This article has multiple issues. Please help improve it or discuss these issues on the talk page . (Learn how and when to remove these template messages)
|
Lyra2 is a password hashing scheme (PHS) that can also function as a key derivation function (KDF). It gained recognition during the Password Hashing Competition in July 2015, [1] which was won by Argon2. It is also used in proof-of-work algorithms such as Lyra2REv2, [2] adopted by Vertcoin [3] and MonaCoin, [4] among other cryptocurrencies. [5]
Lyra2 was designed by Marcos A. Simplicio Jr., Leonardo C. Almeida, Ewerton R. Andrade, Paulo C. F. dos Santos, and Paulo S. L. M. Barreto from Escola Politécnica da Universidade de São Paulo. [6] It is based on Lyra, [7] [8] which had been created by the same team. Lyra2 includes:
In addition, it: [9]
Lyra2 is released into the public domain][ citation needed ].
As any PHS, Lyra2 takes as input a salt and a password, creating a pseudorandom output that can then be used as key material for cryptographic algorithms or as an authentication string. [10] [ failed verification ][ citation needed ]
Internally, the scheme's memory is organized as a matrix that is expected to remain in memory during the whole password hashing process. Since its cells are iteratively read and written, discarding a cell for saving memory leads to the need of recomputing it whenever it is accessed once again, until the point it was last modified. [5]
The construction and visitation of the matrix is done using a stateful combination of the absorbing, squeezing and duplexing operations of the underlying sponge (i.e., its internal state is never reset to zero), ensuring the sequential nature of the whole process.
Also, the number of times the matrix's cells are revisited after initialization is defined by the user, allowing Lyra2's execution time to be fine-tuned according to the target platform's resources.
The algorithm additionally enables parameterization in terms of: [11]
||
^
[+]
%
W
omega
>>>
rho
blen
H or H_i
H.absorb(input)
H.squeeze(len)
H.squeeze_{rho}(len)
H.duplexing(input,len)
H.duplexing_{rho}(input,len)
pad(string)
lsw(input)
len(string)
syncThreads()
swap(input1,input2)
C
P
P >= 1
and (m_cost/2) % P == 0
)** Bootstrapping phase: Initializes the sponge's state and local variables # Byte representation of input parameters (others can be added) params = outlen || len(password) || len(salt) || t_cost || m_cost || C # Initializes the sponge's state (after that, password can be overwritten) H.absorb( pad(password || salt || params) ) # Initializes visitation step, window and first rows that will feed gap = 1 stp = 1 wnd = 2 sqrt = 2 prev0 = 2 row1 = 1 prev1 = 0 ** Setup phase: Initializes a (m_cost x C) memory matrix, its cells having blen-byte cells # Initializes M[0], M[1] and M[2] for col = 0 to C-1 M[0][C-1-col] = H.squeeze_{rho}(blen) for col = 0 to C-1 M[1][C-1-col] = H.duplexing_{rho}( M[0][col], blen) for col = 0 to C-1 M[2][C-1-col] = H.duplexing_{rho}( M[1][col], blen) # Filling Loop: initializes remainder rows for row0 = 3 to m_cost-1 # Columns Loop: M[row0] is initialized and M[row1] is updated for col = 0 to C-1 rand = H.duplexing_{rho}( M[row1][col] [+] M[prev0][col] [+] M[prev1][col], blen) M[row0][C-1-col] = M[prev0][col] ^ rand M[row1][col] = M[row1][col] ^ ( rand >>> omega ) # Rows to be revisited in next loop prev0 = row0 prev1 = row1 row1 = (row1 + stp) % wnd # Window fully revisited if (row1 = 0) # Doubles window and adjusts step wnd = 2 * wnd stp = sqrt + gap gap = -gap # Doubles sqrt every other iteration if (gap = -1) sqrt = 2 * sqrt ** Wandering phase: Iteratively overwrites pseudorandom cells of the memory matrix # Visitation Loop: (2 * m_cost * t_cost) rows revisited in pseudorandom fashion for wCount = 0 to ( (m_cost * t_cost) - 1) # Picks