Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Lyra2
open-in-new
<h2 id="design">Design</h2> <p>As any PHS, Lyra2 takes as input a <a href="/facts/Salt_(cryptography)/9g6l177I">salt</a> and a password, creating a <a href="/facts/Pseudorandomness/kfs1wfhY">pseudorandom</a> output that can then be used as key material for cryptographic algorithms or as an <a href="/facts/Authentication_protocol/pcX97lnA">authentication</a> string.<a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a> </p><p>Internally, the scheme's memory is organized as a matrix that is expected to remain in memory during the whole password hashing process. Since its cells are iteratively read and written, discarding a cell for saving memory leads to the need of recomputing it whenever it is accessed once again, until the point it was last modified.<a class="footnote-ref" id="fnref:11" href="#fn:11"><sup>11</sup></a> </p><p>The construction and visitation of the matrix is done using a stateful combination of the absorbing, squeezing and duplexing operations of the underlying <a href="/facts/Sponge_function/DA3BT6Ss">sponge</a> (i.e., its internal state is never reset to zero), ensuring the sequential nature of the whole process. </p><p>Also, the number of times the matrix's cells are revisited after initialization is defined by the user, allowing Lyra2's execution time to be fine-tuned according to the target platform's resources. </p> <h3>Inputs</h3> <ul><li>password</li> <li>salt</li> <li>t_cost - execution time</li> <li>m_cost - memory required</li> <li>outlen</li></ul> <p>The algorithm additionally enables parameterization in terms of:<a class="footnote-ref" id="fnref:12" href="#fn:12"><sup>12</sup></a> </p> <ul><li>degree of parallelism (number of <a href="/facts/Thread_(computing)/hh8WHyPd">threads</a> p {\displaystyle p} )</li> <li>underlying permutation function (can be seen as the main cryptographic primitive)</li> <li>number of blocks used by the underlying permutation function (<i>bitrate</i>)</li> <li>number of rounds performed for the underlying permutation function ( ρ {\displaystyle \rho } )</li> <li>number of bits to be used in rotations ( ω {\displaystyle \omega } )</li> <li>output length( κ {\displaystyle \kappa } )</li></ul> <h3>Functions/symbols</h3> || Concatenate two strings ^ Bitwise XOR [+] Word wise add operation (i.e., ignoring carries between words) % Modulus W The target machine's word size (usually, 32 or 64) omega Number of bits to be used in rotations (recommended: a multiple of the machine's word size, W) >>> Right rotation rho Number of rounds for reduced squeeze or duplexing operations blen Sponge's block size in bytes H or H_i Sponge with block size blen (in bytes) and underlying permutation f H.absorb(input) Sponge's absorb operation on input H.squeeze(len) Sponge's squeeze operation of len bytes H.squeeze_{rho}(len) Sponge's squeeze operation of len bytes using rho rounds of f H.duplexing(input,len) Sponge's duplexing operation on input, producing len bytes H.duplexing_{rho}(input,len) Sponge's duplexing operation on input, using rho rounds of f, producing len bytes pad(string) Pads a string to a multiple of blen bytes (padding rule: 10*1) lsw(input) The least significant word of input len(string) Length of a string, in bytes syncThreads() Synchronize parallel threads swap(input1,input2) Swap the value of two inputs C Number of columns on the memory matrix (usually, 64, 128, 256, 512 or 1024) P Degree of parallelism (P >= 1 and (m_cost/2) % P == 0) <h3>Algorithm without parallelism</h3> ** Bootstrapping phase: Initializes the sponge's state and local variables # Byte representation of input parameters (others can be added) params = outlen || len(password) || len(salt) || t_cost || m_cost || C # Initializes the sponge's state (after that, password can be overwritten) H.absorb( pad(password || salt || params) ) # Initializes visitation step, window and first rows that will feed gap = 1 stp = 1 wnd = 2 sqrt = 2 prev0 = 2 row1 = 1 prev1 = 0 ** Setup phase: Initializes a (m_cost x C) memory matrix, its cells having blen-byte cells # Initializes M[0], M[1] and M[2] for col = 0 to C-1 M[0][C-1-col] = H.squeeze_{rho}(blen) for col = 0 to C-1 M[1][C-1-col] = H.duplexing_{rho}( M[0][col], blen) for col = 0 to C-1 M[2][C-1-col] = H.duplexing_{rho}( M[1][col], blen) # Filling Loop: initializes remainder rows for row0 = 3 to m_cost-1 # Columns Loop: M[row0] is initialized and M[row1] is updated for col = 0 to C-1 rand = H.duplexing_{rho}( M[row1][col] [+] M[prev0][col] [+] M[prev1][col], blen) M[row0][C-1-col] = M[prev0][col] ^ rand M[row1][col] = M[row1][col] ^ ( rand >>> omega ) # Rows to be revisited in next loop prev0 = row0 prev1 = row1 row1 = (row1 + stp) % wnd # Window fully revisited if (row1 = 0) # Doubles window and adjusts step wnd = 2 * wnd stp = sqrt + gap gap = -gap # Doubles sqrt every other iteration if (gap = -1) sqrt = 2 * sqrt ** Wandering phase: Iteratively overwrites pseudorandom cells of the memory matrix # Visitation Loop: (2 * m_cost * t_cost) rows revisited in pseudorandom fashion for wCount = 0 to ( (m_cost * t_cost) - 1) # Picks pseudorandom rows row0 = lsw(rand) % m_cost row1 = lsw( rand >>> omega ) % m_cost # Columns Loop: updates both M[row0] and M[row1] for col = 0 to C-1 # Picks pseudorandom columns col0 = lsw( ( rand >>> omega ) >>> omega ) % C col1 = lsw( ( ( rand >>> omega ) >>> omega ) >>> omega ) % C rand = H.duplexing_{rho}( M[row0][col] [+] M[row1][col] [+] M[prev0][col0] [+] M[prev1][col1], blen) M[row0][col] = M[row0][col] ^ rand M[row1][col] = M[row1][col] ^ ( rand >>> omega ) # Next iteration revisits most recently updated rows prev0 = row0 prev1 = row1 ** Wrap-up phase: output computation # Absorbs a final column with a full-round sponge H.absorb( M[row0][0] ) # Squeezes outlen bits with a full-round sponge output = H.squeeze(outlen) # Provides outlen-long bitstring as output return output <h3>Algorithm with parallelism</h3> for each i in [0..P] ** Bootstrapping phase: Initializes the sponge's state and local variables # Byte representation of input parameters (others can be added) params = outlen || len(password) || len(salt) || t_cost || m_cost || C || P || i # Initializes the sponge's state (after that, password can be overwritten) H_i.absorb( pad(password || salt || params) ) # Initializes visitation step, window and first rows that will feed gap = 1 stp = 1 wnd = 2 sqrt = 2 sync = 4 j = i prev0 = 2 rowP = 1 prevP = 0 ** Setup phase: Initializes a (m_cost x C) memory matrix, its cells having blen-byte cells # Initializes M_i[0], M_i[1] and M_i[2] for col = 0 to C-1 M_i[0][C-1-col] = H_i.squeeze_{rho}(blen) for col = 0 to C-1 M_i[1][C-1-col] = H_i.duplexing_{rho}( M_i[0][col], blen) for col = 0 to C-1 M_i[2][C-1-col] = H_i.duplexing_{rho}( M_i[1][col], blen) # Filling Loop: initializes remainder rows for row0 = 3 to ( (m_cost / P) - 1 ) # Columns Loop: M_i[row0] is initialized and M_j[row1] is updated for col = 0 to C-1 rand = H_i.duplexing_{rho}( M_j[rowP][col] [+] M_i[prev0][col] [+] M_j[prevP][col], blen) M_i[row0][C-1-col] = M_i[prev0][col] ^ rand M_j[rowP][col] = M_j[rowP][col] ^ ( rand >>> omega ) # Rows to be revisited in next loop prev0 = row0 prevP = rowP rowP = (rowP + stp) % wnd # Window fully revisited if (rowP = 0) # Doubles window and adjusts step wnd = 2 * wnd stp = sqrt + gap gap = -gap # Doubles sqrt every other iteration if (gap = -1) sqrt = 2 * sqrt # Synchronize point if (row0 = sync) sync = sync + (sqrt / 2) j = (j + 1) % P syncThreads() syncThreads() ** Wandering phase: Iteratively overwrites pseudorandom cells of the memory matrix wnd = m_cost / (2 * P) sync = sqrt off0 = 0 offP = wnd # Visitation Loop: (2 * m_cost * t_cost / P) rows revisited in pseudorandom fashion for wCount = 0 to ( ( (m_cost * t_cost) / P) - 1) # Picks pseudorandom rows and slices (j) row0 = off0 + (lsw(rand) % wnd) rowP = offP + (lsw( rand >>> omega ) % wnd) j = lsw( ( rand >>> omega ) >>> omega ) % P # Columns Loop: update M_i[row0] for col = 0 to C-1 # Picks pseudorandom column col0 = lsw( ( ( rand >>> omega ) >>> omega ) >>> omega ) % C rand = H_i.duplexing_{rho}( M_i[row0][col] [+] M_i[prev0][col0] [+] M_j[rowP][col], blen) M_i[row0][col] = M_i[row0][col] ^ rand # Next iteration revisits most recently updated rows prev0 = row0 # Synchronize point if (wCount = sync) sync = sync + sqrt swap(off0,offP) syncThreads() syncThreads() ** Wrap-up phase: output computation # Absorbs a final column with a full-round sponge H_i.absorb( M_i[row0][0] ) # Squeezes outlen bits with a full-round sponge output_i = H_i.squeeze(outlen) # Provides outlen-long bitstring as output return output_0 ^ ... ^ output_{P-1} <h2 id="security-analysis">Security analysis</h2> <p>Against Lyra2, the processing cost of attacks using 1 / 2 n + 2 {\displaystyle 1/2^{n+2}} of the amount of memory employed by a legitimate user is expected to be between O ( 2 2 n T R 3 ) {\displaystyle O(2^{2nT}R^{3})} and O ( 2 2 n T R n + 2 ) {\displaystyle O(2^{2nT}R^{n+2})} , the latter being a better estimate for n ≫ 1 {\displaystyle n\gg 1} , instead of the O ( R ) {\displaystyle O(R)} achieved when the amount of memory is O ( R ) {\displaystyle O(R)} , where T {\displaystyle T} is a user-defined parameter to define a processing time. </p><p>This compares well to <a href="/facts/Scrypt/StlAggdS">Scrypt</a>, which displays a cost of O ( R 2 ) {\displaystyle O(R^{2})} when the memory usage is high O ( 1 ) {\displaystyle O(1)} ,<a class="footnote-ref" id="fnref:13" href="#fn:13"><sup>13</sup></a> and with other solutions in the literature, for which the results are usually O ( R T + 1 ) {\displaystyle O(R^{T+1})} .<a class="footnote-ref" id="fnref:14" href="#fn:14"><sup>14</sup></a><a class="footnote-ref" id="fnref:15" href="#fn:15"><sup>15</sup></a><a class="footnote-ref" id="fnref:16" href="#fn:16"><sup>16</sup></a><a class="footnote-ref" id="fnref:17" href="#fn:17"><sup>17</sup></a> </p><p>Nonetheless, in practice these solutions usually involve a value of R {\displaystyle R} (memory usage) lower than those attained with the Lyra2 for the same processing time.<a class="footnote-ref" id="fnref:18" href="#fn:18"><sup>18</sup></a><a class="footnote-ref" id="fnref:19" href="#fn:19"><sup>19</sup></a><a class="footnote-ref" id="fnref:20" href="#fn:20"><sup>20</sup></a><a class="footnote-ref" id="fnref:21" href="#fn:21"><sup>21</sup></a><a class="footnote-ref" id="fnref:22" href="#fn:22"><sup>22</sup></a> </p> <h2 id="performance">Performance</h2> <p>The processing time obtained with an SSE single-core implementation of Lyra2 is illustrated in the hereby shown figure. This figure was extracted from,<a class="footnote-ref" id="fnref:23" href="#fn:23"><sup>23</sup></a> and is very similar to, third-party benchmarks performed during the PHC context.<a class="footnote-ref" id="fnref:24" href="#fn:24"><sup>24</sup></a><a class="footnote-ref" id="fnref:25" href="#fn:25"><sup>25</sup></a><a class="footnote-ref" id="fnref:26" href="#fn:26"><sup>26</sup></a><a class="footnote-ref" id="fnref:27" href="#fn:27"><sup>27</sup></a><a class="footnote-ref" id="fnref:28" href="#fn:28"><sup>28</sup></a> </p><p>The results depicted correspond to the average execution time of Lyra2 configured with C = 256 {\displaystyle C=256} , ρ = 1 {\displaystyle \rho =1} , b = 768 {\displaystyle b=768} bits (i.e., the inner state has 256 bits), and different T {\displaystyle T} and R {\displaystyle R} settings, giving an overall idea of possible combinations of parameters and the corresponding usage of resources. </p><p>As shown in this figure, Lyra2 is able to execute in: less than 1 s while using up to 400 MB (with R = 2 14 {\displaystyle R=2^{14}} and T = 5 {\displaystyle T=5} ) or up to 1 GB of memory (with R ≈ 4.2 ⋅ 10 4 {\displaystyle R\approx 4.2\cdot 10^{4}} and T = 1 {\displaystyle T=1} ); or in less than 5 s with 1.6 GB (with R = 2 16 {\displaystyle R=2^{16}} and T = 6 {\displaystyle T=6} ). </p><p>All tests were performed on an <a href="/facts/List_of_Intel_Xeon_microprocessors/4UVFb7S0">Intel Xeon E5-2430</a> (2.20 GHz with 12 Cores, 64 bits) equipped with 48 GB of <a href="/facts/Dynamic_random-access_memory/koI9FGo5">DRAM</a>, running <a href="/facts/Ubuntu_(operating_system)/0WDd7hkb">Ubuntu</a> 14.04 LTS 64 bits, and the source code was compiled using <a href="/facts/GNU_Compiler_Collection/t07jh01k">GCC</a> 4.9.2.<a class="footnote-ref" id="fnref:29" href="#fn:29"><sup>29</sup></a> </p> <h2 id="extensions">Extensions</h2> <p>Lyra offers two main extensions:<a class="footnote-ref" id="fnref:30" href="#fn:30"><sup>30</sup></a> </p> <ul><li>Lyra2-<i>δ</i>: Provides more control over the algorithm's bandwidth usage.</li> <li>Lyra2<i>p</i>: Takes advantage of <a href="/facts/Parallel_computing/nQzcpzQt">parallelism</a> capabilities on the user's platform.</li></ul> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Crypt_(C)/vugEECEV">crypt (C)</a></li> <li><a href="/facts/Yescrypt/tufKsBYs">yescrypt</a></li> <li><a href="/facts/Password_hashing/3jL2jTTb">Password hashing</a></li> <li><a href="/facts/Password_Hashing_Competition/tufKsBYs">Password Hashing Competition</a></li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="http://lyra-2.net/">Lyra2's website</a></li> <li><a href="https://github.com/leocalm/Lyra/">Lyra2 source code repository on Github</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>"Password Hashing Competition". password-hashing.net. Retrieved 2016-03-22. <a href="https://password-hashing.net/" target="_blank">https://password-hashing.net/</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>"Lyra2REv2". eprint.iacr.org. Retrieved 2016-03-22. <a href="https://en.bitcoinwiki.org/wiki/Lyra2REv2" target="_blank">https://en.bitcoinwiki.org/wiki/Lyra2REv2</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"Vertcoin". vertcoin.org. Retrieved 2019-10-08. <a href="http://vertcoin.org" target="_blank">http://vertcoin.org</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>"MonaCoin". monacoin.org. Retrieved 2019-10-08. <a href="https://monacoin.org" target="_blank">https://monacoin.org</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>van Beirendonck, M.; Trudeau, L.; Giard, P.; Balatsoukas-Stimming, A. (2019-05-29). A Lyra2 FPGA Core for Lyra2REv2-Based Cryptocurrencies. IEEE International Symposium on Circuits and Systems (ISCAS). Sapporo, Japan: IEEE. pp. 1–5. arXiv:1807.05764. doi:10.1109/ISCAS.2019.8702498. <a href="/wiki/ArXiv_(identifier)" target="_blank">/wiki/ArXiv_(identifier)</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>"Cryptology ePrint Archive: Report 2015/136". eprint.iacr.org. Retrieved 2016-03-22. <a href="https://eprint.iacr.org/2015/136" target="_blank">https://eprint.iacr.org/2015/136</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>Almeida, Leonardo C.; Andrade, Ewerton R.; Barreto, Paulo S. L. M.; Simplicio Jr, Marcos A. (2014-01-04). "Lyra: password-based key derivation with tunable memory and processing costs". Journal of Cryptographic Engineering. 4 (2): 75–89. CiteSeerX 10.1.1.642.8519. doi:10.1007/s13389-013-0063-5. ISSN 2190-8508. S2CID 5245769. <a href="/wiki/CiteSeerX_(identifier)" target="_blank">/wiki/CiteSeerX_(identifier)</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>"Cryptology ePrint Archive: Report 2014/030". eprint.iacr.org. Retrieved 2016-03-22. <a href="https://eprint.iacr.org/2014/030" target="_blank">https://eprint.iacr.org/2014/030</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>Andrade, E.; Simplicio Jr, M.; Barreto, P.; Santos, P. (2016-01-01). "Lyra2: efficient password hashing with high security against time-memory trade-offs". IEEE Transactions on Computers. PP (99): 3096–3108. doi:10.1109/TC.2016.2516011. ISSN 0018-9340. S2CID 37232444. <a href="/wiki/Doi_(identifier)" target="_blank">/wiki/Doi_(identifier)</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>Chen, Lily (2009). "Recommendation for Key Derivation Using Pseudorandom Functions (Revised)" (PDF). Computer Security. NIST. doi:10.6028/NIST.SP.800-108. <a href="http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf" target="_blank">http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> <li id="fn:11"><p>van Beirendonck, M.; Trudeau, L.; Giard, P.; Balatsoukas-Stimming, A. (2019-05-29). A Lyra2 FPGA Core for Lyra2REv2-Based Cryptocurrencies. IEEE International Symposium on Circuits and Systems (ISCAS). Sapporo, Japan: IEEE. pp. 1–5. arXiv:1807.05764. doi:10.1109/ISCAS.2019.8702498. <a href="/wiki/ArXiv_(identifier)" target="_blank">/wiki/ArXiv_(identifier)</a> <a href="#fnref:11" class="footnote-back-ref">↩</a></p></li> <li id="fn:12"><p>Simplicio Jr, Marcos A.; Almeida, Leonardo C.; Andrade, Ewerton R.; Santos, Paulo C.; Barreto, Paulo S. L. M. "The Lyra2 reference guide" (PDF). PHC. The Password Hashing Competition. <a href="https://password-hashing.net/submissions/specs/Lyra2-v3.pdf" target="_blank">https://password-hashing.net/submissions/specs/Lyra2-v3.pdf</a> <a href="#fnref:12" class="footnote-back-ref">↩</a></p></li> <li id="fn:13"><p>Percival, Colin. "Stronger Key Derivation via Sequential Memory-Hard Functions" (PDF). TARSNAP. The Technical BSD Conference. <a href="https://www.tarsnap.com/scrypt/scrypt.pdf" target="_blank">https://www.tarsnap.com/scrypt/scrypt.pdf</a> <a href="#fnref:13" class="footnote-back-ref">↩</a></p></li> <li id="fn:14"><p>Almeida, Leonardo C.; Andrade, Ewerton R.; Barreto, Paulo S. L. M.; Simplicio Jr, Marcos A. (2014-01-04). "Lyra: password-based key derivation with tunable memory and processing costs". Journal of Cryptographic Engineering. 4 (2): 75–89. CiteSeerX 10.1.1.642.8519. doi:10.1007/s13389-013-0063-5. ISSN 2190-8508. S2CID 5245769. <a href="/wiki/CiteSeerX_(identifier)" target="_blank">/wiki/CiteSeerX_(identifier)</a> <a href="#fnref:14" class="footnote-back-ref">↩</a></p></li> <li id="fn:15"><p>"Cryptology ePrint Archive: Report 2013/525". eprint.iacr.org. Retrieved 2016-03-22. <a href="https://eprint.iacr.org/2013/525" target="_blank">https://eprint.iacr.org/2013/525</a> <a href="#fnref:15" class="footnote-back-ref">↩</a></p></li> <li id="fn:16"><p>Schmidt, Sascha. "Implementation of the Catena Password-Scrambling Framework" (PDF). Bauhaus-Universität Weimar. Faculty of Media. <a href="https://www.uni-weimar.de/fileadmin/user/fak/medien/professuren/Mediensicherheit/Research/Theses/sascha-schmidt-master-thesis-catena.pdf" target="_blank">https://www.uni-weimar.de/fileadmin/user/fak/medien/professuren/Mediensicherheit/Research/Theses/sascha-schmidt-master-thesis-catena.pdf</a> <a href="#fnref:16" class="footnote-back-ref">↩</a></p></li> <li id="fn:17"><p>"P-H-C/phc-winner-argon2" (PDF). GitHub. Retrieved 2016-03-22. <a href="https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf" target="_blank">https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf</a> <a href="#fnref:17" class="footnote-back-ref">↩</a></p></li> <li id="fn:18"><p>"Gmane -- Another PHC candidates mechanical tests". article.gmane.org. Retrieved 2016-03-22. <a href="http://article.gmane.org/gmane.comp.security.phc/2237" target="_blank">http://article.gmane.org/gmane.comp.security.phc/2237</a> <a href="#fnref:18" class="footnote-back-ref">↩</a></p></li> <li id="fn:19"><p>"Gmane -- A review per day Lyra2". article.gmane.org. Retrieved 2016-03-22. <a href="http://article.gmane.org/gmane.comp.security.phc/1992" target="_blank">http://article.gmane.org/gmane.comp.security.phc/1992</a> <a href="#fnref:19" class="footnote-back-ref">↩</a></p></li> <li id="fn:20"><p>"Gmane -- Lyra2 initial review". article.gmane.org. Retrieved 2016-03-22. <a href="http://article.gmane.org/gmane.comp.security.phc/1596" target="_blank">http://article.gmane.org/gmane.comp.security.phc/1596</a> <a href="#fnref:20" class="footnote-back-ref">↩</a></p></li> <li id="fn:21"><p>"Gmane -- Memory performance and ASIC attacks". article.gmane.org. Retrieved 2016-03-22. <a href="http://article.gmane.org/gmane.comp.security.phc/1849" target="_blank">http://article.gmane.org/gmane.comp.security.phc/1849</a> <a href="#fnref:21" class="footnote-back-ref">↩</a></p></li> <li id="fn:22"><p>"Gmane -- Quick analysis of Argon". article.gmane.org. Retrieved 2016-03-22. <a href="http://article.gmane.org/gmane.comp.security.phc/1830" target="_blank">http://article.gmane.org/gmane.comp.security.phc/1830</a> <a href="#fnref:22" class="footnote-back-ref">↩</a></p></li> <li id="fn:23"><p>Andrade, E.; Simplicio Jr, M.; Barreto, P.; Santos, P. (2016-01-01). "Lyra2: efficient password hashing with high security against time-memory trade-offs". IEEE Transactions on Computers. PP (99): 3096–3108. doi:10.1109/TC.2016.2516011. ISSN 0018-9340. S2CID 37232444. <a href="/wiki/Doi_(identifier)" target="_blank">/wiki/Doi_(identifier)</a> <a href="#fnref:23" class="footnote-back-ref">↩</a></p></li> <li id="fn:24"><p>"Gmane -- Another PHC candidates mechanical tests". article.gmane.org. Retrieved 2016-03-22. <a href="http://article.gmane.org/gmane.comp.security.phc/2237" target="_blank">http://article.gmane.org/gmane.comp.security.phc/2237</a> <a href="#fnref:24" class="footnote-back-ref">↩</a></p></li> <li id="fn:25"><p>"Gmane -- A review per day Lyra2". article.gmane.org. Retrieved 2016-03-22. <a href="http://article.gmane.org/gmane.comp.security.phc/1992" target="_blank">http://article.gmane.org/gmane.comp.security.phc/1992</a> <a href="#fnref:25" class="footnote-back-ref">↩</a></p></li> <li id="fn:26"><p>"Gmane -- Lyra2 initial review". article.gmane.org. Retrieved 2016-03-22. <a href="http://article.gmane.org/gmane.comp.security.phc/1596" target="_blank">http://article.gmane.org/gmane.comp.security.phc/1596</a> <a href="#fnref:26" class="footnote-back-ref">↩</a></p></li> <li id="fn:27"><p>"Gmane -- Memory performance and ASIC attacks". article.gmane.org. Retrieved 2016-03-22. <a href="http://article.gmane.org/gmane.comp.security.phc/1849" target="_blank">http://article.gmane.org/gmane.comp.security.phc/1849</a> <a href="#fnref:27" class="footnote-back-ref">↩</a></p></li> <li id="fn:28"><p>"Gmane -- Quick analysis of Argon". article.gmane.org. Retrieved 2016-03-22. <a href="http://article.gmane.org/gmane.comp.security.phc/1830" target="_blank">http://article.gmane.org/gmane.comp.security.phc/1830</a> <a href="#fnref:28" class="footnote-back-ref">↩</a></p></li> <li id="fn:29"><p>Andrade, E.; Simplicio Jr, M.; Barreto, P.; Santos, P. (2016-01-01). "Lyra2: efficient password hashing with high security against time-memory trade-offs". IEEE Transactions on Computers. PP (99): 3096–3108. doi:10.1109/TC.2016.2516011. ISSN 0018-9340. S2CID 37232444. <a href="/wiki/Doi_(identifier)" target="_blank">/wiki/Doi_(identifier)</a> <a href="#fnref:29" class="footnote-back-ref">↩</a></p></li> <li id="fn:30"><p>Simplicio Jr, Marcos A.; Almeida, Leonardo C.; Andrade, Ewerton R.; Santos, Paulo C.; Barreto, Paulo S. L. M. "The Lyra2 reference guide" (PDF). PHC. The Password Hashing Competition. <a href="https://password-hashing.net/submissions/specs/Lyra2-v3.pdf" target="_blank">https://password-hashing.net/submissions/specs/Lyra2-v3.pdf</a> <a href="#fnref:30" class="footnote-back-ref">↩</a></p></li> </ol>