Evaluation of password hashing competition finalists: performance, security, compliance mapping, and post-quantum readiness
| Field | Value | Language |
| --- | --- | --- |
| dc.authorid | 0009-0007-4263-5396 | |
| dc.authorid | 0000-0003-2865-6370 | |
| dc.contributor.author | Ulutaş, Erdem | en_US |
| dc.contributor.author | Çeliktaş, Barış | en_US |
| dc.date.accessioned | 2025-11-21T07:00:09Z | |
| dc.date.available | 2025-11-21T07:00:09Z | |
| dc.date.issued | 2025-11-15 | |
| dc.department | Işık University, School of Graduate Studies, Master’s Program in Cybersecurity | en_US |
| dc.department | Işık University, Faculty of Engineering and Natural Sciences, Department of Computer Engineering | en_US |
| dc.description.abstract | Password hashing functions and key derivation functions (KDFs) are central to authentication and cryptographic security schemes designed to protect user credentials from brute-force attacks and unauthorized access. Widely used password hashing algorithms such as PBKDF2, bcrypt, and scrypt fall short in the face of modern hardware acceleration, parallel processing, and advanced cryptanalytic attacks. To address these shortcomings, the Password Hashing Competition (PHC) was launched in 2013 and received 22 candidate password hashing functions. After thorough evaluation, 9 finalists were selected on the basis of security, speed, memory friendliness, flexibility, and efficiency. This study evaluates the nine PHC finalists—Argon2, battcrypt, Catena, Lyra2, MAKWA, Parallel, POMELO, Pufferfish, and yescrypt—through survey findings and performance benchmarks. We examine these functions from an architectural standpoint and study their security features, memory hardness, performance trade-offs, and practical usage. We also compare the finalists with traditional password hashing functions to highlight their advantages and limitations. We further investigate the post-quantum assumptions for password hashing: the effectiveness of these functions against quantum attacks, their place in a new cryptographic suite, and the role of peppering as an additional security measure. In addition, we perform a comprehensive compliance mapping of the PHC finalists against major global standards and regulations such as NIST SP 800-63B, OWASP ASVS, PCI DSS, GDPR, KVKK, and ISO/IEC 27001, highlighting their practical suitability for secure deployment in regulated environments. Finally, we provide usage recommendations for these functions for web authentication, KDFs, and embedded platforms. This paper serves as a reference for researchers, developers, and security engineers, while also introducing a compliance-aware, post-quantum-ready framework that bridges cryptographic design with regulatory and deployment needs. | en_US |
| dc.description.version | Publisher's Version | en_US |
| dc.identifier.citation | Ulutaş, E. & Çeliktaş, B. (2025). Evaluation of password hashing competition finalists: performance, security, compliance mapping, and post-quantum readiness. Black Sea Journal of Engineering and Science, 8(6), 1841-1855. doi:https://doi.org/10.34248/bsengineering.1670109 | en_US |
| dc.identifier.doi | 10.34248/bsengineering.1670109 | |
| dc.identifier.endpage | 1855 | |
| dc.identifier.issn | 2619-8991 | |
| dc.identifier.issue | 6 | |
| dc.identifier.startpage | 1841 | |
| dc.identifier.trdizinid | 1359469 | |
| dc.identifier.uri | https://hdl.handle.net/11729/6788 | |
| dc.identifier.uri | https://doi.org/10.34248/bsengineering.1670109 | |
| dc.identifier.uri | https://search.trdizin.gov.tr/tr/yayin/detay/1359469 | |
| dc.identifier.volume | 8 | |
| dc.indekslendigikaynak | TR-Dizin | en_US |
| dc.indekslendigikaynak | Sobiad | en_US |
| dc.institutionauthor | Ulutaş, Erdem | en_US |
| dc.institutionauthor | Çeliktaş, Barış | en_US |
| dc.institutionauthorid | 0009-0007-4263-5396 | |
| dc.institutionauthorid | 0000-0003-2865-6370 | |
| dc.language.iso | en | en_US |
| dc.peerreviewed | Yes | en_US |
| dc.publicationstatus | Published | en_US |
| dc.publisher | Karyay Karadeniz Yayımcılık Ve Organizasyon Ticaret Limited Şirketi | en_US |
| dc.relation.ispartof | Black Sea Journal of Engineering and Science | en_US |
| dc.relation.publicationcategory | Article - National Peer-Reviewed Journal - Student | en_US |
| dc.relation.publicationcategory | Article - National Peer-Reviewed Journal - Institutional Faculty Member | en_US |
| dc.rights | info:eu-repo/semantics/openAccess | en_US |
| dc.subject | Password hashing | en_US |
| dc.subject | Key derivation | en_US |
| dc.subject | Security | en_US |
| dc.subject | Performance | en_US |
| dc.subject | Quantum resistance | en_US |
| dc.subject | Compliance | en_US |
| dc.title | Evaluation of password hashing competition finalists: performance, security, compliance mapping, and post-quantum readiness | en_US |
| dc.type | Article | en_US |
| dspace.entity.type | Publication | en_US |
Files
Original bundle
- Name: Evaluation_of_password_hashing_competition_finalists_performance_security_compliance_mapping_and_post_quantum_readiness.pdf
- Size: 727.15 KB
- Format: Adobe Portable Document Format
License bundle
- Name: license.txt
- Size: 1.17 KB
- Format: Item-specific license agreed upon to submission