedings of the ACM/SIGDA International Symposium on Field Programmable Gate Arrays (FPGA'12), pp. 47–56. ACM, New York (2012). doi:10.1145/2145694.2145704

  23. Halderman, J., Schoen, S., Heninger, N., Clarkson, W., Paul, W., Calandrino, J., Feldman, A., Appelbaum, J., Felten, E.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009). doi:10.1145/1506409.1506429


  24. Herley, C., van Oorschot, P., Patrick, A.: Passwords: If we’re so smart, why are we still using them? In: Financial Cryptography and Data Security, LNCS, vol. 5628, pp. 230–237. Springer, Berlin (2009). doi:10.1007/978-3-642-03549-4_14

  25. Kakarountas, A.P., Michail, H., Milidonis, A., Goutis, C.E., Theodoridis, G.: High-speed FPGA implementation of secure hash algorithm for IPSec and VPN applications. J. Supercomput. 37(2), 179–195 (2006). doi:10.1007/s11227-006-5682-5


  26. Kaliski, B.: PKCS#5: Password-based cryptography specification version 2.0 (RFC 2898) (2000). http://tools.ietf.org/html/rfc2898

  27. Kelsey, J., Schneier, B., Hall, C., Wagner, D.: Secure applications of low-entropy keys. In: Proceedings of the 1st International Workshop on Information Security, ISW ’97, pp. 121–134. Springer, London (1998)

  28. Khronos Group: The OpenCL specification—version 1.2 (2012)

  29. Marechal, M.: Advances in password cracking. J. Comput. Virol. 4(1), 73–81 (2008). doi:10.1007/s11416-007-0064-y


  30. Ming, M., Qiang, H., Zeng, S.: Security analysis of BLAKE-32 based on differential properties. In: 2010 International Conference on Computational and Information Sciences (ICCIS), IEEE, pp. 783–786 (2010). http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5709204

  31. NIST: Federal Information Processing Standard (FIPS PUB 198)—the Keyed-Hash Message Authentication Code. National Institute of Standards and Technology, U.S. Department of Commerce (2002). http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf

  32. NIST: Special Publication 800-108—Recommendation for key derivation using pseudorandom functions. National Institute of Standards and Technology, U.S. Department of Commerce (2009). http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf

  33. NIST: Special Publication 800-63-1—Electronic Authentication Guideline. National Institute of Standards and Technology, U.S. Department of Commerce (2011). http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf

  34. Nvidia: CUDA C programming guide. http://docs.nvidia.com/cuda/cuda-c-programming-guide/ (2012)

  35. Nvidia: Tesla Kepler family product overview. http://www.nvidia.com/content/tesla/pdf/Tesla-KSeries-Overview-LR.pdf (2012)

  36. Percival, C.: Stronger key derivation via sequential memory-hard functions. In: BSDCan 2009—The Technical BSD Conference (2009). http://www.bsdcan.org/2009/schedule/attachments/87_scrypt.pdf

  37. PHC: Password hashing competition. https://password-hashing.net/ (2013)

  38. Provos, N., Mazières, D.: A future-adaptable password scheme. In: Proceedings of the FREENIX track: 1999 USENIX Annual Technical Conference (1999)

  39. Schneier, B.: Description of a new variable-length key, 64-bit block cipher (Blowfish). Fast Software Encryption, pp. 191–204. Cambridge Security Workshop. Springer, London (1994)

  40. SciEngines: Rivyera s3-5000. http://sciengines.com/products/computers-and-clusters/rivyera-s3-5000.html

  41. SciEngines: Rivyera v7-2000t. http://sciengines.com/products/computers-and-clusters/v72000t.html

  42. Simplicio Jr, M.A., Barbuda, P., Barreto, P., Carvalho, T., Margi, C.: The marvin message authentication code and the lettersoup authenticated encryption scheme. Secur. Commun. Netw. 2, 165–180 (2009). doi:10.1002/sec.66

  43. Simplicio Jr, M.A., Barreto, P.S.L.M.: Revisiting the security of the alred design and two of its variants: Marvin and LetterSoup. IEEE Trans. Inf. Theory 58(9), 6223–6238 (2012). doi:10.1109/TIT.2012.2203093


  44. Sprengers, M.: GPU-based password cracking: on the security of password hashing schemes regarding advances in graphics processing units. Master’s thesis, Radboud University Nijmegen (2011). http://www.ru.nl/publish/pages/578936/thesis.pdf

  45. TrendForce: DRAM contract price (jan.15 2013). http://www.trendforce.com/price (visited on Apr. 22, 2013) (2013)

  46. TrueCrypt: TrueCrypt: Free open-source on-the-fly encryption—documentation. http://www.truecrypt.org/docs/ (2012)

  47. Weir, M., Aggarwal, S., Medeiros, B.d., Glodek, B.: Password cracking using probabilistic context-free grammars. In: Proceedings of the 30th IEEE Symposium on Security and Privacy, SP’09, pp. 391–405. IEEE Computer Society, Washington, DC (2009). doi:10.1109/SP.2009.8

  48. Yao, F., Yin, Y.: Design and analysis of password-based key derivation functions. IEEE Trans. Inf. Theory 51(9), 3292–3297 (2005). doi:10.1109/TIT.2005.853307


  49. Yuill, J., Denning, D., Feer, F.: Using deception to hide things from hackers: processes, principles, and techniques. J. Inf. Warfare 5(3), 26–40 (2006)



Acknowledgments

This work was supported by the National Council for Scientific and Technological Development (CNPq) under grants 482342/2011-0, 473916/2013-4 and productivity research grant 303163/2009-7, as well as by the São Paulo Research Foundation (FAPESP) under grant 2011/21592-8.


Corresponding author

Correspondence to Marcos A. Simplicio Jr.

Appendices

Appendix A: PBKDF2

The Password-Based Key Derivation Function version 2 (PBKDF2) algorithm [26] was originally proposed in 2000 as part of RSA Laboratories’ PKCS#5. It is nowadays present in several security tools, such as TrueCrypt [46] and Apple’s iOS for encrypting user passwords [2], and has been formally analyzed in several circumstances [6, 48].

[Algorithm 3: PBKDF2 (figure not reproduced)]

Basically, PBKDF2 (see Algorithm 3) iteratively applies the underlying pseudorandom function \(Hash\) (in practice an HMAC keyed with the password) to the concatenation of \(pwd\) and a variable \(U_i\), i.e., it makes \(U_i = Hash(pwd, U_{i-1})\) for each iteration \(1 \leqslant i \leqslant {T}\). The initial value \(U_0\) corresponds to the concatenation of the user-provided \(salt\) and the index \(j\) of the output block being computed, encoded as a 4-byte big-endian integer [26], where \(1 \leqslant j \leqslant l\) and \(l\) is the number of \(Hash\)-sized blocks needed to cover the desired key length \(k\). The \(j\)-th block of the \(k\)-long key is then computed as \(K_j = U_1 \, \oplus \,U_2 \, \oplus \,\cdots \, \oplus \,U_{{T}}\); the \(l\) blocks are concatenated and truncated to \(k\) bytes, so a full derivation costs \(l \cdot {T}\) invocations of \(Hash\).

PBKDF2 allows users to control its total running time by configuring the \({T}\) parameter, and that time grows linearly with \({T}\). Since the key derivation process is strictly sequential (one cannot compute \(U_i\) without first obtaining \(U_{i-1}\)), its internal structure is not parallelizable (although the \(l\) output blocks are mutually independent and can be computed side by side). However, as the amount of memory used by PBKDF2 is quite small (a single \(Hash\) output per block in flight), the cost of implementing brute force attacks against it by means of multiple processing units remains reasonably low: each guess needs only a few hundred bytes of state, so an attacker can run as many guesses in parallel as there are processing units.
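The following is an added example, not the paper's own code nor part of the original page: PBKDF2 written out exactly as Appendix A describes it, so that the sequential \(U_i\) chain and the per-block XOR accumulation are visible, and checked against Python's native implementation. The function names pbkdf2, prf_calls, matches_stdlib and choose_T are this example's own; the 4-byte big-endian block-index encoding of \(U_0\) is the one specified in PKCS#5 [26]; choose_T assumes only what the text states, namely that running time is linear in \({T}\). The inputs in the __main__ block are constructed for illustration.

```python
# Added example: PBKDF2 from the Appendix A description (not the Lyra paper's code).
import hashlib
import hmac
import struct
import time


def pbkdf2(pwd: bytes, salt: bytes, T: int, k: int, hash_name: str = "sha256") -> bytes:
    """Derive a k-byte key from pwd and salt with T sequential Hash calls per block.

    Hash is instantiated as HMAC-<hash_name> keyed with pwd.  For output block j:
      U_0 = salt || INT(j)          (INT(j): 4-byte big-endian block index, PKCS#5)
      U_i = Hash(pwd, U_{i-1})      for 1 <= i <= T
      K_j = U_1 xor U_2 xor ... xor U_T
    The key is K_1 || K_2 || ... || K_l truncated to k bytes.
    """
    if T < 1:
        raise ValueError("iteration count T must be at least 1")
    if k < 1:
        raise ValueError("key length k must be at least 1")
    h_len = hashlib.new(hash_name).digest_size
    l = -(-k // h_len)  # number of output blocks: ceil(k / h_len)
    if l > 0xFFFFFFFF:
        raise ValueError("requested key too long for a 4-byte block index")
    key = bytearray()
    for j in range(1, l + 1):
        # U_1 = Hash(pwd, U_0) with U_0 = salt || INT(j)
        u = hmac.new(pwd, salt + struct.pack(">I", j), hash_name).digest()
        block = bytearray(u)
        for _ in range(T - 1):
            # U_i depends on U_{i-1}: this loop cannot be parallelized within a block
            u = hmac.new(pwd, u, hash_name).digest()
            # K_j accumulates U_1 xor ... xor U_i; only h_len bytes of state are live
            block = bytearray(a ^ b for a, b in zip(block, u))
        key += block
    return bytes(key[:k])


def prf_calls(T: int, k: int, hash_name: str = "sha256") -> int:
    """Number of Hash invocations one derivation costs: l * T."""
    h_len = hashlib.new(hash_name).digest_size
    return -(-k // h_len) * T


def matches_stdlib(pwd: bytes, salt: bytes, T: int, k: int, hash_name: str = "sha256") -> bool:
    """Cross-check the hand-written loop against hashlib's native PBKDF2-HMAC."""
    return pbkdf2(pwd, salt, T, k, hash_name) == hashlib.pbkdf2_hmac(hash_name, pwd, salt, T, k)


def choose_T(target_seconds: float, probe: int = 20_000, hash_name: str = "sha256") -> int:
    """Pick T so that one derivation takes roughly target_seconds on this host.

    Because PBKDF2's cost is linear in T, a single timed probe is enough to scale.
    The probe uses hashlib's optimized primitive so the estimate reflects the speed
    of the code a deployment would actually run, not this illustrative loop.
    """
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"probe", b"\x00" * 16, probe, 32)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe * target_seconds / elapsed))


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    pwd, salt = b"correct horse battery staple", b"\x01" * 16
    print("48-byte key matches hashlib:", matches_stdlib(pwd, salt, 10_000, 48))
    print("Hash calls for a 48-byte key at T=10000:", prf_calls(10_000, 48))
    print("T for roughly 0.1 s on this host:", choose_T(0.1))
```

The multi-block case (k larger than one digest) is where hand-rolled PBKDF2 code most often goes wrong: the block index must change per block and the XOR accumulator must be reset, which the cross-check with hashlib catches. choose_T is a calibration aid for the "fine-tune the total running time" remark; recalibrate it on the slowest legitimate platform, not on the attacker's.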

Appendix B: Bcrypt

Another solution that allows users to configure the key derivation's processing time is bcrypt [38]. The scheme is based on a customized version of the 64-bit block cipher Blowfish [39], called EksBlowfish ("expensive key schedule Blowfish").

[Algorithm 4: bcrypt and EksBlowfishSetup (figure not reproduced)]

Both algorithms use the same encryption process, differing only in how they compute their subkeys and S-boxes. Bcrypt consists of initializing EksBlowfish's subkeys and S-boxes from the salt and password, using the so-called EksBlowfishSetup function, and then using EksBlowfish to iteratively encrypt a constant string 64 times.

EksBlowfishSetup starts by copying the first hexadecimal digits of the number \(\pi \) into the subkeys and S-boxes \(S_i\) (see Algorithm 4). Then, it updates the subkeys and S-boxes by invoking \(ExpandKey(salt, pwd)\), for a 128-bit salt value. Basically, this function (1) cyclically XORs the password into the current subkeys, and then (2) iteratively Blowfish-encrypts one half of the salt, with the resulting ciphertext being XORed with the salt's other half and also replacing the next two subkeys (or S-box entries, after all subkeys have been replaced). After all subkeys and S-boxes are updated, bcrypt alternately calls \(ExpandKey(0, salt)\) and then \(ExpandKey(0, pwd)\), for \(2^{T}\) iterations. The user-defined parameter \({T}\) thus determines the time spent on this subkey and S-box updating process, effectively controlling the algorithm's total processing time.

Like PBKDF2, bcrypt allows users to parameterize only its total running time. In addition to this shortcoming, some of its characteristics can be considered (small) disadvantages when compared with PBKDF2. First, bcrypt employs a dedicated structure (EksBlowfish) rather than a conventional hash function, which requires implementing a whole new cryptographic primitive and thus raises the algorithm's code size. Second, EksBlowfishSetup's internal loop grows exponentially with the \({T}\) parameter, making it harder to fine-tune bcrypt's total execution time without adding a linearly growing external loop. Finally, bcrypt displays the unusual (albeit minor) restriction of being unable to handle passwords having more than 56 bytes (the limit stated in the bcrypt paper [38]; widely deployed implementations silently truncate longer inputs at 72 bytes rather than rejecting them, which is worth checking before accepting long passphrases).

Appendix C: On the algorithm’s name

The name Lyra comes from Chondrocladia lyra, a recently discovered type of sponge [16]. While most sponges are harmless, this harp-like sponge is carnivorous, using its branches to ensnare its prey, envelop it in a membrane and completely digest it.

Lyra's memory matrix displays some similarity with this species' external aspect, and we expect it to be at least as aggressive against adversaries trying to attack it.



Cite this article

Almeida, L.C., Andrade, E.R., Barreto, P.S.L.M. et al. Lyra: password-based key derivation with tunable memory and processing costs. J Cryptogr Eng 4, 75–89 (2014). https://doi.org/10.1007/s13389-013-0063-5
