Remove ads
Key derivative function From Wikipedia, the free encyclopedia
Lyra2 is a password hashing scheme (PHS) that can also function as a key derivation function (KDF). It gained recognition during the Password Hashing Competition in July 2015,[1] which was won by Argon2. It is also used in proof-of-work algorithms such as Lyra2REv2,[2] adopted by Vertcoin[3] and MonaCoin,[4] among other cryptocurrencies.[5]
This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages)
|
Lyra2 was designed by Marcos A. Simplicio Jr., Leonardo C. Almeida, Ewerton R. Andrade, Paulo C. F. dos Santos, and Paulo S. L. M. Barreto from Escola Politécnica da Universidade de São Paulo.[6] It is based on Lyra,[7][8] which had been created by the same team. Lyra2 includes:
In addition, it:[9]
Lyra2 is released into the public domain.[citation needed]
As any PHS, Lyra2 takes as input a salt and a password, creating a pseudorandom output that can then be used as key material for cryptographic algorithms or as an authentication string.[10][failed verification][citation needed]
Internally, the scheme's memory is organized as a matrix that is expected to remain in memory during the whole password hashing process. Since its cells are iteratively read and written, discarding a cell for saving memory leads to the need of recomputing it whenever it is accessed once again, until the point it was last modified.[5]
The construction and visitation of the matrix is done using a stateful combination of the absorbing, squeezing and duplexing operations of the underlying sponge (i.e., its internal state is never reset to zero), ensuring the sequential nature of the whole process.
Also, the number of times the matrix's cells are revisited after initialization is defined by the user, allowing Lyra2's execution time to be fine-tuned according to the target platform's resources.
The algorithm additionally enables parameterization in terms of:[11]
||
^
[+]
%
W
omega
>>>
rho
blen
H or H_i
H.absorb(input)
H.squeeze(len)
H.squeeze_{rho}(len)
H.duplexing(input,len)
H.duplexing_{rho}(input,len)
pad(string)
lsw(input)
len(string)
syncThreads()
swap(input1,input2)
C
P
P >= 1
and (m_cost/2) % P == 0
)** Bootstrapping phase: Initializes the sponge's state and local variables # Byte representation of input parameters (others can be added) params = outlen || len(password) || len(salt) || t_cost || m_cost || C # Initializes the sponge's state (after that, password can be overwritten) H.absorb( pad(password || salt || params) ) # Initializes visitation step, window and first rows that will feed gap = 1 stp = 1 wnd = 2 sqrt = 2 prev0 = 2 row1 = 1 prev1 = 0 ** Setup phase: Initializes a (m_cost x C) memory matrix, its cells having blen-byte cells # Initializes M[0], M[1] and M[2] for col = 0 to C-1 M[0][C-1-col] = H.squeeze_{rho}(blen) for col = 0 to C-1 M[1][C-1-col] = H.duplexing_{rho}( M[0][col], blen) for col = 0 to C-1 M[2][C-1-col] = H.duplexing_{rho}( M[1][col], blen) # Filling Loop: initializes remainder rows for row0 = 3 to m_cost-1 # Columns Loop: M[row0] is initialized and M[row1] is updated for col = 0 to C-1 rand = H.duplexing_{rho}( M[row1][col] [+] M[prev0][col] [+] M[prev1][col], blen) M[row0][C-1-col] = M[prev0][col] ^ rand M[row1][col] = M[row1][col] ^ ( rand >>> omega ) # Rows to be revisited in next loop prev0 = row0 prev1 = row1 row1 = (row1 + stp) % wnd # Window fully revisited if (row1 = 0) # Doubles window and adjusts step wnd = 2 * wnd stp = sqrt + gap gap = -gap # Doubles sqrt every other iteration if (gap = -1) sqrt = 2 * sqrt ** Wandering phase: Iteratively overwrites pseudorandom cells of the memory matrix # Visitation Loop: (2 * m_cost * t_cost) rows revisited in pseudorandom fashion for wCount = 0 to ( (m_cost * t_cost) - 1) # Picks pseudorandom rows row0 = lsw(rand) % m_cost row1 = lsw( rand >>> omega ) % m_cost # Columns Loop: updates both M[row0] and M[row1] for col = 0 to C-1 # Picks pseudorandom columns col0 = lsw( ( rand >>> omega ) >>> omega ) % C col1 = lsw( ( ( rand >>> omega ) >>> omega ) >>> omega ) % C rand = H.duplexing_{rho}( M[row0][col] [+] M[row1][col] [+] M[prev0][col0] [+] M[prev1][col1], blen) M[row0][col] = M[row0][col] ^ rand M[row1][col] = M[row1][col] ^ ( rand >>> omega ) # Next iteration revisits most recently updated rows prev0 = row0 prev1 = row1 ** Wrap-up phase: output computation # Absorbs a final column with a full-round sponge H.absorb( M[row0][0] ) # Squeezes outlen bits with a full-round sponge output = H.squeeze(outlen) # Provides outlen-long bitstring as output return output
