Argon2
Argon2 is a key derivation function that was selected as the winner of the Password Hashing Competition in July 2015.[1][2] It was designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from University of Luxembourg.[3] Argon2 is released under a Creative Commons CC0 license, and provides three related versions:
- Argon2d maximizes resistance to GPU cracking attacks.
- Argon2i is optimized to resist side-channel attacks.
- Argon2id is a hybrid version out of Argon2d and Argon2i.
All three allow specification by three parameters that control:
- execution time
- memory required
- degree of parallelism
Cryptanalysis
While there is no public cryptanalysis applicable to Argon2d, there are two published attacks on the Argon2i function.
The first attack shows that it is possible to compute a single-pass Argon2i function using between a quarter and a fifth of the desired space with no time penalty, and compute a multiple-pass Argon2i using only N/e < N/2.71 space with no time penalty.[4] According to the Argon2 authors, this attack vector was fixed in version 1.3.[5]
The second attack shows that Argon2i can be computed by an algorithm which has complexity O(n7/4 log(n)) for all choices of parameters σ (space cost), τ (time cost), and thread-count such that n=σ∗τ.[6] The Argon2 authors claim that this attack is not efficient if Argon2i is used with three or more passes.[5] However, Joël Alwen and Jeremiah Blocki improved the attack and showed that in order for the attack to fail, Argon2i 1.3 needs more than 10 passes over memory.[7] Nevertheless the Argon2 engineers do not recommend that user implementations of Argon2 adjust the number of passes to be 10 or more.[8]
External links
References
- ↑ "Password Hashing Competition"
- ↑ Jos Wetzels (2016-02-08). "Open Sesame: The Password Hashing Competition and Argon2" (PDF).
- ↑ Argon2: the memory-hard function for password hashing and other applications, Alex Biryukov, et al, October 1, 2015
- ↑ Henry Corrigan-Gibbs, Dan Boneh, Stuart Schechter (2016-01-14). "Balloon Hashing: Provably Space-Hard Hash Functions with Data-Independent Access Patterns" (PDF).
- 1 2 "[Cfrg] Argon2 v.1.3". www.ietf.org. Retrieved 2016-10-30.
- ↑ Joel Alwen, Jeremiah Blocki (2016-02-19). "Efficiently Computing Data-Independent Memory-Hard Functions" (PDF).
- ↑ Joël Alwen, Jeremiah Blocki (2016-08-05). "Towards Practical Attacks on Argon2i and Balloon Hashing" (PDF).
- ↑ Khovratovich, Dmitry (2016-12-29). "Blocki and Alwen's second attack #182". GitHub. Retrieved 22 February 2017.