Lyra2
Lyra2 is a password hashing scheme that can also work as a key derivation function. It received a special recognition during the Password Hashing Competition in July 2015., which was won by Argon2. Besides being used for its original purposes, it is also in the core of proof-of-work algorithms such as Lyra2REv2, adopted by Vertcoin, MonaCoin, among other cryptocurrencies
Lyra2 was designed by Marcos A. Simplicio Jr., Leonardo C. Almeida, Ewerton R. Andrade, Paulo C. F. dos Santos, and Paulo S. L. M. Barreto from Escola Politécnica da Universidade de São Paulo.. It is an improvement over Lyra, previously proposed by the same authors. Lyra2 preserves the security, efficiency and flexibility of its predecessor, including: the ability to configure the desired amount of memory, processing time and parallelism to be used by the algorithm; and the capacity of providing a high memory usage with a processing time similar to that obtained with scrypt. In addition, it brings the following improvements when compared to its predecessor:
- it allows a higher security level against attack venues involving time-memory trade-offs
- it allows legitimate users to benefit more effectively from the parallelism capabilities of their own platforms
- it includes tweaks for increasing the costs involved in the construction of dedicated hardware to attack the algorithm
- it balances resistance against side-channel threats and attacks relying on cheaper storage devices
- Lyra2 is released under public domain, and provides two main extensions:
- Lyra2-δ, gives the user better control over the algorithm's bandwidth usage
- Lyra2p, takes advantage of parallelism capabilities on the legitimate user's platform
- execution time
- memory required
- degree of parallelism
- underlying permutation function
- number of blocks used by the underlying permutation function
- number of rounds performed for the underlying permutation function
- number of bits to be used in rotations
- output length
Strengths
- High resistance against processing-memory tradeoffs: estimated processing costs of attacks with low memory usage involve a factor that grows exponentially with time cost due to recomputations
- Memory and time costs can be decoupled, allowing the resources' usage to be fine-tuned
- Fast due to use of reduced-round sponge function in the algorithm's core
- Can provide outputs of any desired length, behaving as a key derivation function
- Design combines resistance to side-channel attacks and to attacks involving cheap memory devices, aiming to balance such conflicting requirements
- Considers a wide range of configurations for protecting against attacking platforms while optimizing execution on legitimate platform, such as:
- *Support for parallelism, for multi-core platforms, without giving much advantage to GPU-based attacks
- *Capability of using different underlying sponge functions depending on the target platform
- *Ability to raise the algorithm's memory bandwidth usage
Design
Internally, the scheme's memory is organized as a matrix that is expected to remain in memory during the whole password hashing process: since its cells are iteratively read and written, discarding a cell for saving memory leads to the need of recomputing it whenever it is accessed once again, until the point it was last modified.
The construction and visitation of the matrix is done using a stateful combination of the absorbing, squeezing and duplexing operations of the underlying sponge, ensuring the sequential nature of the whole process.
Also, the number of times the matrix's cells are revisited after initialization is defined by the user, allowing Lyra2's execution time to be fine-tuned according to the target platform's resources.
- *** Functions/symbols ***
- || Concatenate two strings
- ^ Bitwise XOR
- Wordwise add operation
- % Modulus
- W The target machine's word size
- omega Number of bits to be used in rotations
- >>> Right rotation
- rho Number of rounds for reduced squeeze or duplexing operations
- blen Sponge's block size in bytes
- H or H_i Sponge with block size blen and underlying permutation f
- H.absorb Sponge's absorb operation on input
- H.squeeze Sponge's squeeze operation of len bytes
- H.squeeze_ Sponge's squeeze operation of len bytes using rho rounds of f
- H.duplexing Sponge's duplexing operation on input, producing len bytes
- H.duplexing_ Sponge's duplexing operation on input, using rho rounds of f, producing len bytes
- pad Pads a string to a multiple of blen bytes
- lsw The least significant word of input
