Skip to main content
SpringerLink
Log in
Book cover

International Conference on Information Security and Cryptology

Inscrypt 2014: Information Security and Cryptology pp 361–381Cite as

Rig: A Simple, Secure and Flexible Design for Password Hashing

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8957))

Abstract

Password Hashing, a technique commonly implemented by a server to protect passwords of clients, by performing a one-way transformation on the password, turning it into another string called the hashed password. In this paper, we introduce a secure password hashing framework Rig which is based on secure cryptographic hash functions. It provides the flexibility to choose different functions for different phases of the construction. The design of the scheme is very simple to implement in software and is flexible as the memory parameter is independent of time parameter (no actual time and memory trade-off) and is strictly sequential (difficult to parallelize) with comparatively huge memory consumption that provides strong resistance against attackers using multiple processing units. It supports client-independent updates, i.e., the server can increase the security parameters by updating the existing password hashes without knowing the password. Rig can also support the server relief protocol where the client bears the maximum effort to compute the password hash, while there is minimal effort at the server side. We analyze Rig and show that our proposal provides an exponential time complexity against the low-memory attack.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    The idea of using reduced-round Blake2b is inspired from [2, 5].

References

  1. Password Hashing Competition (PHC) (2014). https://password-hashing.net/index.html

  2. Almeida, L.C., Andrade, E.R., Barreto, P.S.L.M., Simplício, Jr., M.A.: Lyra: Password-Based Key Derivation with Tunable Memory and Processing Costs. IACR Cryptology ePrint Archive 2014:30 (2014)

    Google Scholar 

  3. Aumasson, J.-P., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: Simpler, smaller, fast as MD5. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 119–135. Springer, Heidelberg (2013)

    Google Scholar 

  4. Carvalho, C.: The gap between processor and memory speeds. In: Proceedings of IEEE International Conference on Control and Automation (2002)

    Google Scholar 

  5. Daemen, J., Rijmen, V.: A new MAC construction ALRED and a specific instance ALPHA-MAC. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 1–17. Springer, Heidelberg (2005)

    Google Scholar 

  6. Dürmuth, M., Güneysu, T., Kasper, M., Paar, C., Yalcin, T., Zimmermann, R.: Evaluation of standardized password-based key derivation against parallel processing platforms. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 716–733. Springer, Heidelberg (2012)

    Google Scholar 

  7. Forler, C., Lucks, S., Wenzel, J.: The Catena Password Scrambler, Submission to Password Hashing Competition (PHC) (2014)

    Google Scholar 

  8. Gray, J., Shenoy, P.: Rules of Thumb in Data Engineering. Technical Report, MS-TR-99-100, Microsoft Research, Advanced Technology Division. December 1999, Revised March 2000

    Google Scholar 

  9. Lengauer, T., Tarjan, R.E.: Upper and lower bounds on time-space tradeoffs. In: Proceedings of the 11h Annual ACM Symposium on Theory of Computing, April 30 – May 2, 1979, Atlanta, Georgia, USA, pp. 262–277 (1979)

    Google Scholar 

  10. Burr, W., Turan, M.S., Barker, E., Chen, L.: NIST: Special Publication 800–132, Recommendation for Password-Based Key Derivation. Computer Security Division Information Technology Laboratory. http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf

  11. Percival, C.: Stronger key derivation via sequential memory-hard functions. In: BSDCon (2009). http://www.bsdcan.org/2009/schedule/attachments/87_scrypt.pdf

  12. Provos, N., Mazières, D.: A future-adaptable password scheme. In: USENIX Annual Technical Conference, FREENIX Track, pp. 81–91. USENIX (1999)

    Google Scholar 

  13. Schaller, R.R.: Moore’s law: past, present, and future. IEEE Spectrum, June 1997

    Google Scholar 

Download references

Acknowledgments

We would like to thank the anonymous reviewers of Inscrypt and the contributors to the PHC mailing list (specially Bill Cox) whose comments helped improve the paper significantly.

Author information

Authors and Affiliations

  1. Indraprastha Institute of Information Technology, Delhi (IIIT-D), Delhi, India

    Donghoon Chang, Arpan Jati, Sweta Mishra & Somitra Kumar Sanadhya

Authors
  1. Donghoon Chang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Arpan Jati
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Sweta Mishra
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Somitra Kumar Sanadhya
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Sweta Mishra .

Editor information

Editors and Affiliations

  1. SKLOIS, Institute of Engineering, Chinese Academy of Sciences, Beijing, China

    Dongdai Lin

  2. Computer Science Department, Columbia University, New York, New York, USA

    Moti Yung

  3. Infocomm Security Department, Institute for Infocomm Research, Singapore, Singapore

    Jianying Zhou

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Chang, D., Jati, A., Mishra, S., Sanadhya, S.K. (2015). Rig: A Simple, Secure and Flexible Design for Password Hashing. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science(), vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_20

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-16745-9_20

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16744-2

  • Online ISBN: 978-3-319-16745-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation