Argon2 is a new hash function, which summarizes the state of the art in the design of memory-hard functions. It is a streamlined and simple design. It aims at the highest memory filling rate and effective use of multiple computing units, while still providing defense against tradeoff attacks. Argon2 is optimized for the x86 architecture and exploits the cache and memory organization of the recent Intel and AMD processors.
Argon2 has one primary variant: Argon2id, and two supplementary variants: Argon2d and Argon2i. Argon2d uses data-depending memory access, which makes it suitable for cryptocurrencies and proof-of-work applications with no threats from side-channel timing attacks. Argon2i uses data-independent memory access, which is preferred for password hashing and password-based key derivation. Argon2id works as Argon2i for the first half of the first iteration over the memory, and as Argon2d for the rest, thus providing both side-channel attack protection and brute-force cost savings due to time-memory tradeoffs. Argon2i makes more passes over the memory to protect from tradeoff attacks.
Winner of PHC
Argon2 (version 1.3) is the winner of the Password Hashing Competition.
IRTF draft of Argon2 (25.03.2017)
A. Biryukov, D. Dinu, and D. Khovratovich "Argon2, new generation of memory-hard functions for password hashing and other applications", Euro S&P 2016. If you need to cite Argon2: BibTex
A. Biryukov and D. Khovratovich "Fast and Tradeoff-Resilient Memory-Hard Functions for Cryptocurrencies and Password Hashing". Introduces Argon2 and its fast-verification feature.
It is a new concept that to remedy the disparity between hardware-equipped attackers and legitimate security engineers one has to amalgamate computing for security with a memory-hard function.
Alex Biryukov, Dmitry Khovratovich: Egalitarian Computing USENIX Security Symposium 2016: 315-326 (abstract, PDF)