pseudorandom rows row0 = lsw(rand) % m_cost row1 = lsw( rand >>> omega ) % m_cost # Columns Loop: updates both M[row0] and M[row1] for col = 0 to C-1 # Picks pseudorandom columns col0 = lsw( ( rand >>> omega ) >>> omega ) % C col1 = lsw( ( ( rand >>> omega ) >>> omega ) >>> omega ) % C rand = H.duplexing_{rho}( M[row0][col] [+] M[row1][col] [+] M[prev0][col0] [+] M[prev1][col1], blen) M[row0][col] = M[row0][col] ^ rand M[row1][col] = M[row1][col] ^ ( rand >>> omega ) # Next iteration revisits most recently updated rows prev0 = row0 prev1 = row1 ** Wrap-up phase: output computation # Absorbs a final column with a full-round sponge H.absorb( M[row0][0] ) # Squeezes outlen bits with a full-round sponge output = H.squeeze(outlen) # Provides outlen-long bitstring as output return output
for each i in [0..P] ** Bootstrapping phase: Initializes the sponge's state and local variables # Byte representation of input parameters (others can be added) params = outlen || len(password) || len(salt) || t_cost || m_cost || C || P || i # Initializes the sponge's state (after that, password can be overwritten) H_i.absorb( pad(password || salt || params) ) # Initializes visitation step, window and first rows that will feed gap = 1 stp = 1 wnd = 2 sqrt = 2 sync = 4 j = i prev0 = 2 rowP = 1 prevP = 0 ** Setup phase: Initializes a (m_cost x C) memory matrix, its cells having blen-byte cells # Initializes M_i[0], M_i[1] and M_i[2] for col = 0 to C-1 M_i[0][C-1-col] = H_i.squeeze_{rho}(blen) for col = 0 to C-1 M_i[1][C-1-col] = H_i.duplexing_{rho}( M_i[0][col], blen) for col = 0 to C-1 M_i[2][C-1-col] = H_i.duplexing_{rho}( M_i[1][col], blen) # Filling Loop: initializes remainder rows for row0 = 3 to ( (m_cost / P) - 1 ) # Columns Loop: M_i[row0] is initialized and M_j[row1] is updated for col = 0 to C-1 rand = H_i.duplexing_{rho}( M_j[rowP][col] [+] M_i[prev0][col] [+] M_j[prevP][col], blen) M_i[row0][C-1-col] = M_i[prev0][col] ^ rand M_j[rowP][col] = M_j[rowP][col] ^ ( rand >>> omega ) # Rows to be revisited in next loop prev0 = row0 prevP = rowP rowP = (rowP + stp) % wnd # Window fully revisited if (rowP = 0) # Doubles window and adjusts step wnd = 2 * wnd stp = sqrt + gap gap = -gap # Doubles sqrt every other iteration if (gap = -1) sqrt = 2 * sqrt # Synchronize point if (row0 = sync) sync = sync + (sqrt / 2) j = (j + 1) % P syncThreads() syncThreads() ** Wandering phase: Iteratively overwrites pseudorandom cells of the memory matrix wnd = m_cost / (2 * P) sync = sqrt off0 = 0 offP = wnd # Visitation Loop: (2 * m_cost * t_cost / P) rows revisited in pseudorandom fashion for wCount = 0 to ( ( (m_cost * t_cost) / P) - 1) # Picks pseudorandom rows and slices (j) row0 = off0 + (lsw(rand) % wnd) rowP = offP + (lsw( rand >>> omega ) % wnd) j = lsw( ( rand >>> omega ) >>> omega ) % P # Columns Loop: update M_i[row0] for col = 0 to C-1 # Picks pseudorandom column col0 = lsw( ( ( rand >>> omega ) >>> omega ) >>> omega ) % C rand = H_i.duplexing_{rho}( M_i[row0][col] [+] M_i[prev0][col0] [+] M_j[rowP][col], blen) M_i[row0][col] = M_i[row0][col] ^ rand # Next iteration revisits most recently updated rows prev0 = row0 # Synchronize point if (wCount = sync) sync = sync + sqrt swap(off0,offP) syncThreads() syncThreads() ** Wrap-up phase: output computation # Absorbs a final column with a full-round sponge H_i.absorb( M_i[row0][0] ) # Squeezes outlen bits with a full-round sponge output_i = H_i.squeeze(outlen) # Provides outlen-long bitstring as output return output_0 ^ ... ^ output_{P-1}
Against Lyra2, the processing cost of attacks using of the amount of memory employed by a legitimate user is expected to be between and , the latter being a better estimate for , instead of the achieved when the amount of memory is , where is a user-defined parameter to define a processing time.