- len Length of a string, in bytes
- syncThreads Synchronize parallel threads
- swap Swap the value of two inputs
- C Number of columns on the memory matrix
- P Degree of parallelism
- *** Inputs ***
- password
- salt
- t_cost
- m_cost
- outlen
- *** Algorithm without parallelism ***
- ** Bootstrapping phase: Initializes the sponge's state and local variables
- Byte representation of input parameters
- Initializes the sponge's state
- Initializes visitation step, window and first rows that will feed
stp = 1
wnd = 2
sqrt = 2
prev0 = 2
row1 = 1
prev1 = 0
- ** Setup phase: Initializes a memory matrix, its cells having blen-byte cells
- Initializes M, M and M
M = H.squeeze_
for col = 0 to C-1
M = H.duplexing_
for col = 0 to C-1
M = H.duplexing_
- Filling Loop: initializes remainder rows
# Columns Loop: M is initialized and M is updated
for col = 0 to C-1
rand = H.duplexing_
M = M ^ rand
M = M ^
# Rows to be revisited in next loop
prev0 = row0
prev1 = row1
row1 = % wnd
# Window fully revisited
if
# Doubles window and adjusts step
wnd = 2 * wnd
stp = sqrt + gap
gap = -gap
# Doubles sqrt every other iteration
if
sqrt = 2 * sqrt
- ** Wandering phase: Iteratively overwrites pseudorandom cells of the memory matrix
- Visitation Loop: rows revisited in pseudorandom fashion
# Picks pseudorandom rows
row0 = lsw % m_cost
row1 = lsw % m_cost
# Columns Loop: updates both M and M
for col = 0 to C-1
# Picks pseudorandom columns
col0 = lsw % C
col1 = lsw % C
rand = H.duplexing_
M = M ^ rand
M = M ^
# Next iteration revisits most recently updated rows
prev0 = row0
prev1 = row1
- ** Wrap-up phase: output computation
- Absorbs a final column with a full-round sponge
- Squeezes outlen bits with a full-round sponge
- Provides outlen-long bitstring as output
- *** Algorithm with parallelism ***
for col = 0 to C-1
M_i = H_i.squeeze_
for col = 0 to C-1
M_i = H_i.duplexing_
for col = 0 to C-1
M_i = H_i.duplexing_
# Filling Loop: initializes remainder rows
for row0 = 3 to
# Columns Loop: M_i is initialized and M_j is updated
for col = 0 to C-1
rand = H_i.duplexing_
M_i = M_i ^ rand
M_j = M_j ^
# Rows to be revisited in next loop
prev0 = row0
prevP = rowP
rowP = % wnd
# Window fully revisited
if
# Doubles window and adjusts step
wnd = 2 * wnd
stp = sqrt + gap
gap = -gap
# Doubles sqrt every other iteration
if
sqrt = 2 * sqrt
# Synchronize point
if
sync = sync +
j = % P
syncThreads
syncThreads
# ** Wandering phase: Iteratively overwrites pseudorandom cells of the memory matrix
wnd = m_cost /
sync = sqrt
off0 = 0
offP = wnd
# Visitation Loop: rows revisited in pseudorandom fashion
for wCount = 0 to
# Picks pseudorandom rows and slices
row0 = off0 +
rowP = offP +
j = lsw % P
# Columns Loop: update M_i
for col = 0 to C-1
# Picks pseudorandom column
col0 = lsw % C
rand = H_i.duplexing_
M_i = M_i ^ rand
# Next iteration revisits most recently updated rows
prev0 = row0
# Synchronize point
if
sync = sync + sqrt
swap
syncThreads
syncThreads
# ** Wrap-up phase: output computation
# Absorbs a final column with a full-round sponge
H_i.absorb
# Squeezes outlen bits with a full-round sponge
output_i = H_i.squeeze
- Provides outlen-long bitstring as output
Security analysis
Against Lyra2, the processing cost of attacks using of the amount of memory employed by a legitimate user is expected to be between and, the latter being a better estimate for, instead of the achieved when the amount of memory is, where is a user-defined parameter to define a processing time.This compares well to scrypt, which displays a cost of when the memory usage is, and with other solutions in the literature, for which the results are usually.
Nonetheless, in practice these solutions usually involve a value of lower than those attained with the Lyra2 for the same processing time.
Performance
The processing time obtained with a SSE single-core implementation of Lyra2 are illustrated in the hereby shown figure. This figure was extracted from, and is very similar of third-party benchmarks performed during the PHC context.The results depicted correspond to the average execution time of Lyra2 configured with,, bits, and different and settings, giving an overall idea of possible combinations of parameters and the corresponding usage of resources.
As shown in this figure, Lyra2 is able to execute in: less than 1 s while using up to 400 MB or up to 1 GB of memory ; or in less than 5 s with 1.6 GB.
All tests were performed on an Intel Xeon E5-2430 equipped with 48 GB of DRAM, running Ubuntu 14.04 LTS 64 bits, and the source code was compiled using gcc 4.9.2.