1194:(like scrypt and argon2), rather than the fixed 4 KB memory footprint of bcrypt. Similar to scrypt or argon2, pufferfish2 gains its difficulty by using more memory. Unlike scrypt and argon2, pufferfish2 only operates in a CPU core's L2 cache. While scrypt and argon2 gain their memory hardness by randomly accessing lots of RAM, pufferfish2 limits itself to just the dedicated L2 cache available to a CPU core. This makes it even harder to implement in custom hardware than scrypt and argon2. The ideal memory footprint of pufferfish2 is the size of the cache available to a core (e.g. 1.25 MB for Intel Alder Lake) This makes pufferfish2 much more resistant to GPU or ASIC.
1184:: bcrypt is more lightweight than Argon2. This may pose a problem for some web applications where usage of Argon2 would require lowering the security parameters to an unacceptable level in order to still be performant. Specifically, Argon2 is less secure than bcrypt for run times less than 1 second (i.e., for common password authentication). Argon2 does not match or surpass bcrypt's strength until exceeding ≈1000ms runtimes. This may be unsuitable for password hashing, but is perfectly acceptable for key-derivation. In some cases, Argon2 is recommended over bcrypt, if the security parameters are high enough.
1370:
206:
salt and password are used to set all subkeys. There are then a number of rounds in which the standard
Blowfish keying algorithm is applied, using alternatively the salt and the password as the key, each round starting with the subkey state from the previous round. In theory, this is no stronger than the standard Blowfish key schedule, but the number of rekeying rounds is configurable; this process can therefore be made arbitrarily slow, which helps deter brute-force attacks upon the hash or salt.
3068:
1168:: pbkdf2 is weaker than bcrypt. The commonly used SHA2 hashing algorithm is not memory-hard. SHA2 is designed to be extremely lightweight so it can run on lightweight devices (e.g. smart cards). This means PBKDF2 is very weak for password storage, as commodity SHA-2 hashing hardware that can perform trillions of hashes per second is easily procured.
1111:
into numeric values for the algorithm. One brief comment in the text mentions, but does not mandate, the possibility of simply using the ASCII encoded value of a character string: "Finally, the key argument is a secret encryption key, which can be a user-chosen password of up to 56 bytes (including a
214:
The input to the bcrypt function is the password string (up to 72 bytes), a numeric cost, and a 16-byte (128-bit) salt value. The salt is typically a random value. The bcrypt function uses these inputs to compute a 24-byte (192-bit) hash. The final output of the bcrypt function is a string of the
205:
Provos and Mazières took advantage of this, and took it further. They developed a new key setup algorithm for
Blowfish, dubbing the resulting cipher "Eksblowfish" ("expensive key schedule Blowfish"). The key setup begins with a modified form of the standard Blowfish key setup, in which both the
201:
Blowfish is notable among block ciphers for its expensive key setup phase. It starts off with subkeys in a standard state, then uses this state to perform a block encryption using part of the key, and uses the result of that encryption (which is more accurate at hashing) to replace some of the
401:
A bug was discovered in the OpenBSD implementation of bcrypt. It was using an unsigned 8-bit value to hold the length of the password. For passwords longer than 255 bytes, instead of being truncated at 72 bytes the password would be truncated at the lesser of 72 or the length
1115:
Note that the quote above mentions passwords "up to 56 bytes" even though the algorithm itself makes use of a 72 byte initial value. Although Provos and Mazières do not state the reason for the shorter restriction, they may have been motivated by the following statement from
202:
subkeys. Then it uses this modified state to encrypt another part of the key, and uses the result to replace more of the subkeys. It proceeds in this fashion, using a progressively modified state to hash the key and replace bits of state, until all subkeys have been set.
1106:
The mathematical algorithm itself requires initialization with 18 32-bit subkeys (equivalent to 72 octets/bytes). The original specification of bcrypt does not mandate any one particular method for mapping text-based passwords from
1176:: scrypt is weaker than bcrypt for memory requirements less than 4 MB. scrypt requires approximately 1000 times the memory of bcrypt to achieve a comparable level of defense against GPU based attacks (for password storage).
1129:
Implementations have varied in their approach of converting passwords into initial numeric values, including sometimes reducing the strength of passwords containing non-ASCII characters.
344:
The original specification did not define how to handle non-ASCII character, nor how to handle a null terminator. The specification was revised to specify that when hashing strings:
3048:
2878:
1771:
370:, a PHP implementation of bcrypt. It was mis-handling characters with the 8th bit set. They suggested that system administrators update their existing password database, replacing
232:$ 2a$ 12$ R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW \__/\/ \____________________/\_____________________________/ Alg Cost Salt Hash
743:
2731:
2651:
2039:
2068:
1923:
1670:
1526:
3096:
1156:
password-based key derivation functions - where the output is then used for the purpose of password hashing rather than just key derivation.
1375:
1551:
SUSE's crypt() implementation supports the blowfish password hashing function (id $ 2a) and system logins by default also use this method.
1767:
2595:
119:
attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to
2428:
1836:
3106:
2724:
1264:
In the worst case a password is limited to 18 characters, when every character requires 4 bytes of UTF-8 encoding. For example:
1159:
Password hashing generally needs to complete < 1000 ms. In this scenario, bcrypt is stronger than pbkdf2, scrypt, and argon2.
1881:
3101:
2032:
725:
InitialState works as in the original
Blowfish algorithm, populating the P-array and S-box entries with the fractional part of
2927:
2636:
2121:
2073:
154:
378:, to indicate that those hashes are bad (and need to use the old broken algorithm). They also suggested the idea of having
2423:
190:
162:
2717:
2641:
1387:
3043:
2998:
2811:
2410:
2052:
2048:
186:
170:
71:
2922:
2025:
1909:
389:
Nobody else, including
Canonical and OpenBSD, adopted the idea of 2x/2y. This version marker change was limited to
1103:
Many implementations of bcrypt truncate the password to the first 72 bytes, following the OpenBSD implementation.
3038:
2667:
2306:
166:
96:
1141:. For example, bcrypt cannot be used to derive a 512-bit key from a password. At the same time, algorithms like
3028:
3018:
2873:
2646:
2482:
2181:
2176:
409:
bcrypt was created for OpenBSD. When they had a bug in their library, they decided to bump the version number.
146:
3023:
3013:
2816:
2776:
2769:
2759:
2754:
2569:
2389:
1138:
1083:
is the same as regular
Blowfish key schedule since all XORs with the all-zero salt value are ineffectual.
406:
256. For example, a 260 byte password would be truncated at 4 bytes rather than truncated at 72 bytes.
2764:
2677:
2063:
1238:
The password (which is UTF-8 encoded), is repeated until it is 72-bytes long. For example, a password of:
1984:
1538:
3071:
2917:
2863:
2692:
2342:
2296:
2186:
2144:
2129:
2111:
1493:
574:
The bcrypt algorithm depends heavily on its "Eksblowfish" key setup algorithm, which runs as follows:
3033:
2957:
2362:
2266:
2216:
2191:
1691:
1208:
bcrypt has a maximum password length of 72 bytes. This maximum comes from the first operation of the
81:
1795:"Fast Software Encryption, Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)"
2796:
2687:
2564:
2513:
2452:
2271:
2231:
2211:
112:
1466:
2902:
2886:
2833:
2621:
2605:
2554:
2139:
1120:'s original specification of Blowfish, "The 448 limit on the key size ensures that the [
403:
158:
135:
120:
1712:
1321:
It is unclear why the canonical implementation deletes 8-bits from the resulting password hash.
2962:
2952:
2823:
2498:
422:
104:
59:
20:
2897:
2585:
2539:
2301:
1191:
269:
2600:
2549:
2544:
2332:
1749:
728:
2972:
2892:
2853:
2801:
2786:
2590:
2318:
1417:
1117:
127:
1895:
1849:
3090:
3053:
3008:
2967:
2947:
2843:
2806:
2781:
2682:
2559:
2261:
116:
1812:
3003:
2848:
2838:
2828:
2791:
2740:
1794:
1462:
1405:
100:
40:
1867:
1475:
2982:
2672:
2518:
2447:
2443:
2352:
1625:"bcrypt - A Java standalone implementation of the bcrypt password hash function"
273:
1582:
2942:
2912:
2907:
2868:
1819:
1365:
1108:
630://Initialize P (Subkeys), and S (Substitution boxes) with the hex digits of pi
174:
139:
2932:
2347:
1564:
1534:
1399:
1393:
1347:
299:
2134:
1600:
1948:
1731:
2977:
2937:
2626:
2523:
2508:
2503:
2493:
2457:
2377:
2291:
2171:
1648:
1440:
1396:- blowfish-based cross-platform file encryption utility developed in 2002
1251:
Is repeated until it matches the 72-bytes of the 18 P per-round subkeys:
1966:
1896:"Argon2 vs bcrypt vs. scrypt: which hashing algorithm is right for you?"
1514:
minimal change to implementation of bcrypt to not require static globals
1342:
The encoding used by the canonical OpenBSD implementation uses the same
1256:
correct horse battery staple␀correct horse battery staple␀correct horse
853://Treat the 128-bit salt as two 64-bit halves (the Blowfish block size).
2462:
2418:
2196:
1624:
1501:
1300:
85 20 af 9f 03 3d b3 8c 08 5f d2 5e 2d aa 5e 84 a2 b9 61 d2 f1 29 c9 a4
260:: A base-64 encoding of the first 23 bytes of the computed 24 byte hash
131:
1282:
The bcrypt algorithm involves repeatedly encrypting the 24-byte text:
425:. In bcrypt the usual Blowfish key setup function is replaced with an
2858:
2631:
2372:
2367:
2327:
2286:
2281:
2276:
2256:
2251:
2226:
2221:
2206:
2166:
1479:
1434:
1428:
1422:
1411:
1383:
1355:
1343:
1180:
1172:
1164:
1150:
1146:
1142:
276:
108:
1478:. Vol. Proceedings of the FREENIX Track. Monterey, California:
1313:
85 20 af 9f 03 3d b3 8c 08 5f d2 5e 2d aa 5e 84 a2 b9 61 d2 f1 29 c9
1713:"bcrypt password hash bugs fixed, version changes and consequences"
150:
2357:
2246:
2201:
2149:
2106:
2101:
2095:
2004:
1732:"oss-sec: CVE request: crypt_blowfish 8-bit character mishandling"
1126:] every bit of every subkey depends on every bit of the key."
1431:- a widely used standard Password-Based Key Derivation Function 2
1354:. This means the encoding is not compatible with the more common
1308:
The canonical OpenBSD implementation truncates this to 23 bytes:
503://Repeatedly encrypt the text "OrpheanBeholderScryDoubt" 64 times
304:
format used when storing passwords in the OpenBSD password file:
2472:
2467:
2438:
2433:
2397:
1936:
1352:./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
266:./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
178:
2713:
2021:
1504:. 23 March 2014. Revision 1.32 (first mention of bcrypt in log)
2241:
2236:
2089:
1122:
466://Initialize Blowfish state with expensive key setup algorithm
182:
1565:"Bcrypt Elixir: bcrypt password hashing algorithm for Elixir"
1437:- password-based key derivation function (and also a utility)
668://This is the "Expensive" part of the "Expensive Key Setup".
1324:
These 23 bytes become 31 characters when radix-64 encoded:
1967:"T2 package - trunk - bcrypt - A utility to encrypt files"
1949:"bcrypt APK for Android - free download on Droid Informer"
2005:
crypt_blowfish, the implementation maintained by
Openwall
1112:
terminating zero byte when the key is an ASCII string)."
229:, and a random salt, the output of bcrypt is the string
2879:
Cryptographically secure pseudorandom number generator
1664:
1662:
870://Initialize an 8-byte (64-bit) buffer with all zeros.
292:
The original bcrypt specification defined a prefix of
1850:"Goldshell KD6 profitability | ASIC Miner Value"
1692:"Modular Crypt Format — Passlib v1.7.1 Documentation"
731:
2009:
2991:
2747:
2660:
2614:
2578:
2532:
2481:
2409:
2386:
2315:
2159:
2120:
2082:
971://Mix encrypted state into the internal S-boxes of
671://Otherwise the key setup is identical to Blowfish.
80:
70:
65:
55:
47:
36:
31:
737:
602:(Iterations). e.g. 12 ==> 2 = 4,096 iterations
449:(Iterations). e.g. 12 ==> 2 = 4,096 iterations
1527:"SUSE Security Announcement: (SUSE-SA:2011:035)"
1095:is similar, but uses the salt as a 128-bit key.
641://Permute P and S based on the password and salt
123:attacks even with increasing computation power.
1707:
1705:
1133:Comparison to other password hashing algorithms
623:array of four SBoxes; each SBox is 256 UInt32 (
1190:is an evolution of bcrypt that uses a tunable
455:password: array of Bytes (1..72 bytes)
451:salt: array of Bytes (16 bytes)
443:cost: Number (4..31)
264:The base-64 encoding in bcrypt uses the table
2725:
2033:
1295:This generates 24 bytes of ciphertext, e.g.:
1216:the 18 4-byte subkeys (P) with the password:
1137:It is important to note that bcrypt is not a
540://encrypt using standard Blowfish in ECB mode
386:for hashes generated by the fixed algorithm.
355:With this change, the version was changed to
8:
1601:"jBCrypt - strong password hashing for Java"
417:The bcrypt function below encrypts the text
126:The bcrypt function is the default password
26:
19:For the bcrypt file encryption utility, see
753:The ExpandKey function does the following:
2732:
2718:
2710:
2040:
2026:
2018:
2014:
2010:
925://encrypt block using current key schedule
1494:"CVS log for src/lib/libc/crypt/bcrypt.c"
730:
609:P: array of UInt32
596:cost: Number (4..31)
592:salt: array of Bytes (16 bytes)
588:password: array of Bytes (1..72 bytes)
472://S: Four substitution boxes (S-boxes), S
1820:"Changes in CRYPT_BLOWFISH in PHP 5.3.7"
1457:
1455:
796:P: array of UInt32
783:password: array of Bytes (1..72 bytes)
767:P: array of UInt32
242:: The hash algorithm identifier (bcrypt)
1937:bcrypt file encryption program homepage
1799:Cambridge Security Workshop Proceedings
1476:1999 USENIX Annual Technical Conference
1451:
813://Mix password into the P subkeys array
464:hash: array of Bytes (24 bytes)
429:key setup (EksBlowfishSetup) function:
145:There are implementations of bcrypt in
366:In June 2011, a bug was discovered in
254:: A base-64 encoding of the input salt
25:
16:Password-based key derivation function
1774:from the original on 18 February 2022
1563:Whitlock, David (21 September 2021).
915://each iteration alternating between
515://24 bytes ==> three 64-bit blocks
335:: SHA-512-based crypt ('sha512crypt')
329:: SHA-256-based crypt ('sha256crypt')
7:
1910:"OWASP Password Storage Cheat Sheet"
1376:Free and open-source software portal
1269:𐑜𐑝𐑟𐑥𐑷𐑻𐑽𐑾𐑿𐑿𐑰𐑩𐑛𐑙𐑘𐑙𐑒𐑔
787:salt: Byte
480:. Each S-box is 1,024 bytes (UInt32)
351:the null terminator must be included
1671:"bcrypt.c source code, lines 57-58"
621:: array of UInt32
1669:Provos, Niels (13 February 1997).
1468:A Future-Adaptable Password Scheme
14:
1793:Schneier, Bruce (December 1993).
1750:"'bcrypt version changes' - MARC"
874://Mix internal state into P-boxes
469://P: array of 18 subkeys (UInt32)
323:: SHA-1-based crypt ('sha1crypt')
317:: Blowfish-based crypt ('bcrypt')
248:: Input cost (2 i.e. 4096 rounds)
221:For example, with input password
111:in 1999. Besides incorporating a
103:and David Mazières, based on the
3067:
3066:
1768:"bcrypt.c code fix for 2014 bug"
1537:. 23 August 2011. Archived from
1368:
348:the string must be UTF-8 encoded
1329:fQAtluK7q2uGV7HcJYncfII3WbJvIai
258:PST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
134:, and was the default for some
2928:Information-theoretic security
2637:NIST hash function competition
1882:"Why I Don't Recommend Scrypt"
850://treat the password as cyclic
311:: MD5-based crypt ('md5crypt')
1:
1868:"Goldshell KD6 Profitability"
1465:, Maziéres D (10 June 1999).
1243:correct horse battery staple␀
1139:key derivation function (KDF)
798:Array of 18 per-round subkeys
611:array of 18 per-round subkeys
3097:Cryptographic hash functions
2642:Password Hashing Competition
2053:message authentication codes
2049:Cryptographic hash functions
1388:Password Hashing Competition
808:: UInt32
779:: UInt32
3044:Message authentication code
2999:Cryptographic hash function
2812:Cryptographic hash function
2596:Merkle–Damgård construction
1813:"jBCrypt security advisory"
1801:. Springer-Verlag: 191–204.