for each i in [0..P] ** Bootstrapping phase: Initializes the sponge's state and local variables # Byte representation of input parameters (others can be added) params = outlen || len(password) || len(salt) || t_cost || m_cost || C || P || i # Initializes the sponge's state (after that, password can be overwritten) H_i.absorb( pad(password || salt || params) ) # Initializes visitation step, window and first rows that will feed gap = 1 stp = 1 wnd = 2 sqrt = 2 sync = 4 j = i prev0 = 2 rowP = 1 prevP = 0 ** Setup phase: Initializes a (m_cost x C) memory matrix, its cells having blen-byte cells # Initializes M_i[0], M_i[1] and M_i[2] for col = 0 to C-1 M_i[0][C-1-col] = H_i.squeeze_{rho}(blen) for col = 0 to C-1 M_i[1][C-1-col] = H_i.duplexing_{rho}( M_i[0][col], blen) for col = 0 to C-1 M_i[2][C-1-col] = H_i.duplexing_{rho}( M_i[1][col], blen) # Filling Loop: initializes remainder rows for row0 = 3 to ( (m_cost / P) - 1 ) # Columns Loop: M_i[row0] is initialized and M_j[row1] is updated for col = 0 to C-1 rand = H_i.duplexing_{rho}( M_j[rowP][col] [+] M_i[prev0][col] [+] M_j[prevP][col], blen) M_i[row0][C-1-col] = M_i[prev0][col] ^ rand M_j[rowP][col] = M_j[rowP][col] ^ ( rand >>> omega ) # Rows to be revisited in next loop prev0 = row0 prevP = rowP rowP = (rowP + stp) % wnd # Window fully revisited if (rowP = 0) # Doubles window and adjusts step wnd = 2 * wnd stp = sqrt + gap gap = -gap # Doubles sqrt every other iteration if (gap = -1) sqrt = 2 * sqrt # Synchronize point if (row0 = sync) sync = sync + (sqrt / 2) j = (j + 1) % P syncThreads() syncThreads() ** Wandering phase: Iteratively overwrites pseudorandom cells of the memory matrix wnd = m_cost / (2 * P) sync = sqrt off0 = 0 offP = wnd # Visitation Loop: (2 * m_cost * t_cost / P) rows revisited in pseudorandom fashion for wCount = 0 to ( ( (m_cost * t_cost) / P) - 1) # Picks pseudorandom rows and slices (j) row0 = off0 + (lsw(rand) % wnd) rowP = offP + (lsw( rand >>> omega ) % wnd) j = lsw( ( rand >>> omega ) >>> omega ) % P # Columns Loop: update M_i[row0] for col = 0 to C-1 # Picks pseudorandom column col0 = lsw( ( ( rand >>> omega ) >>> omega ) >>> omega ) % C rand = H_i.duplexing_{rho}( M_i[row0][col] [+] M_i[prev0][col0] [+] M_j[rowP][col], blen) M_i[row0][col] = M_i[row0][col] ^ rand # Next iteration revisits most recently updated rows prev0 = row0 # Synchronize point if (wCount = sync) sync = sync + sqrt swap(off0,offP) syncThreads() syncThreads() ** Wrap-up phase: output computation # Absorbs a final column with a full-round sponge H_i.absorb( M_i[row0][0] ) # Squeezes outlen bits with a full-round sponge output_i = H_i.squeeze(outlen) # Provides outlen-long bitstring as output return output_0 ^ ... ^ output_{P-1}
Against Lyra2, the processing cost of attacks using of the amount of memory employed by a legitimate user is expected to be between and , the latter being a better estimate for , instead of the achieved when the amount of memory is , where is a user-defined parameter to define a processing time.
This compares well to Scrypt, which displays a cost of when the memory usage is high,[12] and with other solutions in the literature, for which the results are usually .[7][13][14][15]
Nonetheless, in practice these solutions usually involve a value of (memory usage) lower than those attained with the Lyra2 for the same processing time.[16][17][18][19][20]
The processing time obtained with an SSE single-core implementation of Lyra2 is illustrated in the hereby shown figure. This figure was extracted from,[9] and is very similar to, third-party benchmarks performed during the PHC context.[16][17][18][19][20]
The results depicted correspond to the average execution time of Lyra2 configured with , , bits (i.e., the inner state has 256 bits), and different and settings, giving an overall idea of possible combinations of parameters and the corresponding usage of resources.
As shown in this figure, Lyra2 is able to execute in: less than 1 s while using up to 400 MB (with and ) or up to 1 GB of memory (with and ); or in less than 5 s with 1.6 GB (with and ).
All tests were performed on an Intel Xeon E5-2430 (2.20 GHz with 12 Cores, 64 bits) equipped with 48 GB of DRAM, running Ubuntu 14.04 LTS 64 bits, and the source code was compiled using GCC 4.9.2.[9]
Lyra offers two main extensions:[11]
Seamless Wikipedia browsing. On steroids.
Every time you click a link to Wikipedia, Wiktionary or Wikiquote in your browser's search results, it will show the modern Wikiwand interface.
Wikiwand extension is a five stars, simple, with minimum permission required to keep your browsing private, safe and transparent.