Argon2

from Wikipedia, the free encyclopedia

Argon2 is a password hashing function that, besides authentication, can also be used for key derivation and for cryptocurrencies. The algorithm was presented in 2014 by Alex Biryukov, Daniel Dinu and Dmitry Khovratovich of the University of Luxembourg and won the Password Hashing Competition in 2015. Argon2 is memory-intensive and optimized for the x86 architecture. A core feature is a form of parallelism designed to prevent time-memory trade-offs.

Background

Password hashing is a method of deriving a cryptographic key from a password for encryption, or of storing a password for an authentication process. Earlier methods for this, such as bcrypt or PBKDF2, have proven to be very susceptible to attacks with specialized hardware (custom hardware attacks), with which large password lists in particular can be tried in a short time. A first alternative was the scrypt method, published in 2010, which is however complex to implement, which in turn makes its cryptanalysis difficult. In 2013 the Password Hashing Competition was launched to promote research into password hashing and to recommend an algorithm for practical use.

History

In 2014 the Argon algorithm was submitted to the Password Hashing Competition. Argon was based on the processor's AES instructions and thereby achieved a fast execution that could not be significantly exceeded even by specialized hardware.

On January 31, 2015 (Paper v2, p. 34), the Argon2 algorithm was presented alongside a modification of Argon. Argon2 dispenses with AES instructions and is instead based on the hash function BLAKE2b. Since this new algorithm was submitted during the second phase of the Password Hashing Competition, in which only minor changes (tweaks) were actually allowed, its admission had to be expressly decided by the committee of the Password Hashing Competition. On July 20, 2015, Argon2 was finally declared the winner of the selection process.

Structure

Argon2 builds a large vector in working memory, structured as a matrix to enable synchronized parallelism. The access pattern to the vector ensures that keeping only part of the vector in main memory is possible only at the cost of a much longer runtime. This prevents the algorithm from running much faster on specialized hardware with little memory (ASICs and others) than on a PC or server. To this end, an indexing function computes the indices of the vector that are accessed. In Argon2i this function is independent of the password and salt, but slower than in Argon2d, so that in the same time it can only process a smaller vector.

Argon2 uses

  • an internal compression function G with two 1024-byte inputs and one 1024-byte output: G is built from the round function P of BLAKE2b and comprises only one round
  • an internal hash function H (BLAKE2b)

The compression function G, the hash function H, the block length and the number of slices are in principle interchangeable, but they are fixed in the Argon2 reference implementation.

Concrete instances

Argon2d resists attacks with specialized hardware better, but it is vulnerable to cache-timing attacks. The authors suggest this variant for cryptocurrencies and backend servers.

Argon2i is suitable for scenarios in which an attacker might have access to the CPU on which Argon2 is running. The authors suggest password hashing and key derivation as its areas of application. An Internet Draft from August 2017 recommended the Argon2id variant for these scenarios.

Argon2i and Argon2d differ in how the indices of the vector are calculated: Argon2d computes the indices depending on the password and salt, whereas Argon2i computes them independently of the password and salt (depending, if at all, only on public input parameters).
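As an added illustration (not code from the article or from the Argon2 reference implementation), the following Python sketches how Argon2 turns a 32-bit value J1 into the index of a reference block, using the mapping from RFC 9106 that the article does not spell out, and where J1 and J2 come from in Argon2d versus Argon2i. The blake2b call that generates J1 and J2 for Argon2i is a labelled stand-in for Argon2's real G^2-based generator, and `prev_block`, `seg_len` and `lanes` are illustrative parameters chosen here.

```python
import hashlib

SYNC_POINTS = 4  # every lane is split into four slices (segments)

def map_to_ref_index(j1, pass_no, lane, slice_no, index, ref_lane, seg_len):
    """Map the 32-bit value J1 onto one already-computed block of ref_lane
    (RFC 9106 section 3.4.2) and return that block's index within the lane.
    Squaring J1 skews the distribution toward recently computed blocks."""
    if pass_no == 0 and slice_no == 0 and index < 2:
        raise ValueError("blocks 0 and 1 of each lane are derived from H0, not indexed")
    lane_len = SYNC_POINTS * seg_len
    same_lane = ref_lane == lane
    if pass_no == 0:
        # First pass: only blocks already computed in this pass are available.
        size = slice_no * seg_len + (index - 1 if same_lane else 0)
        start = 0
    else:
        # Later passes: everything except the current segment is available.
        size = lane_len - seg_len + (index - 1 if same_lane else 0)
        start = 0 if slice_no == SYNC_POINTS - 1 else (slice_no + 1) * seg_len
    if not same_lane and index == 0:
        size -= 1  # the previous segment's last block may not be finished in another lane
    x = (j1 * j1) >> 32                 # x = J1^2 / 2^32
    z = size - 1 - ((size * x) >> 32)   # z = |R| - 1 - |R| * x / 2^32
    return (start + z) % lane_len

def j1_and_ref_lane(variant, pass_no, lane, slice_no, index, prev_block, lanes):
    """Source of J1 and J2 (RFC 9106 section 3.4.1). Argon2d reads them from the
    previous block, so the access pattern depends on the data; Argon2i derives
    them from public position counters only. SIMPLIFICATION: blake2b over the
    counters stands in for Argon2's real G^2-based generator."""
    if variant == "d":
        material = prev_block[:8]
    else:
        material = hashlib.blake2b(
            f"{pass_no}:{lane}:{slice_no}:{index}".encode(), digest_size=8).digest()
    j1 = int.from_bytes(material[:4], "little")
    j2 = int.from_bytes(material[4:8], "little")
    # In pass 0, slice 0, a lane may only reference itself.
    ref_lane = lane if (pass_no == 0 and slice_no == 0) else j2 % lanes
    return j1, ref_lane

def reference_block(variant, pass_no, lane, slice_no, index, prev_block, lanes, seg_len):
    """Return (lane, index) of the block referenced when computing the current block."""
    j1, ref_lane = j1_and_ref_lane(variant, pass_no, lane, slice_no, index, prev_block, lanes)
    return ref_lane, map_to_ref_index(j1, pass_no, lane, slice_no, index, ref_lane, seg_len)

if __name__ == "__main__":
    # Constructed sample: the same position with two different previous blocks.
    for prev in (b"\x00" * 1024, b"\xff" * 1024):
        print("Argon2d:", reference_block("d", 0, 0, 0, 5, prev, 4, 16),
              "Argon2i:", reference_block("i", 0, 0, 0, 5, prev, 4, 16))
```

Running it shows the Argon2d reference moving with the block contents while the Argon2i reference stays fixed, which is exactly the property that makes Argon2i's access pattern useless to a cache-timing observer.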

With version v1.2.1 from February 2016, Argon2id was introduced as an optional instance that combines both variants. With respect to cache-timing attacks, this variant has a hybrid structure similar to the Lyra2 and Pomelo schemes.

Recommended parameters

The choice of parameters depends on the system on which Argon2 runs. The authors do not set any default parameters.

  • Memory m: as high as possible and tolerable
  • Time t: as high as possible and tolerable
  • Parallelism p: twice the number of processor cores
  • Length of salt (at least 128 bits) and tag (at least 128 bits)

For certain applications, the authors suggest the following values for computing time and memory requirements:

  • Argon2d for cryptocurrencies: 0.1 s, with one core (p = 2), 256 MB RAM
  • Argon2d for backend server authentication: 0.5 s, with 4 cores (p = 8), 4 GB RAM
  • Argon2i for key derivation for hard disk encryption: 3 s, with 2 cores (p = 4), 6 GB RAM
  • Argon2i for front-end server authentication: 0.5 s, with 2 cores (p = 4), 1 GB RAM

Security

In January 2016 a cryptanalysis of the Argon2i variant was published which allows it to be computed with less main memory (by a factor of 2.72 to 4) in the same computing time. Version 1.3, published in 2017, was a response to this analysis.

In August 2016, Joël Alwen and Jeremiah Blocki extended their previously published attack to the new version of Argon2i. They showed that, under certain assumptions about future hardware, their attack can drastically reduce the energy complexity of Argon2i without parallelism (p = 1).

So far, no practical attack has been published on the Argon2d variant or the hybrid Argon2id.

License

Argon2 is available under CC0, i.e. effectively in the public domain (also explicitly listed as such on the PHC site as of 2020-02-12).
