Optimization of PBKDF2-HMAC-SHA256 and PBKDF2-HMAC-LSH256 in CPU Environments

Abstract

Password-Based Key-Derivation Function 2 (PBKDF2) is commonly employed to derive secure keys from a password in real life such as file encryption and implementation of authentication systems. Nevertheless, owing to the limited entropy of the password, the security of the generated keys is lower than that of the normally generated keys. To address this, issue increase the number of iterative operations during the PBKDF2 may increase. However, the higher the number of iterative operations, the more time it takes to generate the key. This paper presents various techniques for optimizing the performance of PBKDF2. The main idea of our proposed methods is to reduce redundant block operations and to optimize Pseudo Random Function (PRF) itself by combining operations and making full use of fixed values within PBKDF2. As the underlying hash function in PRF, we utilize two algorithms: Hash-based Message Authentication Code-Secure Hash Algorithm 256 (HMAC-SHA256) and HMAC-Lightweight Secure Hash 256 (HMAC-LSH256) (SHA256 is the most widely used hash function and LSH256 was recently developed hash function in South Korea). With the proposed techniques, the proposed implementation of PBKDF2-HMAC-SHA256 provides a performance enhancement of about 135.27% over the reference implementation provided by Korea Internet & Security Agency (KISA) and about 80.21% over OpenSSL. Concerning PBKDF2-HMAC-LSH256, the proposed implementation provides a huge performance enhancement of about 330.48% over the reference implementation provided by KISA. With the proposed implementation, more iteration operations can be possible for higher security. Furthermore, we can use the proposed techniques to optimize PBKDF2 performance on embedded MCUs.