Argon2 is a key derivation function that was selected as the winner of the 2015 Password Hashing Competition. It was designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from the University of Luxembourg. The reference implementation of Argon2 is released under a Creative Commons CC0 license (i.e. public domain) or the Apache License 2.0, and provides three related versions:
*Argon2d maximizes resistance to GPU cracking attacks. It accesses the memory array in a password dependent order, which reduces the possibility of time–memory trade-off (TMTO) attacks, but introduces possible side-channel attacks.
*Argon2i is optimized to resist side-channel attacks. It accesses the memory array in a password independent order.
*Argon2id is a hybrid version. It follows the Argon2i approach for the first half pass over memory and the Argon2d approach for subsequent passes. recommends using Argon2id if you do not know the difference between the types or you consider side-channel attacks to be a viable threat.
All three modes allow specification by three parameters that control:
*execution time
*memory required
*degree of parallelism
Cryptanalysis
While there is no public cryptanalysis applicable to Argon2d, there are two published attacks on the Argon2i function. The first attack is applicable only to the old version of Argon2i, while the second has been extended to the latest version (1.3).
The first attack shows that it is possible to compute a single-pass Argon2i function using between a quarter and a fifth of the desired space with no time penalty, and compute a multiple-pass Argon2i using only / (≈ /2.72) space with no time penalty. According to the Argon2 authors, this attack vector was fixed in version 1.3.
The second attack shows that Argon2i can be computed by an algorithm which has complexity O(
7/4 log()) for all choices of parameters (space cost), (time cost), and thread-count such that =∗. The Argon2 authors claim that this attack is not efficient if Argon2i is used with three or more passes.
However, Joël Alwen and Jeremiah Blocki improved the attack and showed that in order for the attack to fail, Argon2i v1.3 needs more than 10 passes over memory.
To address these concerns, RFC 9106 recommends using Argon2id to largely mitigate such attacks.
Algorithm
Function Argon2
    Inputs:
        password (P):       Bytes (0..2^32-1)    Password (or message) to be hashed
        salt (S):           Bytes (8..2^32-1)    Salt (16 bytes recommended for password hashing)
        parallelism (p):    Number (1..2^24-1)   Degree of parallelism (i.e. number of threads)
        tagLength (T):      Number (4..2^32-1)   Desired number of returned bytes
        memorySizeKB (m):   Number (8p..2^32-1)  Amount of memory (in kibibytes) to use
        iterations (t):     Number (1..2^32-1)   Number of iterations to perform
        version (v):        Number (0x13)        The current version is 0x13 (19 decimal)
        key (K):            Bytes (0..2^32-1)    Optional key (Errata: PDF says 0..32 bytes, RFC says 0..2^32 bytes)
        associatedData (X): Bytes (0..2^32-1)    Optional arbitrary extra data
        hashType (y):       Number (0=Argon2d, 1=Argon2i, 2=Argon2id)
    Output:
        tag:                Bytes (tagLength)    The resulting generated bytes, tagLength bytes long
    Generate initial 64-byte block H0.
        All the input parameters are concatenated and input as a source of additional entropy.
        Errata: RFC says H0 is 64-bits; PDF says H0 is 64-bytes.
        Errata: RFC says the Hash is H^, the PDF says it's ℋ (but doesn't document what ℋ is). It's actually Blake2b.
        Variable length items are prepended with their length as 32-bit little-endian integers.
    buffer ← parallelism ∥ tagLength ∥ memorySizeKB ∥ iterations ∥ version ∥ hashType
             ∥ Length(password) ∥ Password
             ∥ Length(salt) ∥ salt
             ∥ Length(key) ∥ key
             ∥ Length(associatedData) ∥ associatedData
    H0 ← Blake2b(buffer, 64) //default hash size of Blake2b is 64-bytes
    Calculate number of 1 KB blocks by rounding down memorySizeKB to the nearest multiple of 4*parallelism kibibytes
    blockCount ← Floor(memorySizeKB, 4*parallelism)

    Allocate two-dimensional array of 1 KiB blocks (parallelism rows x columnCount columns)
    columnCount ← blockCount / parallelism;   //In the RFC, columnCount is referred to as q
    Compute the first and second block (i.e. column zero and one) of each lane (i.e. row)
    for i ← 0 to parallelism-1 do //for each row
        B_i[0] ← Hash(H0 ∥ 0 ∥ i, 1024) //Generate a 1024-byte digest
        B_i[1] ← Hash(H0 ∥ 1 ∥ i, 1024) //Generate a 1024-byte digest
    Compute remaining columns of each lane
    for i ← 0 to parallelism-1 do //for each row
        for j ← 2 to columnCount-1 do //for each subsequent column
            //i' and j' indexes depend if it's Argon2i, Argon2d, or Argon2id (See section 3.4)
            i′, j′ ← GetBlockIndexes(i, j)  //the GetBlockIndexes function is not defined
            B_i[j] = G(B_i[j-1], B_i′[j′])  //the G hash function is not defined
    Further passes when iterations > 1
    for nIteration ← 2 to iterations do
        for i ← 0 to parallelism-1 do //for each row
            for j ← 0 to columnCount-1 do //for each subsequent column
                //i' and j' indexes depend if it's Argon2i, Argon2d, or Argon2id (See section 3.4)
                i′, j′ ← GetBlockIndexes(i, j)
                if j == 0 then
                    B_i[0] = B_i[0] xor G(B_i[columnCount-1], B_i′[j′])
                else
                    B_i[j] = B_i[j] xor G(B_i[j-1], B_i′[j′])
    Compute final block C as the XOR of the last column of each row
    C ← B_0[columnCount-1]
    for i ← 1 to parallelism-1 do
        C ← C xor B_i[columnCount-1]

    Compute output tag
    return Hash(C, tagLength)
Variable-length hash function
Argon2 makes use of a hash function capable of producing digests up to 2^32 bytes long. This hash function is internally built upon Blake2.
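The setup steps of the algorithm above (H0, the memory layout, and columns zero and one of each lane), as an added Python example that is not the reference implementation. The function names are chosen here, the sample input is constructed, and `h_prime` follows the variable-length hash construction in RFC 9106 section 3.3, which this page does not spell out.

```python
import hashlib
import struct

ARGON2_VERSION = 0x13
BLOCK_SIZE = 1024  # bytes per memory block

def le32(n):
    """Encode n as a 32-bit little-endian integer."""
    return struct.pack("<I", n)

def h_prime(data, out_len):
    """Variable-length hash (H' in RFC 9106 section 3.3) built on BLAKE2b."""
    prefixed = le32(out_len) + data
    if out_len <= 64:
        return hashlib.blake2b(prefixed, digest_size=out_len).digest()
    r = -(-out_len // 32) - 2  # ceil(out_len / 32) - 2 chained 64-byte digests
    v = hashlib.blake2b(prefixed, digest_size=64).digest()
    out = v[:32]
    for _ in range(r - 1):
        v = hashlib.blake2b(v, digest_size=64).digest()
        out += v[:32]  # keep only the first half of each intermediate digest
    return out + hashlib.blake2b(v, digest_size=out_len - 32 * r).digest()

def initial_hash(password, salt, parallelism, tag_length, memory_kib,
                 iterations, hash_type, key=b"", associated_data=b""):
    """H0: BLAKE2b-512 over the parameters and the length-prefixed inputs."""
    if len(salt) < 8:
        raise ValueError("salt must be at least 8 bytes")
    if memory_kib < 8 * parallelism:
        raise ValueError("memorySizeKB must be at least 8 * parallelism")
    buf = b"".join(le32(x) for x in (parallelism, tag_length, memory_kib,
                                     iterations, ARGON2_VERSION, hash_type))
    for item in (password, salt, key, associated_data):
        buf += le32(len(item)) + item
    return hashlib.blake2b(buf, digest_size=64).digest()

def first_columns(h0, parallelism, memory_kib):
    """Return (columnCount, lanes); lanes[i] holds [B_i[0], B_i[1]]."""
    block_count = memory_kib // (4 * parallelism) * (4 * parallelism)
    column_count = block_count // parallelism
    lanes = [[h_prime(h0 + le32(col) + le32(i), BLOCK_SIZE) for col in (0, 1)]
             for i in range(parallelism)]
    return column_count, lanes

if __name__ == "__main__":
    # Constructed sample input, not a published test vector.
    h0 = initial_hash(b"password", b"somesalt-16bytes", 4, 32, 35, 3, 2)
    cols, lanes = first_columns(h0, 4, 35)
    print(h0.hex(), cols, lanes[0][0][:8].hex())
```

Because every variable-length input is length-prefixed, moving a byte from the salt into the password changes H0 even though the concatenated bytes are the same.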
Recommended minimum parameters
As of May 2023, OWASP's Password Storage Cheat Sheet recommends that people "use Argon2id with a minimum configuration of 19 MiB of memory, an iteration count of 2, and 1 degree of parallelism."
OWASP recommends that Argon2id should be preferred over Argon2d and Argon2i because it provides a balanced resistance to both GPU-based attacks and side-channel attacks.
OWASP further notes that the following Argon2id options provide equivalent cryptographic strength and simply trade off memory usage for compute workload:
* Memory: 46 MiB, Iterations: 1, Parallelism: 1
* Memory: 19 MiB, Iterations: 2, Parallelism: 1
* Memory: 12 MiB, Iterations: 3, Parallelism: 1
* Memory: 9 MiB, Iterations: 4, Parallelism: 1
* Memory: 7 MiB, Iterations: 5, Parallelism: 1
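An added example (not from OWASP or the Argon2 project) that audits stored hashes against the list above and against the version 1.3 fix mentioned under Cryptanalysis. It assumes hashes are kept in the `$argon2id$v=19$m=...,t=...,p=...$salt$hash` encoded string form produced by the reference implementation, a format this page does not describe; the sample strings in the code are constructed.

```python
import re

# The equivalent Argon2id configurations listed above, as
# (memory in KiB, iterations); parallelism is 1 in every row.
OWASP_MINIMA = [(46 * 1024, 1), (19 * 1024, 2), (12 * 1024, 3),
                (9 * 1024, 4), (7 * 1024, 5)]

# Assumed storage format: the encoded string of the reference implementation.
ENCODED_RE = re.compile(
    r"^\$(argon2(?:id|i|d))(?:\$v=(\d+))?\$m=(\d+),t=(\d+),p=(\d+)\$")

def audit_hash(encoded):
    """Return a list of findings; an empty list means the hash passes."""
    match = ENCODED_RE.match(encoded)
    if not match:
        return ["not a recognised Argon2 encoded hash"]
    variant, v, mem, t, _p = match.groups()
    # The reference decoder treats a string without a v= field as version 0x10.
    version = int(v) if v else 0x10
    mem, t = int(mem), int(t)
    findings = []
    if variant != "argon2id":
        findings.append(f"{variant} used; Argon2id is preferred")
    if version != 0x13:
        findings.append(f"version {version:#x} is not the current 0x13")
    # A configuration passes if it meets or exceeds at least one listed row.
    if not any(mem >= need_m and t >= need_t for need_m, need_t in OWASP_MINIMA):
        findings.append(f"m={mem} KiB, t={t} is below every listed minimum")
    return findings

if __name__ == "__main__":
    # Constructed samples; the salt and hash fields are placeholders.
    samples = [
        "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$aGFzaA",
        "$argon2id$v=19$m=16384,t=2,p=1$c2FsdA$aGFzaA",
        "$argon2i$m=65536,t=3,p=4$c2FsdA$aGFzaA",
    ]
    for s in samples:
        print(s.split("$")[1:4], audit_hash(s) or "ok")
```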
External links
* Argon2 source code repository on Github
* Argon2 specification
* Password Hashing Competition
* Uni.Lu Argon2 Page
* Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks
* Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications