Catena Variants

Different Instantiations for an Extremely Flexible Password-Hashing Framework
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9551)


Catena is a password-scrambling framework characterized by its high flexibility. The user (defender) can simply adapt the underlying (cryptographic) primitives, the underlying memory-hard function, and the time (\(\lambda \)) and memory (garlic) parameters, to render it suitable for a wide range of applications. This enables Catena to maximize the defense against specific adversaries, their capabilities and goals, and to cope with a high variation of hardware and constraints on the side of the defender. Catena has obtained special recognition of the Password Hashing Competition (PHC), alongside of the winner Argon2.

    In addition to the default instantiations presented in the PHC submission, we want to use this document to introduce further variants of Catena, or rather, further instantiations of the Catena framework. Our instantiations use different hash functions, and we evaluate their influence on the computational time and the throughput. Next, we discuss how instantiations of the memory-hard graph-based algorithm influence the computational time and resistance against low-memory attacks. Furthermore, we introduce possible extensions of Catena accommodating strong resistance against GPU- and ASIC-based adversaries, e.g., by providing sequential memory-hardness due to a data-dependent indexing function. At the end, we combine particular instantiations discussed so far to construct full-fledged variants of Catena for certain goals. Hence, this document can be seen as an additional guide to the PHC submission of Catena when considering its usage under certain restrictions.


Catena Instantiations Password hashing competition 



We would like to thank S. Schmidt and H. Schilling for their work on the reference implementation of Catena as well as on the tool Catena-Variants, E. List for his helpful comments and fruitful discussions, and H. Schilling for his analysis of the underlying graph-based structures. Furthermore, we would like to thank the reviewers of the Passwords 2015 for their helpful comments.

Supplementary material


  1. 1.
    Alwen, J., Serbinenko, V.: High parallel complexity graphs and memory-hard functions. In: Proceedings of the Forty-Seventh Annual ACM on Symposium on Theory of Computing, STOC 2015, Portland, OR, USA, June 14–17, 2015, pp. 595–603 (2015)Google Scholar
  2. 2.
    Aumasson, J.-P.: Password Hashing Competition (2015). Accessed 3 September 2015
  3. 3.
    Aumasson, J.-P.: Password Hashing Competition - Candidates.
  4. 4.
    Aumasson, J.-P., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: Simpler, Smaller, Fast as MD5. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 119–135. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  5. 5.
    Bernstein, D.J.: Cache-timing attacks on AES (2005)Google Scholar
  6. 6.
    Biryukov, A., Dinu, D., Khovratovich, D.: Argon2. Password Hashing Competition, Winner (2015).
  7. 7.
    Biryukov, A., Khovratovich, D.: Tradeoff cryptanalysis of Catena. PHC mailing list: discussions@password-hashing.netGoogle Scholar
  8. 8.
    Biryukov, A., Khovratovich, D.: Tradeoff cryptanalysis of memory-hard functions. IACR Cryptol. ePrint Arch. 2015, 227 (2015)MathSciNetzbMATHGoogle Scholar
  9. 9.
    Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: 2012 IEEE Symposium on Security and Privacy, May 2012Google Scholar
  10. 10.
    Brent, R.P., Gaudry, P., Thomé, E., Zimmermann, P.: Faster Multiplication in GF(2) [x]. In: ANTS, pp. 153–166 (2008)Google Scholar
  11. 11.
    Cox, B.: TwoCats (and SkinnyCat): A Compute Time and Sequential Memory Hard Password Hashing Scheme (2014).
  12. 12.
    Forler, C., List, E., Lucks, S., Wenzel, J.: Overview of the candidates for the password hashing competition - and their resistance against garbage-collector attacks. IACR Cryptol. ePrint Arch. 2014, 881 (2014)Google Scholar
  13. 13.
    Forler, C., Lucks, S., Wenzel, J.: Catena: A Memory-Consuming Password Scrambler. Cryptology ePrint Archive, Report 2013/525 (2013).
  14. 14.
    Forler, Christian, Lucks, Stefan, Wenzel, Jakob: Memory-demanding password scrambling. In: Sarkar, Palash, Iwata, Tetsu (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 289–305. Springer, Heidelberg (2014)Google Scholar
  15. 15.
    Forler, C., Lucks, S., Wenzel, J.: The Catena Password-Scrambling Framework. Password Hashing Competition, 2nd round submission (2015).
  16. 16.
    funkysash. catena-variants (2015).
  17. 17.
    Gray, F.: Pulse Code Communication. Bell Telephone Labor Inc., New York (1953). US Patent 2,632,058,Google Scholar
  18. 18.
    Gueron, S., Kounavis, M.E.: Intel carry-less multiplication instruction and its usage for computing the GCM Mode - Rev 2.01. Intel White Paper. Technical report, Intel corporation, September 2012Google Scholar
  19. 19.
    Harris, B.: Replacement index function for data-independent schemes (Catena) (2015).
  20. 20.
    HPSchilling. catena-variants (2015).
  21. 21.
    Kaliski, B.: RFC 2898 - PKCS #5: Password-Based cryptography specification Version 2.0. Technical report, IETF (2000)Google Scholar
  22. 22.
    Lengauer, T., Tarjan, R.E.: Asymptotically tight bounds on time-space trade-offs in a pebble game. J. ACM 29(4), 1087–1130 (1982)MathSciNetCrossRefzbMATHGoogle Scholar
  23. 23.
    Lystad, T.A.: Leaked password lists and dictionaries - The Password Project. Accessed 16 May 2013
  24. 24.
    McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  25. 25.
    Percival, C.: Stronger Key Derivation via Sequential Memory-Hard Functions. presented at BSDCan 2009, May 2009Google Scholar
  26. 26.
    Peslyak, A.: yescrypt - a Password Hashing Competition submission (2015).
  27. 27.
    Pornin, T.: The MAKWA Password Hashing Function (2015).
  28. 28.
    Provos, N., Mazières, D.: A future-adaptable password scheme. In: USENIX Annual Technical Conference, FREENIX Track, pp. 81–91. USENIX (1999)Google Scholar
  29. 29.
    Shand, M., Bertin, P., Vuillemin, J.: Hardware speedups in long integer multiplication. In: SPAA, pp. 138–145 (1990)Google Scholar
  30. 30.
    Simplicio, M., Almeida, L., dos Santos, P., Barreto, P.: The Lyra2 reference guide. Password Hashing Competition, 2nd round submission (2015).
  31. 31.
    Soderquist, P., Leeser, M.: An area/performance comparison of subtractive and multiplicative divide/square root implementations. In: 12th Symposium on Computer Arithmetic ARITH-12 1995, July 19–21, 1995, Bath, England, UK, pp. 132–139 (1995)Google Scholar
  32. 32.
    Cox, B.: MultHash - A simple multiplication speed limited hash function (2014). (waywardgeek)

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.Bauhaus-Universität WeimarWeimarGermany

Personalised recommendations