This compares well to Scrypt, which displays a cost of when the memory usage is high, [12] and with other solutions in the literature, for which the results are usually . [7] [13] [14] [15]
Nonetheless, in practice these solutions usually involve a value of (memory usage) lower than those attained with the Lyra2 for the same processing time. [16] [17] [18] [19] [20]
The processing time obtained with an SSE single-core implementation of Lyra2 is illustrated in the hereby shown figure. This figure was extracted from, [9] and is very similar to, third-party benchmarks performed during the PHC context. [16] [17] [18] [19] [20]
The results depicted correspond to the average execution time of Lyra2 configured with , , bits (i.e., the inner state has 256 bits), and different and settings, giving an overall idea of possible combinations of parameters and the corresponding usage of resources.
As shown in this figure, Lyra2 is able to execute in: less than 1 s while using up to 400 MB (with and ) or up to 1 GB of memory (with and ); or in less than 5 s with 1.6 GB (with and ).
All tests were performed on an Intel Xeon E5-2430 (2.20 GHz with 12 Cores, 64 bits) equipped with 48 GB of DRAM, running Ubuntu 14.04 LTS 64 bits, and the source code was compiled using GCC 4.9.2. [9]
Lyra offers two main extensions: [11]
In electromagnetism, skin effect is the tendency of an alternating electric current (AC) to become distributed within a conductor such that the current density is largest near the surface of the conductor and decreases exponentially with greater depths in the conductor. It is caused by opposing eddy currents induced by the changing magnetic field resulting from the alternating current. The electric current flows mainly at the skin of the conductor, between the outer surface and a level called the skin depth.
Plasma oscillations, also known as Langmuir waves, are rapid oscillations of the electron density in conducting media such as plasmas or metals in the ultraviolet region. The oscillations can be described as an instability in the dielectric function of a free electron gas. The frequency depends only weakly on the wavelength of the oscillation. The quasiparticle resulting from the quantization of these oscillations is the plasmon.
The Friedmann equations, also known as the Friedmann–Lemaître (FL) equations, are a set of equations in physical cosmology that govern the expansion of space in homogeneous and isotropic models of the universe within the context of general relativity. They were first derived by Alexander Friedmann in 1922 from Einstein's field equations of gravitation for the Friedmann–Lemaître–Robertson–Walker metric and a perfect fluid with a given mass density ρ and pressure p. The equations for negative spatial curvature were given by Friedmann in 1924.
The Kerr–Newman metric describes the spacetime geometry around a mass which is electrically charged and rotating. It is a vacuum solution which generalizes the Kerr metric by additionally taking into account the energy of an electromagnetic field, making it the most general asymptotically flat and stationary solution of the Einstein–Maxwell equations in general relativity. As an electrovacuum solution, it only includes those charges associated with the magnetic field; it does not include any free electric charges.
In seismology and other areas involving elastic waves, S waves, secondary waves, or shear waves are a type of elastic wave and are one of the two main types of elastic body waves, so named because they move through the body of an object, unlike surface waves.
In mathematics, the Eisenstein integers, occasionally also known as Eulerian integers, are the complex numbers of the form
In the mathematical description of general relativity, the Boyer–Lindquist coordinates are a generalization of the coordinates used for the metric of a Schwarzschild black hole that can be used to express the metric of a Kerr black hole.
The Kuramoto model, first proposed by Yoshiki Kuramoto, is a mathematical model used in describing synchronization. More specifically, it is a model for the behavior of a large set of coupled oscillators. Its formulation was motivated by the behavior of systems of chemical and biological oscillators, and it has found widespread applications in areas such as neuroscience and oscillating flame dynamics. Kuramoto was quite surprised when the behavior of some physical systems, namely coupled arrays of Josephson junctions, followed his model.
LOCC, or local operations and classical communication, is a method in quantum information theory where a local (product) operation is performed on part of the system, and where the result of that operation is "communicated" classically to another part where usually another local operation is performed conditioned on the information received.