362:$ 2x$ , $ 2y$ (June 2011)
86:variable via cost parameter
3123:
2923:Harvest now, decrypt later
547:is resulting password hash
511:"OrpheanBeholderScryDoubt"
419:"OrpheanBeholderScryDoubt"
18:
3062:
3039:Post-quantum cryptography
2709:
2059:
2017:
2013:
1985:"Oracle GoldenGateのライセンス"
1402:- Unix C library function
1272:(18 characters, 72 bytes)
97:password-hashing function
3107:Key derivation functions
3029:Quantum key distribution
3019:Authenticated encryption
2874:Random number generation
2390:key derivation functions
1924:"Product Specifications"
1338:base64 encoding alphabet
1287:OrpheanBeholderScryDoubt
1278:Password hash truncation
107:cipher and presented at
3024:Public-key cryptography
3014:Symmetric-key algorithm
2817:Key derivation function
2777:Cryptographic primitive
2770:Authentication protocol
2760:Outline of cryptography
2755:History of cryptography
2668:Hash-based cryptography
2570:Length extension attack
1204:Maximum password length
901:with a 64-bit salt half
867://Upper 64-bits of salt
860://Lower 64-bits of salt
397:$ 2b$ (February 2014)
218:$ 2<a/b/x/y>$ $
3102:Cryptographic software
2765:Cryptographic protocol
2678:Message authentication
1854:www.asicminervalue.com
1696:passlib.readthedocs.io
1480:The USENIX Association
785:UTF-8 encoded password
739:
590:UTF-8 encoded password
457:UTF-8 encoded password
252:R9h/cIPz0gi.URNNX3kh2O
2918:End-to-end encryption
2864:Cryptojacking malware
740:
694:, password, 0)
639:← InitialState()
268:, which differs from
193:and other languages.
3034:Quantum cryptography
2958:Trusted timestamping
1837:Secure Hash Standard
1770:. 17 February 2014.
738:{\displaystyle \pi }
729:
582:EksBlowfishSetup
2797:Cryptographic nonce
2565:Side-channel attack
1531:Security Advisories
951://lower 32-bits of
769:Array of 18 subkeys
627:each SBox is 1 KiB)
570:Expensive key setup
489:← EksBlowfishSetup(
296:. This follows the
136:Linux distributions
115:to protect against
28:
2903:Subliminal channel
2887:Pseudorandom noise
2834:Key (cryptography)
2622:CAESAR Competition
2606:HAIFA construction
2555:Brute-force attack
1815:. 1 February 2010.
1655:. 7 February 2017.
1235:xor passwordBytes
735:
283:Versioning history
159:Embarcadero Delphi
121:brute-force search
3084:
3083:
3080:
3079:
2963:Key-based routing
2953:Trapdoor function
2824:Digital signature
2705:
2704:
2701:
2700:
2499:ChaCha20-Poly1305
2316:Password hashing/
1953:droidinformer.org
1730:Designer, Solar.
90:
89:
60:Blowfish (cipher)
21:Blowfish (cipher)
3114:
3070:
3069:
2898:Insecure channel
2734:
2727:
2720:
2711:
2586:Avalanche effect
2540:Collision attack
2083:Common functions
2042:
2035:
2028:
2019:
2015:
2011:
1993:
1992:
1981:
1975:
1974:
1963:
1957:
1956:
1945:
1939:
1934:
1928:
1927:
1920:
1914:
1913:
1906:
1900:
1899:
1892:
1886:
1885:
1884:. 12 March 2014.
1878:
1872:
1871:
1864:
1858:
1857:
1846:
1840:
1834:
1828:
1827:
1816:
1809:
1803:
1802:
1790:
1784:
1783:
1781:
1779:
1764:
1758:
1757:
1746:
1740:
1739:
1727:
1721:
1720:
1709:
1700:
1699:
1688:
1682:
1681:
1679:
1677:
1666:
1657:
1656:
1645:
1639:
1638:
1636:
1635:
1621:
1615:
1614:
1612:
1611:
1597:
1591:
1590:
1583:"Package bcrypt"
1579:
1573:
1572:
1560:
1554:
1553:
1548:
1546:
1523:
1517:
1516:
1511:
1509:
1490:
1484:
1483:
1473:
1459:
1386:- winner of the
1378:
1373:
1372:
1371:
1353:
1330:
1314:
1301:
1288:
1270:
1257:
1244:
1215:
1192:memory footprint
1094:
1082:
1065:
1060:
1049:
1038:
1031:
1015:
1009:
1000:
995:
989:
980:
975:
969:
965://upper 32-bits
955:
926:
923:
902:
895:
889:
880:
875:
871:
868:
861:
854:
851:
845:
834:
828:
819:
814:
811:
810:Four 1 KB SBoxes
799:
795:
790:
786:
782:
781:Four 1 KB SBoxes
770:
766:
760:
745:in hexadecimal.
744:
742:
741:
736:
715:
677:
672:
669:
642:
631:
628:
612:
608:
603:
595:
591:
587:
581:
553:
548:
541:
521:
516:
513:
504:
481:
470:
467:
463:
458:
454:
450:
442:
436:
385:
377:
373:
358:
334:
328:
322:
316:
310:
295:
267:
259:
253:
247:
241:
228:
224:
43:, David Mazières
29:
3122:
3121:
3117:
3116:
3115:
3113:
3112:
3111:
3087:
3086:
3085:
3076:
3058:
2987:
2743:
2738:
2697:
2656:
2615:Standardization
2610:
2601:Sponge function
2574:
2550:Birthday attack
2545:Preimage attack
2528:
2484:
2477:
2405:
2388:
2387:General purpose
2382:
2317:
2311:
2160:Other functions
2155:
2122:SHA-3 finalists
2116:
2078:
2055:
2046:
2001:
1996:
1989:docs.oracle.com
1983:
1982:
1978:
1965:
1964:
1960:
1947:
1946:
1942:
1935:
1931:
1922:
1921:
1917:
1908:
1907:
1903:
1894:
1893:
1889:
1880:
1879:
1875:
1866:
1865:
1861:
1848:
1847:
1843:
1835:
1831:
1818:
1811:
1810:
1806:
1792:
1791:
1787:
1777:
1775:
1766:
1765:
1761:
1748:
1747:
1743:
1729:
1728:
1724:
1711:
1710:
1703:
1690:
1689:
1685:
1675:
1673:
1668:
1667:
1660:
1647:
1646:
1642:
1633:
1631:
1623:
1622:
1618:
1609:
1607:
1605:www.mindrot.org
1599:
1598:
1594:
1581:
1580:
1576:
1562:
1561:
1557:
1544:
1542:
1541:on 4 March 2016
1525:
1524:
1520:
1507:
1505:
1492:
1491:
1487:
1471:
1461:
1460:
1453:
1449:
1374:
1369:
1367:
1364:
1351:
1340:
1332:(31-characters)
1328:
1312:
1299:
1286:
1280:
1268:
1255:
1242:
1236:
1234:
1230:
1226:
1222:
1213:
1206:
1201:
1135:
1101:
1084:
1072:
1069:
1061:
1059://upper 32-bits
1058:
1053:
1048://lower 32-bits
1047:
1042:
1036:
1027:
1011:
1005:
996:
991:
985:
976:
970:
964:
959:
950:
945:
924:
914:
896:
891:
885:
876:
873:
869:
866:
859:
852:
849:
843:
842:
838:
830:
824:
815:
812:
809:
807:
803:
797:
791:
788:
784:
780:
778:
774:
768:
762:
756:
751:
727:
726:
723:
711:
673:
670:
667:
640:
629:
622:
620:
616:
610:
604:
601:
597:
593:
589:
583:
577:
572:
567:
549:
542:
539:
517:
514:
509:
502:
479:
475:
471:
468:
465:
459:
456:
452:
448:
444:
438:
432:
421:64 times using
415:
383:
375:
371:
356:
332:
326:
320:
314:
308:
293:
285:
265:
257:
251:
245:
239:
233:
226:
222:
219:
212:
199:
48:First published
24:
17:
12:
11:
5:
3120:
3118:
3110:
3109:
3104:
3099:
3089:
3088:
3082:
3081:
3078:
3077:
3075:
3074:
3063:
3060:
3059:
3057:
3056:
3051:
3049:Random numbers
3046:
3041:
3036:
3031:
3026:
3021:
3016:
3011:
3006:
3001:
2995:
2993:
2989:
2988:
2986:
2985:
2980:
2975:
2973:Garlic routing
2970:
2965:
2960:
2955:
2950:
2945:
2940:
2935:
2930:
2925:
2920:
2915:
2910:
2905:
2900:
2895:
2893:Secure channel
2890:
2884:
2883:
2882:
2871:
2866:
2861:
2856:
2854:Key stretching
2851:
2846:
2841:
2836:
2831:
2826:
2821:
2820:
2819:
2814:
2804:
2802:Cryptovirology
2799:
2794:
2789:
2787:Cryptocurrency
2784:
2779:
2774:
2773:
2772:
2762:
2757:
2751:
2749:
2745:
2744:
2739:
2737:
2736:
2729:
2722:
2714:
2707:
2706:
2703:
2702:
2699:
2698:
2696:
2695:
2690:
2685:
2680:
2675:
2670:
2664:
2662:
2658:
2657:
2655:
2654:
2649:
2644:
2639:
2634:
2629:
2624:
2618:
2616:
2612:
2611:
2609:
2608:
2603:
2598:
2593:
2591:Hash collision
2588:
2582:
2580:
2576:
2575:
2573:
2572:
2567:
2562:
2557:
2552:
2547:
2542:
2536:
2534:
2530:
2529:
2527:
2526:
2521:
2516:
2511:
2506:
2501:
2496:
2490:
2488:
2479:
2478:
2476:
2475:
2470:
2465:
2460:
2455:
2450:
2441:
2436:
2431:
2426:
2421:
2415:
2413:
2407:
2406:
2404:
2403:
2400:
2394:
2392:
2384:
2383:
2381:
2380:
2375:
2370:
2365:
2360:
2355:
2350:
2345:
2340:
2335:
2330:
2324:
2322:
2319:key stretching
2313:
2312:
2310:
2309:
2304:
2299:
2294:
2289:
2284:
2279:
2274:
2269:
2264:
2259:
2254:
2249:
2244:
2239:
2234:
2229:
2224:
2219:
2214:
2209:
2204:
2199:
2194:
2189:
2184:
2179:
2174:
2169:
2163:
2161:
2157:
2156:
2154:
2153:
2147:
2142:
2137:
2132:
2126:
2124:
2118:
2117:
2115:
2114:
2109:
2104:
2099:
2093:
2086:
2084:
2080:
2079:
2077:
2076:
2071:
2066:
2060:
2057:
2056:
2047:
2045:
2044:
2037:
2030:
2022:
2008:
2007:
2000:
1999:External links
1997:
1995:
1994:
1976:
