International Association for Cryptologic Research
It is common wisdom that servers should store a one-way hash of their clients' passwords rather than the passwords in the clear. This paper introduces Catena, a new one-way function for that purpose. Catena is memory-hard, which can hinder massively parallel attacks on cheap memory-constrained hardware, such as recent "Graphical Processing Units" (GPUs). Furthermore, Catena has been designed to resist cache-timing attacks. This distinguishes Catena from scrypt, which may be sequentially memory-hard, but which the authors show to be vulnerable to cache-timing attacks.