A Maclaurin spheroid is an oblate spheroid which arises when a self-gravitating fluid body of uniform density rotates with a constant angular velocity. This spheroid is named after the Scottish mathematician Colin Maclaurin, who formulated it for the shape of Earth in 1742. In fact the figure of the Earth is far less oblate than Maclaurin's formula suggests, since the Earth is not homogeneous, but has a dense iron core. The Maclaurin spheroid is considered to be the simplest model of rotating ellipsoidal figures in hydrostatic equilibrium since it assumes uniform density.
In mathematics, the generalized minimal residual method (GMRES) is an iterative method for the numerical solution of an indefinite nonsymmetric system of linear equations. The method approximates the solution by the vector in a Krylov subspace with minimal residual. The Arnoldi iteration is used to find this vector.
In quantum mechanics, notably in quantum information theory, fidelity quantifies the "closeness" between two density matrices. It expresses the probability that one state will pass a test to identify as the other. It is not a metric on the space of density matrices, but it can be used to define the Bures metric on this space.
In probability theory and statistics, partial correlation measures the degree of association between two random variables, with the effect of a set of controlling random variables removed. When determining the numerical relationship between two variables of interest, using their correlation coefficient will give misleading results if there is another confounding variable that is numerically related to both variables of interest. This misleading information can be avoided by controlling for the confounding variable, which is done by computing the partial correlation coefficient. This is precisely the motivation for including other right-side variables in a multiple regression; but while multiple regression gives unbiased results for the effect size, it does not give a numerical value of a measure of the strength of the relationship between the two variables of interest.
A hydrogen-like atom (or hydrogenic atom) is any atom or ion with a single valence electron. These atoms are isoelectronic with hydrogen. Examples of hydrogen-like atoms include, but are not limited to, hydrogen itself, all alkali metals such as Rb and Cs, singly ionized alkaline earth metals such as Ca+ and Sr+ and other ions such as He+, Li2+, and Be3+ and isotopes of any of the above. A hydrogen-like atom includes a positively charged core consisting of the atomic nucleus and any core electrons as well as a single valence electron. Because helium is common in the universe, the spectroscopy of singly ionized helium is important in EUV astronomy, for example, of DO white dwarf stars.
SHA-3 is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2.
An LC circuit can be quantized using the same methods as for the quantum harmonic oscillator. An LC circuit is a variety of resonant circuit, and consists of an inductor, represented by the letter L, and a capacitor, represented by the letter C. When connected together, an electric current can alternate between them at the circuit's resonant frequency:
In cryptography, scrypt is a password-based key derivation function created by Colin Percival in March 2009, originally for the Tarsnap online backup service. The algorithm was specifically designed to make it costly to perform large-scale custom hardware attacks by requiring large amounts of memory. In 2016, the scrypt algorithm was published by IETF as RFC 7914. A simplified version of scrypt is used as a proof-of-work scheme by a number of cryptocurrencies, first implemented by an anonymous programmer called ArtForz in Tenebrix and followed by Fairbrix and Litecoin soon after.
In cryptography, a sponge function or sponge construction is any of a class of algorithms with finite internal state that take an input bit stream of any length and produce an output bit stream of any desired length. Sponge functions have both theoretical and practical uses. They can be used to model or implement many cryptographic primitives, including cryptographic hashes, message authentication codes, mask generation functions, stream ciphers, pseudo-random number generators, and authenticated encryption.
Quantum stochastic calculus is a generalization of stochastic calculus to noncommuting variables. The tools provided by quantum stochastic calculus are of great use for modeling the random evolution of systems undergoing measurement, as in quantum trajectories. Just as the Lindblad master equation provides a quantum generalization to the Fokker–Planck equation, quantum stochastic calculus allows for the derivation of quantum stochastic differential equations (QSDE) that are analogous to classical Langevin equations.
In quantum mechanics, a Dirac membrane is a model of a charged membrane introduced by Paul Dirac in 1962. Dirac's original motivation was to explain the mass of the muon as an excitation of the ground state corresponding to an electron. Anticipating the birth of string theory by almost a decade, he was the first to introduce what is now called a type of Nambu–Goto action for membranes.