Scrypt is a password-based key derivation function used in many storage security applications. Scrypt is based on a memory-hard structure that is resistant to brute force attacks using specialized hardware. The security of the scrypt function depends mainly on cryptographic algorithms that are part of the memory-hard structure Salsa20/8 and SHA256. This article shows how to customize the scrypt function with new cryptographic algorithms such as ChaCha20 and SHA-3 to improve the security of the custom scrypt function, thereby combining with the AES algorithm to apply for encryption and decrypt stored data with reasonable time. The goal of the solution is to create a more secure commented key derivation function in near-equivalent performance, in acceptable time, to secure the stored data. The results are proven based on the comparison of theoretical and experimental basis in C/C++ programming language. The results of analysis and experiment show that the solution is good to apply data storage security in practice.

[1] C. Percival and S. Josefsson, The scrypt Password-Based Key Derivation Function, RFC 7914, August 2016.

[2] C. Percival, Stronger key derivation via sequential memory-hard functions, University of California, Santa Barbara, 2009.

[3] J. Alwen, B. Chen, K. Pietrzak, L. Reyzin, and S. Tessaro, “Scrypt Is Maximally Memory-Hard,” EUROCRYPT 2017, Part III, LNCS 10212, 2017, pp. 33–62.

[4] B. Kaliski, PKCS #5: Password-Based Cryptography Specification Version 2.0, RFC 2898, September 2000.

[5] D. J. Bernstein, ChaCha, a variant of Salsa20, The University of Illinois at Chicago, Chicago-USA, 2008.

[6] P. Yadav, I. Gupta, and S. K. Murthy, "Study and analysis of eSTREAM cipher Salsa and ChaCha," 2016 IEEE International Conference on Engineering and Technology (ICETECH), 2016, pp. 90-94, doi: 10.1109/ICETECH.2016.7569218.

[7] S. Miyashita, R. Ito, and A. Miyaji, "PNB-based Differential Cryptanalysis of ChaCha Stream Cipher," Cryptology ePrint Archive, 2021, Art. no. 1537.

[8] M. Coutinho and T. C. S. Neto, "Improved Linear Approximations to ARX ciphers and attacks against ChaCha." Cryptology ePrint Archive, 2021, Art. no.224.

[9] KDDI Research Inc., Security Analysis of ChaCha20-Poly1305, CRYPTREC-EX-2601-2016, 2017.

[10] P. McLaren, W. J. Buchanan, G. Russell, and Z. Tan, “Deriving ChaCha20 key streams from targeted memory analysis,” Journal of Information Security and Applications, vol. 48, 2019, Art. no. 102372.

[11] National Institute of Standards and Technology (NIST), FIPS 202: Sha-3 Standard: Permutation-Based Hash And Extendable Output Functions, August 2015.

[12] N. Bagheri, N. Ghaedi, and S. K. Sanadhya, “Differential Fault Analysis of SHA-3,” in Progress in Cryptology -- INDOCRYPT 2015, Lecture Notes in Computer Science, A. Biryukov and V Goyal (eds), vol. 9462, pp. 253–269, 2015, doi: 10.1007/978-3-319-26617-6_14.

[13] S. Nakov, Practical Cryptography for Developers, SoftUni, 2018.