RiffleScrambler - a memory-hard password storing function
We introduce RiffleScrambler: a new family of directed acyclic graphs and a
corresponding data-independent memory hard function with password independent
memory access. We prove its memory hardness in the random oracle model.
RiffleScrambler is similar to Catena -- updates of hashes are determined by a
graph (bit-reversal or double-butterfly graph in Catena). The advantage of the
RiffleScrambler over Catena is that the underlying graphs are not predefined
but are generated per salt, as in Balloon Hashing. Such an approach leads to
higher immunity against practical parallel attacks. RiffleScrambler offers
better efficiency than Balloon Hashing since the in-degree of the underlying
graph is equal to 3 (and is much smaller than in Balloon Hashing). At the same
time, because the underlying graph is an instance of a Superconcentrator, our
construction achieves the same time-memory trade-offs.
Comment: Accepted to ESORICS 201
Navigating in the Cayley graph of and applications to hashing
Cayley hash functions are based on a simple idea of using a pair of
(semi)group elements, and , to hash the 0 and 1 bit, respectively, and
then to hash an arbitrary bit string in the natural way, by using
multiplication of elements in the (semi)group. In this paper, we focus on
hashing with matrices over . Since there are many known pairs
of matrices over that generate a free monoid, this yields
numerous pairs of matrices over , for a sufficiently large prime , that
are candidates for collision-resistant hashing. However, this trick can
"backfire", and lifting matrix entries to may facilitate finding a
collision. This "lifting attack" was successfully used by Tillich and Zémor
in the special case where two matrices and generate (as a monoid) the
whole monoid . However, in this paper we show that the situation
with other, "similar", pairs of matrices from is different, and the
"lifting attack" can (in some cases) produce collisions in the group generated
by and , but not in the positive monoid. Therefore, we argue that for
these pairs of matrices, there are no known attacks at this time that would
affect security of the corresponding hash functions. We also give explicit
lower bounds on the length of collisions for hash functions corresponding to
some particular pairs of matrices from .
Comment: 10 page