Journal of Cryptographic Engineering

, Volume 4, Issue 2, pp 75–89 | Cite as

Lyra: password-based key derivation with tunable memory and processing costs

  • Leonardo C. Almeida
  • Ewerton R. Andrade
  • Paulo S. L. M. Barreto
  • Marcos A. SimplicioJrEmail author
Regular Paper


We present Lyra, a password-based key derivation scheme based on cryptographic sponges. Lyra was designed to be strictly sequential (i.e., not easily parallelizable), providing strong security even against attackers that use multiple processing cores (e.g., custom hardware or a powerful GPU). At the same time, it is very simple to implement in software and allows legitimate users to fine-tune its memory and processing costs according to the desired level of security against brute force password guessing. We compare Lyra with similar-purpose state-of-the-art solutions, showing how our proposal provides a higher security level and overcomes limitations of existing schemes. Specifically, we show that if we fix Lyra ’s total processing time \(t\) in a legitimate platform, the cost of a memory-free attack against the algorithm is exponential, while the best-known result in the literature (namely, against the scrypt algorithm) is quadratic. In addition, for an identical same processing time, Lyra allows for a higher memory usage than its counterparts, further increasing the cost of brute force attacks.


Password-based key derivation Memory usage Cryptographic sponges 



This work was supported by National Counsel of Technological and Scientific Development (CNPq) under grants 482342/2011-0, 473916/2013-4, under productivity research grant 303163/2009-7, as well as by the São Paulo Research Foundation (FAPESP) under grant 2011/21592-8.


