Visible to the public CRII: SaTC: Towards the Development of Stronger Memory-Hard Functions for Secure Password HashingConflict Detection Enabled

Project Details

Performance Period

Aug 01, 2018 - Jul 31, 2020


Purdue University


National Science Foundation

Award Number

Recent data breaches have exposed billions of user passwords to the dangerous threat of an offline password attacker who attempts to guess each user's password by brute force. Because an offline attacker can validate each password guess by itself using stolen password hashes from a data breach it is not possible to "lock out" an offline attacker after several incorrect guesses. The attacker is limited only by the computational resources necessary to mount a brute-force attack. To mitigate the risk of an offline attack the goal of a secure password hashing algorithm is to ensure that a brute force attack is prohibitively expensive even if the attacker has access to customized hardware such as an Application Specific Integrated Circuit (ASIC) that is optimized for password cracking. Memory hard functions (MHFs), functions whose computation require a large amount of memory, are a crucial cryptographic tool to achieve this goal since memory is expensive even on an ASIC. This project advances scientific understanding of memory hard functions and will directly impact future cryptographic standards for password hashing.

The project is developing improved cryptanalysis techniques to evaluate the security of an MHF resulting in a deeper understanding of currently deployed MHFs. A main goal of this work is to design practical constructions of MHFs with provably optimal memory hardness in terms of bandwidth hardness, sustained space complexity, and amortized area-time complexity. Furthermore, the project focuses on establishing a scientific basis for tuning the parameters of an MHF to ensure that brute-force attacks are prohibitively expensive.