From CryptoLUX
Jump to: navigation, search
We offer a new password hashing scheme called Argon2, which is optimized for security, clarity, and efficiency. 
It supersedes our previous PHC submission Argon in all aspects, especially speed.

Argon2 is a new hash function, which summarizes the state of the art in the design of memory-hard functions. It is a streamlined and simple design. It aims at the highest memory filling rate and effective use of multiple computing units, while still providing defense against tradeoff attacks. Argon2 is optimized for the x86 architecture and exploits the cache and memory organization of the recent Intel and AMD processors. Argon2 has two variants: Argon2d and Argon2i. Argon2d is faster and uses data-depending memory access, which makes it suitable for cryptocurrencies and applications with no threats from side-channel timing attacks. Argon2i uses data-independent memory access, which is preferred for password hashing and password-based key derivation. Argon2i is slower as it makes more passes over the memory to protect from tradeoff attacks. It summarizes the research our group has done in the concept of memory-hard functions and uses a number of novel ideas to achieve very high performance.

Argon renders the tradeoff attacks and thus the architecture switch highly inefficient. It can be used for password hashing, key derivation, or any other memory-hard computation (e.g., for cryptocurrencies).

Argon is simple. It uses the AES round function as the only external crypto primitive, and uses only XORs and block permutations as internal operations. Every operation is motivated by a certain goal.

Argon is secure. It is secure as a hash function, being a pseudorandom function of the salt. It is also secure against tradeoffs. According to our cryptanalytic algorithms, saving half of memory results in the speed penalty factor of 90 and higher. The penalty grows exponentially as the available memory decreases, which effectively prohibits the adversary to use any smaller amount of memory.

Argon is scalable. It may occupy any integer number of KBytes, and its performance depends strongly linearly on the memory use. Unlike some other schemes the total memory does not have to be a power of two. Argon is also efficient and can be parallelized on up to 32 threads/cores that share the same memory.

Being so demanding with regard to memory, the use of Argon guarantees that an adversary would have to use exactly the same hardware as the authentication server does. This allows a protocol designer to calculate the attack and defense costs easily and compute a secure set of parameters for Argon.

Reference and optimized implementations of Argon v.1

Design Rationality and Security Analysis of PHC Candidates: Overview

"Tradeoff cryptanalysis of password hashing schemes" -- Talk at PasswordsCon'14, extended version

Argon Presentation Slides

Reference and optimized implementations of Argon2

Research paper "Fast and Tradeoff-Resilient Memory-Hard Functions for Cryptocurrencies and Password Hashing". Introduces Argon2 and its fast-verification feature.

Specification of Argon2

Tradeoff attack on yescrypt

Argon v1 Reference Guide

Argon v0 Reference Guide