3

When Argon2, Balloon, scrypt, bcrypt¹, PBKDF2… are used for a password, we can call them password hash (for password storage) or password-based key derivation function (for use in encryption).

But that might not be understood when the context involves no passwords. Purposely-slowed hash is more descriptive, but awkward, and I have seldom seen it.

Are there established alternatives? If not, what do you propose?

Addition: I wish the term would be usable for strengthening the $b$-bit hash of a $3b$-bit Schnorr signature against brute force preimage attack. In this usage, there's nothing secret involved.

¹ As rightly pointed in comment, bcrypt can only produce 192 bits of output, which makes is passable for password hashing or short keys, but not a general Key Derivation Function.

fgrieu
  • 149,326
  • 13
  • 324
  • 622

2 Answers2

3

1) I don't know any established alternatives.

2) It is not correct to say that such algorithms are purposely-slowed. They not only can be slowed, but also can use much memory. A single word for this would be resources. And I would stress even not resources, but rather the price, because the whole idea is to make the price prohibiting for attackers. I would suggest following terms:

  • Expensive hashing
  • Resource intensive
  • Resource demanding
  • Resource hard
  • Resource greedy
  • Resource hungry

I will put these terms each as a separate comment below my answer. Feel free to vote :) In a couple of weeks we'll see the result.

mentallurg
  • 2,661
  • 1
  • 17
  • 24
2

The term you're looking for may be key stretching. It refers specifically to the use of a deliberately slow component (typically a KDF) to increase the resistance of a cryptosystem to brute force key enumeration when the key material (such as a user-supplied password) may have only a limited amount of entropy.

The term comes from the fact that a key-stretching KDF can be thought of as taking a short (or just low-entropy) input key and "stretching" it into a longer key that behaves, in terms of its resistance to brute force attacks, as if it had more entropy than the original input key.

(Of course, the actual entropy of the key doesn't increase, but the slowness of the KDF slows down brute force guessing attacks just like additional entropy would. In effect, an attacker has two choices when trying to guess a stretched key: they can either try to guess the input key, which forces them to compute the slow KDF for each guess, or they can try to directly guess the output key, which is pseudorandomly chosen from a large key space.)

Ilmari Karonen
  • 46,700
  • 5
  • 112
  • 189