International Journal of Information Security

, Volume 18, Issue 2, pp 163–180 | Cite as

Cryptanalytic time–memory trade-off for password hashing schemes

  • Donghoon Chang
  • Arpan Jati
  • Sweta MishraEmail author
  • Somitra Kumar Sanadhya
Regular Contribution


Increasing threat of password leakage from compromised password hashes demands a resource consuming password-hashing algorithm to prevent the precomputation of the password hashes. A class of password-hashing schemes (PHS) provides such a defense by making the design Memory hard. This ensures that any reduction in the memory consumed by the algorithm leads to an exponential increase in its runtime. The security offered by a memory-hard PHS design is measured in terms of its time–memory trade-off (TMTO) defense. Another important measure for a good PHS is its efficiency in utilizing all the available memory as quickly as possible, and fast running time when more than the required memory is available. In this work, we present a simple technique to analyze TMTO for a password-hashing scheme which can be represented as a directed acyclic graph (DAG). The nodes of the DAG correspond to the storage required by the algorithm and the edges correspond to the flow of the execution. Our proposed technique provides expected runtimes at varied levels of available storage utilizing the DAG representation of the algorithm. We show the effectiveness of our proposed technique by applying it on three designs from the “Password Hashing Competition" (PHC)—Argon2-Version 1.2.1 (the PHC winner), Catena-Version 3.2 and Rig-Version 2. Our analysis shows that Argon2i is not providing expected memory hardness which is also highlighted in a recent work by Corrigan-Gibbs et al. We analyze these PHS for performance under various settings of time and memory complexities. Our experimental results show (i) simple DAGs for PHS are efficient but not memory hard, (ii) complex DAGs for PHS are memory hard but less efficient, and (iii) combination of two simple graphs in the representation of a DAG for PHS achieves both memory hardness and efficiency.


Time–memory trade-off Password Hashing Memory hard Graph traversal Bit-reversal graph Double butterfly graph 

Supplementary material

10207_2018_405_MOESM1_ESM.pdf (199 kb)
Supplementary material 1 (pdf 199 KB)
10207_2018_405_MOESM2_ESM.pdf (263 kb)
Supplementary material 2 (pdf 262 KB)


  1. 1.
    Saltzer, J.H.: Protection and the control of information sharing in MULTICS. In: Schorr, H., Perlis, A.J., Weiner, P., Frazer, W.D. (eds.) Proceedings of the Fourth Symposium on Operating System Principles, SOSP 1973, Thomas J. Watson, Research Center, Yorktown Heights, New York, USA, October 15–17, 1973. ACM (1973)Google Scholar
  2. 2.
    Morris, R. and Thomson, K., Password security: A case history, Communications of the ACM, 22 (1979), pp. 594–597.
  3. 3.
    Password Hashing Competition (PHC) (2014).
  4. 4.
    Percival, C.: Stronger key derivation via sequential memory-hard functions. In: BSDCon (2009).
  5. 5.
    Forler, C., Lucks, S., Wenzel, J.: Catena: a memory-consuming password scrambler. IACR Cryptol. ePrint Arch. 2013, 525 (2013)Google Scholar
  6. 6.
    Biryukov, A., Dinu, D., Khovratovich, D.: Argon2: the memory-hard function for password hashing and other applications . Submission to Password Hashing Competition (PHC) (2015).
  7. 7.
    Forler, C., Lucks, S., Wenzel, J.: The Catena Password-Scrambling Framework. Submission to PHC (2015).
  8. 8.
    Chang, D., Jati, A., Mishra, S., Sanadhya, S.K.: Rig: a simple, secure and flexible design for password hashing. In: Lin, D., Yung, M., Zhou, J. (eds.) Information Security and Cryptology—10th International Conference, Inscrypt 2014, Beijing, China, December 13–15, 2014, Revised Selected Papers, Lecture Notes in Computer Science, vol. 8957. Springer, pp. 361–381 (2014)Google Scholar
  9. 9.
    Hellman, Martin E.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Oechslin, P.: Making a faster cryptanalytic time-memory trade-off. In: Boneh, D. (ed.) Advances in Cryptology—CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 2003, Proceedings, Lecture Notes in Computer Science, vol. 2729. Springer, pp. 617–630 (2003)Google Scholar
  11. 11.
    Biryukov, A., Khovratovich, D.: Tradeoff cryptanalysis of memory-hard functions. In: Iwata, T., Cheon, J.H. (eds.) Advances in Cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29–December 3, 2015, Proceedings, Part II, Lecture Notes in Computer Science, vol. 9453. Springer, pp. 633–657 (2015)Google Scholar
  12. 12.
    Corrigan-Gibbs, H., Boneh, D., Schechter, S.E.: Balloon Hashing: Provably Space-Hard Hash Functions with Data-Independent Access Patterns. IACR Cryptol. ePrint Arch. 2016, 27 (2016)Google Scholar
  13. 13.
    Aumasson, J., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: simpler, smaller, fast as MD5. IACR Cryptol. ePrint Arch. 2013, 322 (2013)zbMATHGoogle Scholar
  14. 14.
    Biryukov, A., Dinu, D., Khovratovich, D.: Argon2 for password hashing and cryptocurrencies (2016).
  15. 15.
    Bradley, W.F.: Superconcentration on a pair of butterflies (2014). arXiv preprint arXiv:1401.7263
  16. 16.
    Lengauer, T., Tarjan, R.E.: Upper and lower bounds on time-space tradeoffs. In: Fischer, M.J., DeMillo, R.A., Lynch, N.A., Burkhard, W.A., Aho, A.V. (eds.) Proceedings of the 11th Annual ACM Symposium on Theory of Computing, April 30–May 2, 1979, Atlanta, Georgia, USA. ACM, pp. 262–277 (1979)Google Scholar
  17. 17.
    Aumasson, J.P., Neves S., Wilcox-O’Hearn Z., Winnerlein C.: BLAKE2: Simpler, Smaller, Fast as MD5. In: Jacobson M., Locasto M., Mohassel P., Safavi-Naini R. (eds) Applied Cryptography and Network Security. ACNS 2013. Lecture Notes in Computer Science, vol 7954, pp. 119–135. Springer, Berlin (2013)Google Scholar
  18. 18.
    Cooley, James W., Tukey, John W.: An algorithm for the machine calculation of complex Fourier series. Math. Comput. 19(90), 297–301 (1965)MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Biryukov, A., Dinu, D., Khovratovich, D., Josefsson, S.: The memory-hard Argon2 password hash and proof-of-work function. IRTF Crypto Forum Research Group Active Internet-Draft (cfrg RG): draft-irtf-cfrg-argon2-00 (2016).
  20. 20.
    Biryukov, A., Dinu, D., Khovratovich, D.: Argon2: the memory-hard function for password hashing and other applications, Version 1.3 (2016).
  21. 21.
    Memory-hard scheme Argon2 (2016). (162 commits)
  22. 22.
    Reference Implementation of Catena, a memory-consuming password scrambler (2015). (75 commits)
  23. 23.
    Reference and Optimized implementations of Rig, A simple, secure and flexible design for Password Hashing (2016).
  24. 24.
    A flexible implementation of Colin Percival’s scrypt (2016). (58 commits)

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Indraprashtha Institute of Information Technology, Delhi (IIIT-Delhi)DelhiIndia
  2. 2.Indian Institute of Technology, Ropar (IIT-Ropar)RoparIndia

Personalised recommendations