Lyra2

Lyra2 is a key derivation function (KDF), also called password hashing scheme (PHS), that received a special recognition during the Password Hashing Competition in July 2015. It was designed by Marcos A. Simplicio Jr., Leonardo C. Almeida, Ewerton R. Andrade, Paulo C. F. dos Santos, and Paulo S. L. M. Barreto from Escola Politécnica da Universidade de São Paulo.

Lyra2 is an improvement of Lyra, previously proposed by the same authors. Lyra2 preserves the security, efficiency and flexibility of its predecessor, including: (1) the ability to configure the desired amount of memory, processing time and parallelism to be used by the algorithm; and (2) the capacity of providing a high memory usage with a processing time similar to that obtained with scrypt. In addition, it brings important improvements when compared to its predecessor:

Lyra2 is released under a public domain, and provides two main extensions:

This algorithm enables parameterization in terms of:

As any PHS, Lyra2 takes as input a salt and a password, creating a pseudorandom output that can then be used as key material for cryptographic algorithms or as an string.

Internally, the scheme's memory is organized as a matrix that is expected to remain in memory during the whole password hashing process: since its cells are iteratively read and written, discarding a cell for saving memory leads to the need of recomputing it whenever it is accessed once again, until the point it was last modified.

The construction and visitation of the matrix is done using a stateful combination of the absorbing, squeezing and duplexing operations of the underlying sponge (i.e., its internal state is never reset to zero), ensuring the sequential nature of the whole process.

Also, the number of times the matrix's cells are revisited after initialization is defined by the user, allowing Lyra2's execution time to be fine-tuned according to the target platform's resources.

Against Lyra2, the processing cost of attacks using ${\displaystyle 1/2^{n+2}}$ of the amount of memory employed by a legitimate user is expected to be between ${\displaystyle O(2^{2nT}R^{3})}$ and ${\displaystyle O(2^{2nT}R^{n+2})}$, the latter being a better estimate for ${\displaystyle n\gg 1}$, instead of the ${\displaystyle O(R)}$ achieved when the amount of memory is ${\displaystyle O(R)}$, where ${\displaystyle T}$ is a user-defined parameter to define a processing time.

...
Wikipedia