Paper 2015/009

Rig: A simple, secure and flexible design for Password Hashing

Donghoon Chang, Arpan Jati, Sweta Mishra, and Somitra Kumar Sanadhya

Abstract

Password hashing is a technique commonly implemented by a server to protect the passwords of clients by performing a one-way transformation on the password, turning it into another string called the hashed password. In this paper, we introduce a secure password hashing framework, Rig, which is based on secure cryptographic hash functions. It provides the flexibility to choose different functions for different phases of the construction. The design of the scheme is very simple to implement in software and is flexible, as the memory parameter is independent of the time parameter (no actual time and memory trade-off), and is strictly sequential (difficult to parallelize) with comparatively huge memory consumption that provides strong resistance against attackers using multiple processing units. It supports client-independent updates, i.e., the server can increase the security parameters by updating the existing password hashes without knowing the password. Rig can also support the server relief protocol, where the client bears the maximum effort to compute the password hash, while there is minimal effort at the server side. We analyze Rig and show that our proposal provides an exponential time complexity against the low-memory attack.

Note: While filling in the form there was a typo in the title of the paper. It was showing 'exible' in place of 'flexible'.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Minor revision. Inscrypt 2014 Conference
Keywords
Password, Password hashing, GPU attack, Cache-timing attack, Client-independent update, Server-relief technique
Contact author(s)
swetam @ iiitd ac in
History
2015-01-07: revised
2015-01-07: received
Short URL
https://ia.cr/2015/009
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2015/009,
      author = {Donghoon Chang and Arpan Jati and Sweta Mishra and Somitra Kumar Sanadhya},
      title = {Rig: A simple, secure and flexible design for Password Hashing},
      howpublished = {Cryptology {ePrint} Archive, Paper 2015/009},
      year = {2015},
      url = {https://eprint.iacr.org/2015/009}
}