Password hashing

Joseph Ashwood ashwood at
Sat Oct 13 18:21:28 EDT 2007

----- Original Message ----- 
From: "Jim Gellman" <jim at>
To: "Joseph Ashwood" <ashwood at>
Cc: "Cryptography" <cryptography at>
Sent: Saturday, October 13, 2007 1:25 PM
Subject: Re: Password hashing

> I'm not sure I follow your notation.  Are you saying that IV[n] is the
> n'th application of the compression function?
No, each application of the HMAC is separate, this is to incur the 
finalization penalty in the computation. If you want it closer to 
for(n iterations)
    IV = HMAC(key=IV, data=USERID||PASSWORD)

> Why put each field in
> its own block?

It really is to incur as many necessary performance penalties as possible. 
The HMAC keying requires 2 compressions, then the USERID||PASSWORD 
formatting can be created to make it consistently 2 more compressions, and a 
finalization per round.

More inflation is of course possible, but I don't think it is reasonable, 
too much possibility of stretching too far, giving too much leverage for an 
attack on the compression function (i.e. the more times you use the 
compression function the more likely a shortcut exists, but by resetting the 
state such attacks become much less likely).
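
The loop described in the message above, as an added Python example (not code from the original post): each round is a separate HMAC call keyed with the previous output, over USERID and PASSWORD each padded into its own block. The choice of SHA-256, the length-prefix padding format, the starting IV and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

BLOCK = hashlib.sha256().block_size  # 64 bytes = one compression-function input

def one_block(field: bytes) -> bytes:
    """Assumed format: 2-byte length prefix, the field, zero padding to one block."""
    if len(field) > BLOCK - 2:
        raise ValueError("field does not fit in a single block")
    return (len(field).to_bytes(2, "big") + field).ljust(BLOCK, b"\x00")

def stretch(userid: bytes, password: bytes, iv0: bytes, iterations: int) -> bytes:
    """for(n iterations) IV = HMAC(key=IV, data=USERID||PASSWORD)"""
    data = one_block(userid) + one_block(password)  # always exactly 2 blocks
    iv = iv0
    for _ in range(iterations):
        # Separate HMAC call per round: hash state is reset and re-keyed each time.
        iv = hmac.new(iv, data, hashlib.sha256).digest()
    return iv

def compressions_per_round(data_len: int, digest_len: int = 32) -> dict:
    """Count SHA-256 compression calls in one HMAC over data_len bytes (key <= 1 block)."""
    def blocks(n: int) -> int:
        # message + 0x80 marker + 8-byte length field, rounded up to whole blocks
        return (n + 1 + 8 + BLOCK - 1) // BLOCK
    full_data = data_len // BLOCK
    inner = blocks(BLOCK + data_len) - 1    # inner hash, excluding the key^ipad block
    outer = blocks(BLOCK + digest_len) - 1  # outer hash, excluding the key^opad block
    return {"keying": 2, "data": full_data,
            "finalization": inner - full_data + outer,
            "total": 2 + inner + outer}

if __name__ == "__main__":
    iv0 = bytes(32)  # constructed all-zero starting IV, for the demo only
    print(stretch(b"alice", b"correct horse", iv0, 1000).hex())
    print(compressions_per_round(2 * BLOCK))
```

For the two-block input, compressions_per_round(128) reports 6 compressions per round: 2 for keying, 2 for the data blocks, and 2 for finalization (the inner padding block and the outer hash over the inner digest).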

The Cryptography Mailing List