  1. 1.
    Andreeva, E., Mennink, B., Preneel, B.: The Parazoa family: generalizing the Sponge hash functions. IACR Cryptol. ePrint Arch. 2011, 28 (2011)Google Scholar
  2. 2.
    Apple: iOS security. Tech. rep., Apple Inc. (2012).
  3. 3.
    Aumasson, J.P., Fischer, S., Khazaei, S., Meier, W., Rechberger, C.: New features of latin dances: Analysis of Salsa, ChaCha, and Rumba. In: Fast Software Encryption, vol. 5084, pp. 470–488. Springer, Berlin (2008). doi: 10.1007/978-3-540-71039-4_30
  4. 4.
    Aumasson, J.P., Guo, J., Knellwolf, S., Matusiewicz, K., Meier, W.: Differential and invertibility properties of BLAKE. In: Fast Software Encryption, pp. 318–332. Springer, New York (2010).
  5. 5.
    Aumasson, J.P., Neves, S., Wilcox-OHearn, Z., Winnerlein, C.: BLAKE2: simpler, smaller, fast as MD5. (2013)
  6. 6.
    Bellare, M., Ristenpart, T., Tessaro, S.: Multi-instance security and its application to password-based cryptography. In: Advances in Cryptology (CRYPTO 2012), LNCS, vol. 7417, pp. 312–329. Springer, Berlin (2012). doi: 10.1007/978-3-642-32009-19
  7. 7.
    Bernstein, D.: The Salsa20 family of stream ciphers. In: M. Robshaw, O. Billet (eds.) New Stream Cipher Designs, pp. 84–97. Springer, Berlin (2008). doi: 10.1007/978-3-540-68351-3_8
  8. 8.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Sponge functions (ECRYPT Hash Function Workshop 2007) (2007).
  9. 9.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Cryptographic sponge functions—version 0.1. (2011)
  10. 10.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: The Keccak SHA-3 submission. Submission to NIST (Round 3) (2011).
  11. 11.
    Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: IEEE Symposium on Security and Privacy, pp. 553–567 (2012). doi: 10.1109/SP.2012.44
  12. 12.
    Chakrabarti, S., Singbal, M.: Password-based authentication: preventing dictionary attacks. Computer 40(6), 68–74 (2007). doi: 10.1109/MC.2007.216 CrossRefGoogle Scholar
  13. 13.
    Chang, S.J., Perlner, R., Burr, W.E., Turan, M.S., Kelsey, J.M., Paul, S., Bassham, L.E.: Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition. US Department of Commerce, National Institute of Standards and Technology (2012).
  14. 14.
    Chung, E.S., Milder, P.A., Hoe, J.C., Mai, K.: Single-chip heterogeneous computing: Does the future include custom logic, FPGAs, and GPGPUs? In: Proc. of the 43rd Annual IEEE/ACM International Symposium on Microarchitecture, MICRO’43, pp. 225–236. IEEE Computer Society, Washington, DC (2010). doi: 10.1109/MICRO.2010.36
  15. 15.
    Conklin, A., Dietrich, G., Walz, D.: Password-based authentication: a system perspective. In: Proc. of the 37th Annual Hawaii International Conference on System Sciences (HICSS’04), HICSS’04, vol. 7, pp. 170–179. IEEE Computer Society, Washington, DC (2004).
  16. 16.
    Crew, B.: New carnivorous harp sponge discovered in deep sea. Nature (2012). doi: 10.1038/nature.2012.11789.
  17. 17.
    Daemen, J., Rijmen, V.: A new MAC construction alred and a specific instance alpha-mac. In: Fast Software Encryption—FSE’05, pp. 1–17 (2005). doi: 10.1007/11502760_1
  18. 18.
    Daemen, J., Rijmen, V.: Refinements of the alred construction and MAC security claims. Inf. Secur. IET 4(3), 149–157 (2010). doi: 10.1049/iet-ifs. 2010.0015CrossRefGoogle Scholar
  19. 19.
    Dandass, Y.S.: Using FPGAs to parallelize dictionary attacks for password cracking. In: Proc. of the 41st Annual Hawaii International Conference on System Sciences (HICSS 2008), pp. 485–485. IEEE (2008). doi: 10.1109/HICSS.2008.484
  20. 20.
    Dürmuth, M., Güneysu, T., Kasper, M.: Evaluation of standardized password-based key derivation against parallel processing platforms. In: Computer Security-ESORICS 2012, LNCS, vol. 7459, pp. 716–733. Springer, Berlin (2012). doi: 10.1007/978-3-642-33167-1_41
  21. 21.
    Florencio, D., Herley, C.: A large scale study of web password habits. Proc. of the 16th International Conference on World Wide Web. Alberta, pp. 657–666 (2007)Google Scholar
  22. 22.
    Fowers, J., Brown, G., Cooke, P., Stitt, G.: A performance and energy comparison of FPGAs, GPUs, and multicores for sliding-window applications. In: Proceedings of the ACM/SIGDA Internbational Symposium on Field Programmable Gate Arrays (FPGA’12), pp. 47–56. ACM, New York (2012). doi: 10.1145/2145694.2145704
  23. 23.
    Halderman, J., Schoen, S., Heninger, N., Clarkson, W., Paul, W., Calandrino, J., Feldman, A., Appelbaum, J., Felten, E.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009). doi: 10.1145/1506409.1506429 CrossRefGoogle Scholar
