External report (Reports)
Argon and Argon2
Biryukov, Alex; Dinu, Dumitru-Daniel; Khovratovich, Dmitry
2015
 

Files


Full Text
Argon.pdf
Author preprint (564.62 kB)
Download

All documents in ORBilu are protected by a user license.

Send to



Details



Keywords :
password; hashing; competition; memory-hard; proof-of-work; tradeoff cryptanalysis
Abstract :
[en] This is a design specification for the functions Argon and Argon2 for the international password hashing competition (PHC), 2013-2015. Argon is our original submission to PHC. It is a multipurpose hash function, that is optimized for highest resilience against tradeoff attacks, so that any, even small memory reduction would lead to significant time and computational penalties. Argon can be used for password hashing, key derivation, or any other memory-hard computation (e.g., for cryptocurrencies). Argon2 summarizes the state of the art in the design of memory-hard functions. It is a streamlined and simple design. It aims at the highest memoryfilling rate and effective use of multiple computing units, while still providing defense against tradeoff attacks. Argon2 is optimized for the x86 architecture and exploits the cache and memory organization of the recent Intel and AMD processors. Argon2 has two variants: Argon2d and Argon2i. Argon2d is faster and uses data-depending memory access, which makes it suitable for cryptocurrencies and applications with no threats from side-channel timing attacks. Argon2i uses data-independent memory access, which is preferred for password hashing and password based key derivation. Argon2i is slower as it makes more passes over the memory to protect from tradeoff attacks. We recommend Argon for the applications that aim for the highest tradeoff resilience and want to guarantee prohibitive time and computational penalties on any memory-reducing implementation. According to our cryptanalytic algorithms, an attempt to use half of the requested memory (for instance, 64 MB instead of 128 MB) results in the speed penalty factor of 140 and in the penalty 218. The penalty grows exponentially as the available memory decreases, which effectively prohibits the adversary to use any smaller amount of memory. Such high computational penalties are a unique feature of Argon. We recommend Argon2 for the applications that aim for high performance. Both versions of Argon2 allow to fill 1 GB of RAM in a fraction of second, and smaller amounts even faster. It scales easily to the arbitrary number of parallel computing units. Its design is also optimized for clarity to ease analysis and implementation.
Disciplines :
Computer science
Author, co-author :
Biryukov, Alex ;  University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Dinu, Dumitru-Daniel ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Khovratovich, Dmitry ;  University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Language :
English
Title :
Argon and Argon2
Publication date :
January 2015
Publisher :
Password Hashing Competition (PHC)
Number of pages :
37
Available on ORBilu :
since 02 February 2015

Statistics


Number of views
635 (14 by Unilu)
Number of downloads
811 (13 by Unilu)

Bibliography


Similar publications



Contact ORBilu