Catena Variants: Different Instantiations for an Extremely Flexible Password-Hashing Framework
Author(s): Stefan Lucks, Jakob Wenzel

Date: December 2015
Publication: 9th International Conference on Passwords (Passwords15 London). Lecture Notes in Computer Science, Volume 9551
Page(s): 95 - 119
Publisher: Springer
Source 1: https://dx.doi.org/10.1007/978-3-319-29938-9_7 - Subscription or payment required

Abstract or Summary:
Catena is a password-scrambling framework characterized by its high flexibility. The user (defender) can simply adapt the underlying (cryptographic) primitives, the underlying memory-hard function, and the time ($\lambda$) and memory (garlic) parameters, to render it suitable for a wide range of applications. This enables Catena to maximize the defense against specific adversaries, their capabilities and goals, and to cope with a high variation of hardware and constraints on the side of the defender. Catena has obtained special recognition from the Password Hashing Competition (PHC), alongside the winner Argon2.

In addition to the default instantiations presented in the PHC submission, we want to use this document to introduce further variants of Catena, or rather, further instantiations of the Catena framework. Our instantiations use different hash functions, and we evaluate their influence on the computational time and the throughput. Next, we discuss how instantiations of the memory-hard graph-based algorithm influence the computational time and resistance against low-memory attacks. Furthermore, we introduce possible extensions of Catena accommodating strong resistance against GPU- and ASIC-based adversaries, e.g., by providing sequential memory-hardness due to a data-dependent indexing function. At the end, we combine particular instantiations discussed so far to construct full-fledged variants of Catena for certain goals. Hence, this document can be seen as an additional guide to the PHC submission of Catena when considering its usage under certain restrictions.