  24. 24.
    Herley, C., van Oorschot, P., Patrick, A.: Passwords: If we’re so smart, why are we still using them? In: Financial Cryptography and Data Security, LNCS, vol. 5628, pp. 230–237. Springer, Berlin (2009). doi: 10.1007/978-3-642-03549-4_14
  25. 25.
    Kakarountas, A.P., Michail, H., Milidonis, A., Goutis, C.E., Theodoridis, G.: High-speed FPGA implementation of secure hash algorithm for IPSec and VPN applications. J. Supercomput. 37(2), 179–195 (2006). doi: 10.1007/s11227-006-5682-5 CrossRefGoogle Scholar
  26. 26.
    Kaliski, B.: PKCS#5: Password-based cryptography specification version 2.0 (RFC 2898) (2000).
  27. 27.
    Kelsey, J., Schneier, B., Hall, C., Wagner, D.: Secure applications of low-entropy keys. In: Proceedings of the 1st International Workshop on Information Security, ISW ’97, pp. 121–134. Springer, London (1998)Google Scholar
  28. 28.
    Khronos Group: The OpenCL specification—version 1.2 (2012)Google Scholar
  29. 29.
    Marechal, M.: Advances in password cracking. J. Comput. Virol. 4(1), 73–81 (2008). doi: 10.1007/s11416-007-0064-y CrossRefGoogle Scholar
  30. 30.
    Ming, M., Qiang, H., Zeng, S.: Security analysis of BLAKE-32 based on differential properties. In: 2010 International Conference on Computational and Information Sciences (ICCIS), IEEE, pp. 783–786 (2010).
  31. 31.
    NIST: Federal Information Processing Standard (FIPS PUB 198)—the Keyed-Hash Message Authentication Code. National Institute of Standards and Technology, U.S. Department of Commerce (2002).
  32. 32.
    NIST: Special Publication 800-18—recommendation for key derivation using pseudorandom functions. National Institute of Standards and Technology, U.S. Department of Commerce (2009).
  33. 33.
    NIST: Special Publication 800-63-1—Electronic Authentication Guideline. National Institute of Standards and Technology, U.S. Department of Commerce (2011).
  34. 34.
    Nvidia: CUDA C programming guide. (2012)
  35. 35.
    Nvidia: Tesla Kepler family product overview. (2012)
  36. 36.
    Percival, C.: Stronger key derivation via sequential memory-hard functions. In: BSDCan 2009—The Technical BSD Conference (2009).
  37. 37.
    PHC: Password hashing competition. (2013)
  38. 38.
    Provos, N., Mazières, D.: A future-adaptable password scheme. In: Proceedings of the FREENIX track: 1999 USENIX Annual Technical Conference (1999)Google Scholar
  39. 39.
    Schneier, B.: Description of a new variable-length key, 64-bit block cipher (Blowfish). Fast Software Encryption, pp. 191–204. Cambridge Security Workshop. Springer, London (1994)Google Scholar
  40. 40.
  41. 41.
  42. 42.
    Simplicio Jr, M.A., Barbuda, P., Barreto, P., Carvalho, T., Margi, C.: The marvin message authentication code and the lettersoup authenticated encryption scheme. Secur. Commun. Netw. 2, 165–180 (2009). doi: 10.1002/sec.66
  43. 43.
    Simplicio Jr, M.A., Barreto, P.S.L.M.: Revisiting the security of the alred design and two of its variants: Marvin and LetterSoup. IEEE Trans. Inf. Theory 58(9), 6223–6238 (2012). doi: 10.1109/TIT.2012.2203093 CrossRefMathSciNetGoogle Scholar
  44. 44.
    Sprengers, M.: GPU-based password cracking: on the security of password hashing schemes regarding advances in graphics processing units. Master’s thesis, Radboud University Nijmegen (2011).
  45. 45.
    TrendForce: DRAM contract price (jan.15 2013). (visited on Apr. 22, 2013) (2013)
  46. 46.
    TrueCrypt: TrueCrypt: Free open-source on-the-fly encryption—documentation. (2012)
  47. 47.
    Weir, M., Aggarwal, S., Medeiros, B.d., Glodek, B.: Password cracking using probabilistic context-free grammars. In: Proceedings of the 30th IEEE Symposium on Security and Privacy, SP’09, pp. 391–405. IEEE Computer Society, Washington, DC (2009). doi: 10.1109/SP.2009.8
  48. 48.
    Yao, F., Yin, Y.: Design and analysis of password-based key derivation functions. IEEE Trans. Inf. Theory 51(9), 3292–3297 (2005). doi: 10.1109/TIT.2005.853307 CrossRefMathSciNetGoogle Scholar
  49. 49.
    Yuill, J., Denning, D., Feer, F.: Using deception to hide things from hackers: processes, principles, and techniques. J. Inf. Warfare 5(3), 26–40 (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Leonardo C. Almeida
    • 1
  • Ewerton R. Andrade
    • 1
  • Paulo S. L. M. Barreto
    • 1
  • Marcos A. SimplicioJr
    • 1
    Email author
  1. 1.Escola Politécnica, Universidade de São Paulo (Poli-USP)São PauloBrazil

Personalised recommendations