A Memory-Hard Function for Password Hashing and Key Derivation

  • Charles F. de Barros UFSJ


Key derivation and password scrambling are crucial procedures in cryptographic applications, and the security of these methods against brute-force attacks is a critical concern in face of the increasing computational power available to perform these attacks. This paper proposes a candidate memory-hard function for password scrambling and key derivation, based on some design principles such as flexibility, variable-length output, adjustable parametrization to achieve high cache miss rates and dynamic update of the internal buffer.


Almeida, L. C., Andrade, E. R., Barreto, P. S. L. M., and Jr., M. A. S. (2014). Lyra: Password-based key derivation with tunable memory and processing costs. Cryptology ePrint Archive, Paper 2014/030. https://eprint.iacr.org/2014/030.

Blocki, J., Ren, L., and Zhou, S. (2018). Bandwidth-hard functions: Reductions and lower bounds. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS ’18, pages 1820–1836, New York, NY, USA. Association for Computing Machinery.

Boneh, D., Corrigan-Gibbs, H., and Schechter, S. (2016). Balloon hashing: A memory-hard function providing provable protection against sequential attacks. In Cheon, J. H. and Takagi, T., editors, Advances in Cryptology – ASIACRYPT 2016, pages 220–248, Berlin, Heidelberg. Springer Berlin Heidelberg.

Dandass, Y. S. (2008). Using FPGAs to parallelize dictionary attacks for password cracking. In Proceedings of the 41st Annual Hawaii International Conference on System Sciences (HICSS 2008), pages 485–485.

Forler, C., Lucks, S., and Wenzel, J. (2013). Catena: A memory-consuming password-scrambling framework. Cryptology ePrint Archive, Paper 2013/525. https://eprint.iacr.org/2013/525.

Hansen, T. and 3rd, D. E. E. (2006). US Secure Hash Algorithms (SHA and HMAC-SHA). RFC 4634.

Hellman, M. (1980). A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory, 26(4):401–406.

Josefsson, S. (2011). PKCS 5: Password-Based Key Derivation Function 2 (PBKDF2) Test Vectors. RFC 6070.

Jr., M. A. S., Almeida, L. C., Andrade, E. R., dos Santos, P. C. F., and Barreto, P. S. L. M. (2015). Lyra2: Efficient password hashing with high security against time-memory trade-offs. Cryptology ePrint Archive, Paper 2015/136. https://eprint.iacr.org/2015/136.

Kini, N. G., Paleppady, R., and Naik, A. K. (2015). Password cracking on graphics processing unit based systems. International Journal of Humanities and Social Sciences, 9(12):2442 – 2445.

Percival, C. and Josefsson, S. (2016). RFC 7914: The scrypt password-based key derivation function.
BARROS, Charles F. de. A Memory-Hard Function for Password Hashing and Key Derivation. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 23. , 2023, Juiz de Fora/MG. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2023 . p. 522-527. DOI: https://doi.org/10.5753/sbseg.2023.232827.