1958:
1940:
1929:
1915:
1901:
1887:
1873:
1859:
1841:
1829:
1804:
1785:
1759:
1741:
1722:
1701:
1683:
1658:
1640:
1616:
1592:
1574:
1555:
1518:
1498:CVS Repository
1485:
1450:
1448:
1445:
1444:
1443:
1438:
1432:
1426:
1420:
1418:Key stretching
1415:
1409:
1408:- Unix utility
1403:
1397:
1391:
1380:
1379:
1363:
1360:
1339:
1336:
1335:
1334:
1319:
1318:
1306:
1305:
1293:
1292:
1279:
1276:
1275:
1274:
1262:
1261:
1249:
1248:
1232:
1228:
1224:
1220:
1218:
1212:function that
1205:
1202:
1200:
1197:
1196:
1195:
1185:
1177:
1169:
1134:
1131:
1118:Bruce Schneier
1100:
1097:
1051:
1040:
957:
943:
840:
836:
805:
801:
776:
772:
755:
750:
747:
734:
710:, salt, 0)
618:
614:
599:
576:
571:
568:
477:
473:
446:
431:
414:
411:
391:crypt_blowfish
380:crypt_blowfish
368:crypt_blowfish
353:
352:
349:
337:
336:
330:
324:
318:
312:
284:
281:
262:
261:
255:
249:
243:
231:
217:
211:
208:
198:
195:
128:hash algorithm
88:
87:
84:
78:
77:
74:
68:
67:
63:
62:
57:
53:
52:
49:
45:
44:
38:
34:
33:
15:
13:
10:
9:
6:
4:
3:
2:
3119:
3108:
3105:
3103:
3100:
3098:
3095:
3094:
3092:
3073:
3065:
3064:
3061:
3055:
3054:Steganography
3052:
3050:
3047:
3045:
3042:
3040:
3037:
3035:
3032:
3030:
3027:
3025:
3022:
3020:
3017:
3015:
3012:
3010:
3009:Stream cipher
3007:
3005:
3002:
3000:
2997:
2996:
2994:
2990:
2984:
2981:
2979:
2976:
2974:
2971:
2969:
2968:Onion routing
2966:
2964:
2961:
2959:
2956:
2954:
2951:
2949:
2948:Shared secret
2946:
2944:
2941:
2939:
2936:
2934:
2931:
2929:
2926:
2924:
2921:
2919:
2916:
2914:
2911:
2909:
2906:
2904:
2901:
2899:
2896:
2894:
2891:
2888:
2885:
2880:
2877:
2876:
2875:
2872:
2870:
2867:
2865:
2862:
2860:
2857:
2855:
2852:
2850:
2847:
2845:
2844:Key generator
2842:
2840:
2837:
2835:
2832:
2830:
2827:
2825:
2822:
2818:
2815:
2813:
2810:
2809:
2808:
2807:Hash function
2805:
2803:
2800:
2798:
2795:
2793:
2790:
2788:
2785:
2783:
2782:Cryptanalysis
2780:
2778:
2775:
2771:
2768:
2767:
2766:
2763:
2761:
2758:
2756:
2753:
2752:
2750:
2746:
2742:
2735:
2730:
2728:
2723:
2721:
2716:
2715:
2712:
2708:
2694:
2691:
2689:
2686:
2684:
2683:Proof of work
2681:
2679:
2676:
2674:
2671:
2669:
2666:
2665:
2663:
2659:
2653:
2650:
2648:
2645:
2643:
2640:
2638:
2635:
2633:
2630:
2628:
2625:
2623:
2620:
2619:
2617:
2613:
2607:
2604:
2602:
2599:
2597:
2594:
2592:
2589:
2587:
2584:
2583:
2581:
2577:
2571:
2568:
2566:
2563:
2561:
2560:Rainbow table
2558:
2556:
2553:
2551:
2548:
2546:
2543:
2541:
2538:
2537:
2535:
2531:
2525:
2522:
2520:
2517:
2515:
2512:
2510:
2507:
2505:
2502:
2500:
2497:
2495:
2492:
2491:
2489:
2486:
2483:Authenticated
2480:
2474:
2471:
2469:
2466:
2464:
2461:
2459:
2456:
2454:
2451:
2449:
2445:
2442:
2440:
2437:
2435:
2432:
2430:
2427:
2425:
2422:
2420:
2417:
2416:
2414:
2412:
2411:MAC functions
2408:
2401:
2399:
2396:
2395:
2393:
2391:
2385:
2379:
2376:
2374:
2371:
2369:
2366:
2364:
2361:
2359:
2356:
2354:
2351:
2349:
2346:
2344:
2341:
2339:
2336:
2334:
2331:
2329:
2326:
2325:
2323:
2320:
2314:
2308:
2305:
2303:
2300:
2298:
2295:
2293:
2290:
2288:
2285:
2283:
2280:
2278:
2275:
2273:
2270:
2268:
2265:
2263:
2260:
2258:
2255:
2253:
2250:
2248:
2245:
2243:
2240:
2238:
2235:
2233:
2230:
2228:
2225:
2223:
2220:
2218:
2215:
2213:
2210:
2208:
2205:
2203:
2200:
2198:
2195:
2193:
2190:
2188:
2185:
2183:
2180:
2178:
2175:
2173:
2170:
2168:
2165:
2164:
2162:
2158:
2151:
2148:
2146:
2143:
2141:
2138:
2136:
2133:
2131:
2128:
2127:
2125:
2123:
2119:
2113:
2110:
2108:
2105:
2103:
2100:
2098:(compromised)
2097:
2094:
2092:(compromised)
2091:
2088:
2087:
2085:
2081:
2075:
2074:Known attacks
2072:
2070:
2067:
2065:
2062:
2061:
2058:
2054:
2050:
2043:
2038:
2036:
2031:
2029:
2024:
2023:
2020:
2016:
2012:
2006:
2003:
2002:
1998:
1990:
1986:
1980:
1977:
1972:
1968:
1962:
1959:
1954:
1950:
1944:
1941:
1938:
1933:
1930:
1925:
1919:
1916:
1911:
1905:
1902:
1898:. March 2023.
