Password Hashing Competition


July 20th, 2015: PHC winner and special recognitions announced.

The Password Hashing Competition (PHC) is an effort organized to identify new password hashing schemes in order to improve on the state of the art (PBKDF2, scrypt, etc.), and to encourage the use of strong password protection. Applications include, for example, authentication to web services, PIN authentication on mobile devices, key derivation for full disk encryption, and private key encryption.

Motivations behind the PHC include: (For more information on the topic of password hashing, a quick and comprehensive introduction is this presentation.)

To identify new password hashing schemes suitable for widespread adoption, the PHC follows the model of focused cryptographic competitions such as AES, eSTREAM, or SHA-3 (see the Cryptographic competitions website).

The PHC is organized by a panel of experts consisting of:

Tony Arcieri (@bascule, Square)
Jean-Philippe Aumasson (@veorq, Kudelski Security)
Dmitry Chestnykh (@dchest, Coding Robots)
Jeremi Gosney (@jmgosney, Stricture Consulting Group)
Russell Graves (@bitweasil, Cryptohaze)
Matthew Green (@matthew_d_green, Johns Hopkins University)
Peter Gutmann (University of Auckland)
Pascal Junod (@cryptopathe, HEIG-VD)
Poul-Henning Kamp (FreeBSD)
Stefan Lucks (Bauhaus-Universität Weimar)
Samuel Neves (@sevenps, University of Coimbra)
Colin Percival (@cperciva, Tarsnap)
Alexander Peslyak (@solardiz, Openwall)
Marsh Ray (@marshray, Microsoft)
Jens Steube (@hashcat, Hashcat project)
Steve Thomas (@Sc00bzT, TobTu)
Meltem Sonmez Turan (NIST)
Zooko Wilcox-O'Hearn (@zooko, Least Authority Enterprises)
Christian Winnerlein (@codesinchaos, Pactas)
Elias Yarrkov (@yarrkov)

These experts are responsible for the selection of a portfolio of schemes, based on public contributions and on their assessment of the submissions received. They will be permitted to submit schemes.

The PHC is organized by a group of individuals, not by a standardization body. However, this does not exclude the future standardization of one or more of the schemes selected.

The PHC is expected to rely in great part on contributions from the public, including third-party implementations, cryptanalytic attacks, and optimized GPU or hardware crackers.