Difference between revisions of "Argon2"

From CryptoLUX
Latest revision as of 22:07, 17 May 2017

Argon2

Argon2 is a new hash function that summarizes the state of the art in the design of memory-hard functions. It is a streamlined and simple design. It aims at the highest memory filling rate and effective use of multiple computing units, while still providing defense against tradeoff attacks. Argon2 is optimized for the x86 architecture and exploits the cache and memory organization of recent Intel and AMD processors.

Modes

Argon2 has one primary variant, Argon2id, and two supplementary variants, Argon2d and Argon2i. Argon2d uses data-dependent memory access, which makes it suitable for cryptocurrencies and proof-of-work applications with no threats from side-channel timing attacks. Argon2i uses data-independent memory access, which is preferred for password hashing and password-based key derivation. Argon2id works as Argon2i for the first half of the first iteration over the memory, and as Argon2d for the rest, thus providing both side-channel attack protection and brute-force cost savings due to time-memory tradeoffs. Argon2i makes more passes over the memory to protect from tradeoff attacks.
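As an added illustration (not code from the Argon2 project or from this page), the following Python reproduces two rules of the Argon2 v1.3 specification that the paragraph above describes: which segments of which pass use data-independent addressing in each variant, and the mapping of the 32-bit pseudo-random value J1 to the index of the block that gets referenced. The four-slice structure of a pass is taken from the specification; the function names and the sample parameters are assumptions made here.

```python
# Added example; mirrors the index_alpha() logic of the Argon2 v1.3 spec.
SYNC_POINTS = 4  # each pass over memory is split into 4 slices (segments per lane)

def data_independent_addressing(variant, pass_no, slice_no):
    """True when J1/J2 are derived from a counter (Argon2i style),
    False when they are read from the previous block (Argon2d style)."""
    if variant == "argon2i":
        return True
    if variant == "argon2d":
        return False
    if variant == "argon2id":
        # first half of the first pass is data-independent, the rest data-dependent
        return pass_no == 0 and slice_no < SYNC_POINTS // 2
    raise ValueError("unknown variant %r" % variant)

def data_dependent_segment_fraction(variant, passes):
    """Share of all segments (over `passes` passes) addressed data-dependently."""
    total = passes * SYNC_POINTS
    dependent = sum(1 for p in range(passes) for s in range(SYNC_POINTS)
                    if not data_independent_addressing(variant, p, s))
    return dependent / total

def reference_index(pass_no, slice_no, index, j1, same_lane, segment_length):
    """Map j1 (0 <= j1 < 2**32) to the index within the chosen lane of the block
    to reference, for block number `index` of the current segment."""
    lane_length = segment_length * SYNC_POINTS
    if pass_no == 0:
        if slice_no == 0:
            area = index - 1            # only earlier blocks of this segment
        elif same_lane:
            area = slice_no * segment_length + index - 1
        else:
            area = slice_no * segment_length + (-1 if index == 0 else 0)
    elif same_lane:
        area = lane_length - segment_length + index - 1
    else:
        area = lane_length - segment_length + (-1 if index == 0 else 0)
    # quadratic mapping: recently written blocks are chosen far more often
    x = (j1 * j1) >> 32
    y = (area * x) >> 32
    z = area - 1 - y
    start = 0
    if pass_no != 0 and slice_no != SYNC_POINTS - 1:
        start = (slice_no + 1) * segment_length  # skip the segment being overwritten
    return (start + z) % lane_length
```

With one pass, half of Argon2id's segments are addressed data-dependently; with three passes the share rises to 10 of 12, which is the tradeoff-resistance gain the text attributes to the Argon2d part.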

Winner of PHC

Argon2 (version 1.3) is the winner of the Password Hashing Competition.

Specification

Specification of Argon2 v 1.3 (24.03.2017)


IRTF draft of Argon2 (25.03.2017)

Implementations

Reference implementation in C89 (PHC release)

Links to bindings in other languages

Original implementations in C99 and C++11

Research

Design

A. Biryukov, D. Dinu, and D. Khovratovich "Argon2, new generation of memory-hard functions for password hashing and other applications", Euro S&P 2016. If you need to cite Argon2: BibTex

A. Biryukov and D. Khovratovich "Fast and Tradeoff-Resilient Memory-Hard Functions for Cryptocurrencies and Password Hashing". Introduces Argon2 and its fast-verification feature.

A. Biryukov and D. Khovratovich "Design Rationality and Security Analysis of PHC Candidates: Overview"

Attacks

J. Alwen and J. Blocki, "Towards Practical Attacks on Argon2i and Balloon Hashing" (e-print, 2016)

J. Alwen and J. Blocki, "Efficiently Computing Data-Independent Memory-Hard Functions" (Crypto 2016)

A. Biryukov and D. Khovratovich, "Tradeoff cryptanalysis of memory-hard functions" (Asiacrypt 2015); Talk at PasswordsCon'14; extended version.

Argon1 (deprecated)

Argon1 Presentation Slides

Argon1 Reference Guide

Reference and optimized implementations of Argon1

Other resources

Online hash generator

Go wrapper

Egalitarian Computing

Egalitarian computing is a new concept: to remedy the disparity between hardware-equipped attackers and legitimate security engineers, computing for security has to be amalgamated with a memory-hard function.

Alex Biryukov, Dmitry Khovratovich: Egalitarian Computing USENIX Security Symposium 2016: 315-326 (abstract, PDF)

"Argon2 and Egalitarian Computing" at Real World Cryptography 2016 (slides)

Asiacrypt 2015 rump session (slides)