1897:
1891:
1888:
1883:
1877:
1874:
1869:
1863:
1860:
1855:
1851:
1845:
1842:
1838:
1833:
1830:
1825:
1821:
1814:
1808:
1805:
1800:
1796:
1789:
1786:
1773:
1769:
1763:
1760:
1755:
1751:
1745:
1742:
1737:
1733:
1726:
1723:
1718:
1714:
1708:
1706:
1702:
1697:
1693:
1687:
1684:
1672:
1665:
1663:
1659:
1654:
1650:
1644:
1641:
1630:
1626:
1620:
1617:
1606:
1602:
1596:
1593:
1588:
1584:
1578:
1575:
1570:
1566:
1559:
1556:
1552:
1540:
1536:
1532:
1528:
1522:
1519:
1515:
1503:
1499:
1495:
1489:
1486:
1481:
1477:
1470:
1469:
1464:
1458:
1456:
1452:
1446:
1442:
1439:
1436:
1433:
1430:
1427:
1424:
1421:
1419:
1416:
1413:
1410:
1407:
1404:
1401:
1398:
1395:
1392:
1389:
1385:
1382:
1381:
1377:
1366:
1361:
1359:
1357:
1349:
1345:
1337:
1333:
1327:
1326:
1325:
1322:
1317:
1311:
1310:
1309:
1304:
1298:
1297:
1296:
1291:
1285:
1284:
1283:
1277:
1273:
1267:
1266:
1265:
1260:
1254:
1253:
1252:
1247:
1241:
1240:
1239:
1217:
1211:
1203:
1198:
1193:
1189:
1186:
1183:
1182:
1178:
1175:
1174:
1170:
1167:
1166:
1162:
1161:
1160:
1157:
1155:
1152:
1148:
1144:
1140:
1132:
1130:
1127:
1125:
1124:
1119:
1113:
1110:
1104:
1098:
1096:
1092:
1088:
1080:
1076:
1068:
1064:
1057:
1046:
1034:
1030:
1026:
1022:
1018:
1014:
1008:
1003:
999:
994:
988:
983:
979:
974:
968:
963:
954:
949:
941:
937:
933:
929:
922:
918:
913:
909:
905:
900:
897://xor 64-bit
894:
888:
883:
879:
872:block ← 0
865:
858:
848:
833:
827:
822:
818:
794:
765:
761:ExpandKey
759:
754:
748:
746:
732:
722:
718:
714:
709:
705:
701:
697:
693:
689:
685:
681:
676:
665:
661:
657:
653:
649:
645:
638:
634:
626:
607:
586:
580:
575:
569:
565:
561:
557:
552:
546:
537:
533:
529:
526:← EncryptECB(
525:
520:
512:
507:
500:
496:
492:
488:
484:
462:
441:
435:
430:
428:
424:
420:
412:
410:
407:
405:
399:
398:
394:
392:
387:
381:
369:
364:
363:
359:
350:
347:
346:
345:
342:
341:
331:
325:
319:
313:
307:
306:
305:
303:
301:
290:
289:
288:$ 2$ (1999)
282:
280:
278:
275:
271:
256:
250:
244:
238:
237:
236:
230:
216:
209:
207:
203:
196:
194:
192:
188:
184:
180:
176:
172:
168:
164:
160:
156:
152:
148:
143:
141:
137:
133:
129:
124:
122:
118:
117:rainbow table
114:
110:
106:
102:
98:
94:
85:
83:
79:
75:
73:
69:
64:
61:
58:
54:
50:
46:
42:
39:
35:
30:
22:
3004:Block cipher
2849:Key schedule
2839:Key exchange
2829:Kleptography
2792:Cryptosystem
2741:Cryptography
2337:
1988:
1979:
1970:
1961:
1952:
1943:
1932:
1918:
1904:
1890:
1876:
1862:
1853:
1844:
1832:
1823:
1807:
1798:
1788:
1776:. Retrieved
1762:
1753:
1744:
1736:seclists.org
1735:
1725:
1717:undeadly.org
1716:
1695:
1686:
1674:. Retrieved
1652:
1643:
1632:. Retrieved
1628:
1619:
1608:. Retrieved
1604:
1595:
1586:
1577:
1568:
1558:
1550:
1543:. Retrieved
1539:the original
1530:
1521:
1513:
1506:. Retrieved
1497:
1488:
1467:
1346:alphabet as
1341:
1331:
1323:
1320:
1315:
1307:
1302:
1294:
1289:
1281:
1271:
1263:
1258:
1250:
1245:
1237:
1209:
1207:
1187:
1179:
1171:
1163:
1158:
1153:
1136:
1128:
1121:
1114:
1105:
1102:
1090:
1086:
1078:
1074:
1070:
1066:
1062:
1055:
1044:
1032:
1028:
1024:
1020:
1016:
1012:
1006:
1001:
997:
992:
986:
981:
977:
972:
966:
961:
952:
947:
939:
935:
931:
927:
920:
916:
911:
907:
903:
898:
892:
886:
881:
877:
863:
856:
846:
831:
825:
820:
816:
792:
763:
757:
752:
724:
720:
716:
712:
707:
703:
702:← ExpandKey(
699:
695:
691:
687:
686:← ExpandKey(
683:
679:
674:
663:
659:
655:
651:
650:← ExpandKey(
647:
643:
636:
632:
624:
605:
584:
578:
573:
563:
559:
555:
554:Concatenate(
550:
544:
535:
531:
527:
523:
518:
510:
505:
498:
494:
490:
486:
482:
460:
439:
433:
426:
418:
416:
408:
400:
396:
395:
390:
388:
379:
367:
365:
361:
360:
354:
343:
339:
338:
297:
291:
287:
286:
263:
234:
220:
213:
204:
200:
144:
125:
101:Niels Provos
99:designed by
92:
91:
72:Digest sizes
56:Derived from
41:Niels Provos
2992:Mathematics
2983:Mix network
2673:Merkle tree
2661:Utilization
2647:NSA Suite B
1778:17 February
1571:. riverrun.
1350:, which is
1188:pufferfish2
862:saltHalf ←
855:saltHalf ←
789:random salt
594:random salt
522:(64)
453:random salt
210:Description
3091:Categories
2943:Ciphertext
2913:Decryption
2908:Encryption
2869:Ransomware
2485:encryption
2262:RadioGatún
2069:Comparison
1676:29 January
1649:"bcryptjs"
1634:2018-07-19
1629:github.com
1610:2017-03-11
1447:References
1316:(23-bytes)
1303:(24-bytes)
1290:(24-bytes)
1259:(72 bytes)
1246:(29 bytes)
1199:Criticisms
1099:User input
1085:ExpandKey(
1073:ExpandKey(
1037://as above
1019:← Encrypt(
942:) P
930:← Encrypt(
749:Expand key
678:(2)
543://24-byte
437:bcrypt
279:encoding.
