Exploiting an HMAC-SHA-1 optimization to speed up PBKDF2
IEEE Transactions on Dependable and Secure Computing (IF 7.0), Pub Date: 2020-07-01, DOI: 10.1109/tdsc.2018.2878697
Andrea Visconti , Federico Gorla

PBKDF2 [1] is a well-known password-based key derivation function. In order to slow attackers down, PBKDF2 introduces CPU-intensive operations based on an iterated pseudorandom function (in our case HMAC-SHA-1). If we are able to speed up a SHA-1 or an HMAC implementation, we are able to speed up PBKDF2-HMAC-SHA-1. This means that a performance improvement might be exploited by regular users and attackers alike. Interestingly, FIPS 198-1 [2] suggests that it is possible to precompute the first message block of a keyed hash function only once, store that value and use it each time it is needed [3]. Therefore the computation of the first message block does not contribute to slowing attackers down, which makes the computation of the second message block crucial. In this paper we focus on the latter, investigating the possibility of avoiding part of the HMAC-SHA-1 operations. We show that some CPU-intensive operations may be replaced with a set of equivalent, but less onerous, instructions. We identify useless XOR operations by exploiting and extending Intel optimizations [4] and by applying the Boyar-Peralta heuristic [5]. In addition, we provide an alternative method to compute the SHA-1 message scheduling function and explain why attackers might exploit these findings to speed up a brute-force attack against PBKDF2.
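The premise of the abstract, that the keyed first block of each HMAC-SHA-1 invocation can be computed once per password and reused across all PBKDF2 iterations, is easy to make concrete. The example below is added here and is not code from the paper or its authors: it implements PBKDF2-HMAC-SHA-1 twice, once textbook-style with a fresh HMAC per PRF call and once with the inner (K xor ipad) and outer (K xor opad) SHA-1 states precomputed and copied, and it counts the SHA-1 compression calls each variant spends per iteration. It relies only on the Python standard library; the function names and the compression-count helper are this example's own, and the check against `hashlib.pbkdf2_hmac` confirms that both variants compute the same key.

```python
import hashlib
import hmac

BLOCK_SIZE = 64   # SHA-1 block size in bytes
DIGEST_SIZE = 20  # SHA-1 output size in bytes


def _sha1_blocks(msg_len: int) -> int:
    """Compression calls SHA-1 needs for msg_len bytes: padding adds one
    0x80 byte and an 8-byte length field, then rounds up to a full block."""
    return (msg_len + 9 + BLOCK_SIZE - 1) // BLOCK_SIZE


def hmac_compressions(msg_len: int, precomputed: bool) -> int:
    """Compression calls for one HMAC-SHA-1 over msg_len bytes.
    The inner hash covers (K xor ipad) || msg, the outer hash covers
    (K xor opad) || inner_digest.  Each keyed first block is a full
    64-byte block, so precomputing both saves exactly two calls."""
    inner = _sha1_blocks(BLOCK_SIZE + msg_len)
    outer = _sha1_blocks(BLOCK_SIZE + DIGEST_SIZE)
    return inner + outer - (2 if precomputed else 0)


def _xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pbkdf2(prf, salt: bytes, iterations: int, dklen: int) -> bytes:
    """Generic PBKDF2 loop (RFC 8018) over an arbitrary PRF.  The PRF is
    called `iterations` times per output block; every call after the first
    takes the previous 20-byte digest as its message."""
    out = bytearray()
    block_index = 1
    while len(out) < dklen:
        u = prf(salt + block_index.to_bytes(4, "big"))
        t = u
        for _ in range(iterations - 1):
            u = prf(u)
            t = _xor_bytes(t, u)
        out += t
        block_index += 1
    return bytes(out[:dklen])


def pbkdf2_hmac_sha1_naive(password: bytes, salt: bytes,
                           iterations: int, dklen: int) -> bytes:
    """Textbook variant: every PRF call re-keys HMAC from scratch, so each
    iteration re-hashes both 64-byte keyed blocks (4 compressions)."""
    def prf(msg: bytes) -> bytes:
        return hmac.new(password, msg, hashlib.sha1).digest()
    return _pbkdf2(prf, salt, iterations, dklen)


def pbkdf2_hmac_sha1_precomputed(password: bytes, salt: bytes,
                                 iterations: int, dklen: int) -> bytes:
    """Optimised variant permitted by FIPS 198-1: the SHA-1 state after
    absorbing (K xor ipad) and (K xor opad) is computed once per password
    and copied for every PRF call, leaving 2 compressions per iteration."""
    key = hashlib.sha1(password).digest() if len(password) > BLOCK_SIZE else password
    key = key.ljust(BLOCK_SIZE, b"\x00")          # zero-pad to one block
    inner_state = hashlib.sha1(_xor_bytes(key, b"\x36" * BLOCK_SIZE))
    outer_state = hashlib.sha1(_xor_bytes(key, b"\x5c" * BLOCK_SIZE))

    def prf(msg: bytes) -> bytes:
        h = inner_state.copy()        # keyed first block already absorbed
        h.update(msg)
        o = outer_state.copy()
        o.update(h.digest())
        return o.digest()
    return _pbkdf2(prf, salt, iterations, dklen)


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """True when both variants agree with hashlib.pbkdf2_hmac (which itself
    uses the precomputed-state trick internally)."""
    expected = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)
    return (pbkdf2_hmac_sha1_naive(password, salt, iterations, dklen) == expected
            and pbkdf2_hmac_sha1_precomputed(password, salt, iterations, dklen) == expected)


if __name__ == "__main__":
    dk = pbkdf2_hmac_sha1_precomputed(b"password", b"salt", 4096, 20)
    print("derived key:", dk.hex())
    print("compressions per iteration, naive:", hmac_compressions(DIGEST_SIZE, False))
    print("compressions per iteration, precomputed:", hmac_compressions(DIGEST_SIZE, True))
    print("agrees with hashlib:", matches_stdlib(b"password", b"salt", 4096, 20))
```

The count is the whole point of the abstract: of the four SHA-1 compressions a textbook HMAC-SHA-1 spends per iteration, two belong to the keyed first blocks and are amortised to nothing over thousands of iterations, so only the remaining two (the inner hash of the 20-byte digest and the outer hash of the inner digest) stand between an attacker and a faster password guess. When sizing an iteration count, assume the attacker already has this optimisation.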

Updated: 2020-07-01