Message-ID: <CAGiyFdcYfXcoRVaMk9v8hhPYQ0g47MtwqY2JDQjtGj4kBDV0+w@mail.gmail.com>
Date: Mon, 23 Mar 2015 15:07:34 +0100
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com>
To: discussions@...sword-hashing.net
Subject: PHC: survey and benchmarks

This just appeared: http://eprint.iacr.org/2015/265

Abstract:
Password hashing is the common approach for maintaining users'
password-related information that is later used for authentication. A
hash for each password is calculated and maintained at the service
provider end. When a user logs in to the service, the hash of the given
password is computed and contrasted with the stored hash. If the two
hashes match, the authentication is successful. However, in many cases
the passwords are just hashed by a cryptographic hash function or even
stored in clear. These poor password protection practices have led to
efficient attacks that expose the users' passwords. PBKDF2 is the only
standardized construction for password hashing. Other widely used
primitives are bcrypt and scrypt. The low variety of methods drove
the international cryptographic community to conduct the Password
Hashing Competition (PHC). The competition aims to identify new
password hashing schemes suitable for widespread adoption. It started
in 2013 with 22 active submissions. Nine finalists are announced
during 2014. In 2015, a small portfolio of schemes will be proposed.
This paper provides the first survey and benchmark analysis of the 22
proposals. All proposals are evaluated on the same platform over a
common benchmark suite. We measure the execution time, code size and
memory consumption of PBKDF2, bcrypt, scrypt, and the 22 PHC schemes.
The first round results are summarized along with a benchmark analysis
that is focused on the nine finalists and contributes to the final
selection of the winners.