197:Background
175:JavaScript
140:SUSE Linux
2933:Plaintext
2402:KDF1/KDF2
2321:functions
2307:Whirlpool
1971:t2sde.org
1754:marc.info
1587:godoc.org
1545:20 August
1425:- utility
1414:- utility
1210:ExpandKey
733:π
427:expensive
413:Algorithm
223:abc123xyz
37:Designers
3072:Category
2978:Kademlia
2938:Codetext
2881:(CSPRNG)
2627:CRYPTREC
2458:Poly1305
2378:yescrypt
2292:Streebog
2172:CubeHash
2152:(winner)
1839:nist.gov
1772:Archived
1463:Provos N
1441:yescrypt
1362:See also
1356:RFC 4648
1109:userland
1033:saltHalf
921:saltHalf
917:saltHalf
912:saltHalf
847:password
758:Function
660:password
579:Function
501:)
491:password
434:Function
423:Blowfish
321:$ sha1$
298:Modular
138:such as
105:Blowfish
2748:General
2533:Attacks
2463:SipHash
2419:CBC-MAC
2353:LM hash
2333:Balloon
2197:HAS-160
1824:php.net
1502:OpenBSD
1390:in 2015
1071:Hence,
793:Output:
606:Output:
461:Output:
340:$ 2a$
235:Where:
225:, cost
132:OpenBSD
76:184 bit
32:General
2859:Keygen
2693:Pepper
2632:NESSIE
2579:Design
2373:scrypt
2368:PBKDF2
2343:Catena
2338:bcrypt
2328:Argon2
2287:Snefru
2282:Shabal
2277:SWIFFT
2257:RIPEMD
2252:N-hash
2227:MASH-2
2222:MASH-1
2207:Kupyna
2167:BLAKE3
2150:Keccak
2135:Grøstl
2112:BLAKE2
1569:GitHub
1508:25 May
1435:scrypt
1429:PBKDF2
1423:mcrypt
1412:ccrypt
1394:bcrypt
1384:Argon2
1344:Base64
1181:argon2
1173:scrypt
1165:PBKDF2
1151:argon2
1149:, and
1147:scrypt
1143:pbkdf2
1063:return
919:, and
764:Input:
713:return
675:repeat
585:Input:
551:return
519:repeat
440:Input:
404:modulo
384:$ 2y$
376:$ 2x$
372:$ 2a$
357:$ 2a$
302:Format
277:Base64
272:
240:$ 2a$
215:form:
191:python
163:Elixir
109:USENIX
93:bcrypt
82:Rounds
66:Detail
27:bcrypt
2889:(PRN)
2487:modes
2363:Makwa
2358:Lyra2
2348:crypt
2297:Tiger
2247:MDC-2
2202:HAVAL
2187:Fugue
2145:Skein
2130:BLAKE
2107:SHA-3
2102:SHA-2
2096:SHA-1
1472:(PDF)
1406:crypt
1400:crypt
1348:crypt
1214:xor's
1089:, 0,
1087:state
1077:, 0,
1075:state
1067:state
1056:block
1045:block
1025:block
1021:state
1017:block
973:state
967:block
962:block
953:block
948:block
940:block
928:block
908:block
904:block
899:block
666:)
564:ctext
545:ctext
536:ctext
524:ctext
506:ctext
382:emit
374:with
333:$ 6$
327:$ 5$
315:$ 2$
309:$ 1$
300:Crypt
294:$ 2$
95:is a
2688:Salt
2652:CNSA
2519:IAPM
2473:VMAC
2468:UMAC
2453:PMAC
2448:CMAC
2444:OMAC
2439:NMAC
2434:HMAC
2429:GMAC
2398:HKDF
2267:SIMD
2217:Lane
2192:GOST
2177:ECOH
2064:List
2051:and
1817:And
1780:2022
1678:2022
1547:2015
1535:SUSE
1510:2023
1091:salt
1010:127
1004:← 0
984:← 1
958:2n+1
910:xor
884:← 1
864:salt
857:salt
823:← 1
664:salt
625:i.e.
560:salt
556:cost
499:cost
495:salt
476:...S
274:4648
187:Ruby
179:Perl
171:Java
130:for
113:salt
51:1999
2524:OCB
2514:GCM
2509:EAX
2504:CWC
2494:CCM
2424:DAA
2302:VSH
2272:SM3
2242:MD6
2237:MD4
2232:MD2
2212:LSH
2182:FSB
2090:MD5
1653:npm
1231:..P
1227:← P
1223:..P
1154:are
1123:sic
1079:key
1029:xor
998:for
978:for
878:for
844:xor
839:← P
829:18
817:for
804:..S
775:..S
617:..S
598:log
445:log
270:RFC
183:PHP
151:C++
3093::
2140:JH
1987:.
1969:.
1951:.
1852:.
1822:.
1797:.
1752:.
1734:.
1715:.
1704:^
1694:.
1661:^
1651:.
1627:.
1603:.
1585:.
1567:.
1549:.
1533:.
1529:.
1512:.
1500:.
1496:.
1474:.
1454:^
1358:.
1233:18
1225:18
1145:,
1054:←
1043:←
1035:)
1023:,
1013:do
1007:to
993:do
990:4
987:to
960:←
946:←
944:2n
938:,
934:,
906:←
893:do
890:9
887:to
832:do
826:to
719:,
706:,
698:,
690:,
682:,
662:,
658:,
654:,
646:,
635:,
566:)
562:,
558:,
538:)
534:,
530:,
508:←
497:,
493:,
485:,
393:.
246:12
227:12
189:,
185:,
181:,
177:,
173:,
169:,
167:Go
165:,
161:,
157:,
155:C#
153:,
149:,
142:.
2733:e
2726:t
2719:v
2446:/
2041:e
2034:t
2027:v
1991:.
1973:.
1955:.
1926:.
1912:.
1870:.
1856:.
1826:.
1782:.
1756:.
1738:.
1719:.
1698:.
1680:.
1637:.
1613:.
1589:.
1482:.
1229:1
1221:1
1219:P
1093:)
1081:)
1052:i
1050:S
1041:i
1039:S
1002:n
982:i
956:P
936:S
932:P
882:n
841:n
837:n
835:P
821:n
806:4
802:1
800:S
777:4
773:1
771:S
721:S
717:P
708:S
704:P
700:S
696:P
692:S
688:P
684:S
680:P
656:S
652:P
648:S
644:P
637:S
633:P
619:4
615:1
613:S
600:2
532:S
528:P
487:S
483:P
478:3
474:0
447:2
147:C
23:.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.