PHC status report

First published on February 3, 2015, by the PHC panel

The Password Hashing Competition (PHC) is a project aiming to identify new password hashing schemes in order to improve on the state-of-the-art and to encourage the use of strong password protection.  In March 2014, PHC received 24 complete submissions. Based on the discussions on the public and private mailing lists, finalists of the competition are announced on December 8, 2014.

This report provides rationale on the selection of the nine PHC finalists, which are Argon, battcrypt, Catena, Lyra2, Makwa, Parallel, POMELO, Pufferfish, yescrypt.

Selection criteria including, in no particular order:

We attempted to include algorithms relevant for most applications of a password hashing scheme, from web service authentication to client login or key derivation. We also believed that having diversity in the finalists is beneficial, therefore selected algorithms of different types and suitable for different applications.

Below we provide comments about each of the 24 submissions, to help understand our decisions. Due to limited time and resources, we succinctly report the main reasons that motivated our selection or non-selection as a finalist.

We thank all submitters for their contribution. Comments and questions may be sent to the public PHC mailing list or to panel@password-hashing.net.

It is planned that the PHC winner(s) be announced in Q2 2015.

Finalists

Below we list specific properties that motivated our selection of the finalists. This is not to say the finalists are free of drawbacks (we are aware of many) or defects. It's just that in this brief report we list some of what motivated our choice in favor of the finalists, rather than against.

Argon

battcrypt

Catena

Lyra2

Makwa

Parallel

POMELO

Pufferfish

yescrypt

Non-finalists

Given that diversity was among our criteria for selection of finalists, non-selection of a submission does not necessarily imply that we found the submission less suitable than all of those we selected as finalists—in some cases, the non-finalist submission merely received considerably less support by the panel than other submissions that we felt were competing in the same category (targeting the same use cases and/or offering the same kind of defenses). Without what we deemed a more suitable submission in a (loosely defined) category, some of these non-finalist submissions could have been selected. Besides, a number of non-finalists contributed original or interesting ideas, and this contributed to our understanding of what constitutes a password hashing scheme suited for practical applications. That said, we actually found many non-finalists less mature, less analyzed, and generally less understood than most of the finalists.

Below we point out specific properties or defects that motivated our choice. This is not to say the non-finalists lack advantages (we are aware of many). It's just that in this brief report we list some of what motivated our choice against the non-finalists, rather than in favor.

AntCrypt

Catfish

Centrifuge

EARWORM

Gambit

Lanarea

M3lcrypt

MCS_PHS

OmegaCrypt

PolyPassHash

RIG

Schvrch

Tortuga

TwoCats

Yarn