RiffleScrambler - a memory-hard password storing function

TL;DR

RiffleScrambler is a novel memory-hard password hashing function that generates unique graphs per salt, enhancing resistance to parallel attacks while maintaining efficiency and proven memory hardness.

Contribution

It introduces a new graph-based, data-independent memory-hard function with salt-dependent graphs, improving security against parallel attacks compared to prior methods.

Findings

Proves memory hardness in the random oracle model.

Achieves better efficiency than Balloon Hashing.

Provides higher immunity against practical parallel attacks.

Abstract

We introduce RiffleScrambler: a new family of directed acyclic graphs and a corresponding data-independent memory hard function with password independent memory access. We prove its memory hardness in the random oracle model. RiffleScrambler is similar to Catena -- updates of hashes are determined by a graph (bit-reversal or double-butterfly graph in Catena). The advantage of the RiffleScrambler over Catena is that the underlying graphs are not predefined but are generated per salt, as in Balloon Hashing. Such an approach leads to higher immunity against practical parallel attacks. RiffleScrambler offers better efficiency than Balloon Hashing since the in-degree of the underlying graph is equal to 3 (and is much smaller than in Ballon Hashing). At the same time, because the underlying graph is an instance of a Superconcentrator, our construction achieves the same time-memory trade-offs.