RiffleScrambler - a memory-hard password storing function
This work addresses security vulnerabilities in password storage for systems requiring resistance to parallel attacks, representing an incremental improvement over prior functions like Catena and Balloon Hashing.
The authors tackled the problem of designing a memory-hard password storing function by introducing RiffleScrambler, which uses salt-generated directed acyclic graphs to achieve higher immunity against parallel attacks and better efficiency than existing methods like Balloon Hashing, with proven memory hardness in the random oracle model.
We introduce RiffleScrambler: a new family of directed acyclic graphs and a corresponding data-independent memory hard function with password independent memory access. We prove its memory hardness in the random oracle model. RiffleScrambler is similar to Catena -- updates of hashes are determined by a graph (bit-reversal or double-butterfly graph in Catena). The advantage of the RiffleScrambler over Catena is that the underlying graphs are not predefined but are generated per salt, as in Balloon Hashing. Such an approach leads to higher immunity against practical parallel attacks. RiffleScrambler offers better efficiency than Balloon Hashing since the in-degree of the underlying graph is equal to 3 (and is much smaller than in Ballon Hashing). At the same time, because the underlying graph is an instance of a Superconcentrator, our construction achieves the same time-memory trade-offs.