Re: [Cfrg] Balloon-Hashing or Argon2i.

Dmitry Khovratovich <> Tue, 31 May 2016 14:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2CF5C12D534 for <>; Tue, 31 May 2016 07:02:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TBe4RbVFwL2f for <>; Tue, 31 May 2016 07:02:18 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3C09B12D1EA for <>; Tue, 31 May 2016 07:02:18 -0700 (PDT)
Received: by with SMTP id z189so52415087itg.0 for <>; Tue, 31 May 2016 07:02:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=NGVBLD50fNbmXeEOTjstOEgfJOQob00g8D2ANvavSRc=; b=JxO+65p7oXarm9Gl+RYaN/0WutBLB/JwIFZ923MyrF+hlO7+0r+YuwSMtrT5BvoduM 1GM0+PZ+HskipbGMr9IzIn4Sis+ZjQrXyEXQ2vJM9Wr4zr8sWxXK9+dMBGhORPlXEyR0 KsgEtl/SGlybMYb+ZVH6CsrL0/CTx7VELOOvdcgMp9dMC1N9MvQx/uJXBkUT8gb6l9vg lkooyCkTtIL1IRHX7RKPVYVSkvu1e4NIDYsTiqAyv5YNzGSNHUza2uSEbu01JlsnVOAE 5yOu/Fl9ad4b2Fyia4PqfGeCCYQaSOfRx2BZnzWJqim8wIhwvDqnJRrFxvv5CV4hYjcZ 3q0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NGVBLD50fNbmXeEOTjstOEgfJOQob00g8D2ANvavSRc=; b=Ar0Dyaozm7+He/OYrzEIbc9Nz4GG1iWv82BWyBQmcw0q1NWHUreKMxl0TYjmW/Em55 PisxOWeY0Ic2fOvBokUH5aCUA38+STsDwF9Y1tdm+UCRNhwRo4GKeZOTWvnacM/p8Tm6 M514NWN6mX5MBxgSRftI48Ta8F171i8UBtEMIhKabAOve38uvbCdDzkGsa/L0I2Vu3QM OfpGvPJOofBaWIb+wlodWOOI87UFVQqKEs62ANFpIE/WRi3KhHULiKsNSQUeB2SLRtkK ZTO7pnL26TqwiEI+nFnjpEav9axy0yykmGRcMo7hyB8IYwNNnA32VbyeE3zF26YnlY1B yNLg==
X-Gm-Message-State: ALyK8tIow09lwuUBZdCuxwhxnZPk2wYPqXWNmQbr/BVqzkaW4o+vymash21ba14s0BgPgjkAKaT84y1zL0IjMw==
X-Received: by with SMTP id t73mr13614852ita.7.1464703337468; Tue, 31 May 2016 07:02:17 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Tue, 31 May 2016 07:02:02 -0700 (PDT)
In-Reply-To: <>
References: <> <>
From: Dmitry Khovratovich <>
Date: Tue, 31 May 2016 16:02:02 +0200
Message-ID: <>
To: Henry Corrigan-Gibbs <>
Content-Type: multipart/alternative; boundary="001a113532b421c37e053423d225"
Archived-At: <>
Resent-To: <>
Subject: Re: [Cfrg] Balloon-Hashing or Argon2i.
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 31 May 2016 14:02:28 -0000

Dear Henry,

thank you for the updated paper.

We appreciate your work on lower-bounding the Argon2i tradeoff resistance,
it is a very interesting result, and we hope to mention it in the
specification. However for your proof to work you instantiate Argon2  with
a collision resistant hash function. During the competition it became clear
that collision-resistance of the inner function is not needed in practice,
since the attacker does not control intermediate variables. It is similar
to the situation with block-ciphers like AES where a single round is
cryptographically weak, though you might want it to be a keyed PRP for the
sake of a proof. Worse enough, a full-round hash function with a narrow
block implies more frequent random memory access and more CPU load, which
together make a terrible impact on the performance. That's why we never
defined Argon2 for such hash functions, and recommend not calling such
modifications "Argon2".

This observation and possibly use of your own code for Argon2 causes
 performance comparison of your Balloon Hash design with Argon2i and other
designs to be incorrect.

in the introduction you write
"if we ... run the construction for five “rounds” of hashing, and set the
space parameter to require the attacker to use 1 MiB of working space to
compute the function, then we can compute Balloon Hashes at the rate of 13
hashes per second on a modern server, compared with 12.8 for Argon2i, and
2.1 for Catena DBG".

This statement underestimates the Argon2i performance by the factor of 30
(!) or so.

In detail. Argon2i makes much more than 13 hashes per second using 5
iterations and 1 MiB of memory. On my 2-core 2.3 GHz (i5-6200) laptop  it
computes 1000 hashes in 5.1-5.3 Gigacycles, thus averaging more than 400
hashes per second. I modified our benchmark settings for that, but even
with default ones (3 iterations, 1 hash) everyone can observe similar
performance by running 'make bench' +'./bench' using the source in

In the further text you write
"Let an authentication server must perform 100 hashes per second per
four-core machine, ... At the same authentication rate, Argon2i requires
the attacker to use a smaller buffer—roughly 1.5 MiB for the one-pass

This is again incorrect. Here are the numbers for 1-pass Argon2i: 2MiB:
225Mcycles, 16MiB: 1174 Mcycles, 32 MiB: 2532 Mcycles (a bit more than 1

So there is a factor of 20 underestimate here. (We also remind that 1-pass
Argon2i was never  recommended for practical use.)

Best regards,
the Argon2 team

On Mon, May 30, 2016 at 7:53 PM, Henry Corrigan-Gibbs <>

> Hi Joel,
> Since I am one of the designers of the Balloon Hashing algorithm, it would
> be difficult for me to give an unbiased opinion on the pros and cons of
> Argon2i versus Balloon.
> That said, we just updated the Balloon Hashing paper on ePrint:
> The revised paper includes some new results that might be relevant to CFRG
> discussions on password hashing. Let me summarize the new results here:
> (1) We prove (in the single-instance, random-oracle model) a new, stronger
> memory-hardness claim about the Balloon algorithm. We show that computing
> one instance of the Balloon function with space S and time T requires a
> space-time product that (roughly) satisfies:
> S . T >= n^2 / 8.
> As the adversary's space usage drops below a certain threshold (which
> depends on the parameter settings) the trade-off gets even worse for the
> adversary.
> (2) We refine the analysis of the single-buffer Balloon algorithm, and the
> refined analysis allows us to dramatically improve the parameters of the
> scheme. After this change, the performance of the single-buffer Balloon
> function *meets or exceeds* that of Argon2i when we instantiate both with
> Blake2b as the underlying cryptographic hash function. (Consult the paper
> for the details on this.) The single-buffer Balloon algorithm runs so
> quickly now that we decided that the other two Balloon variants
> (double-buffer and linear) were superfluous. The revised paper includes
> only the single-buffer scheme, which we now just call the "Balloon
> algorithm".
> (3) We discuss your (very cool) recent paper on parallel attacks on iMHFs
> and give some ideas on how to ameliorate them in the context of password
> hashing. Our recommendation is to follow Balloon Hashing with one round of
> scrypt (or even data-dependent Balloon). This composition apparently
> defends against either parallel attacks or cache attacks -- just not both
> at the same time. The design of the Argon2id function uses a similar idea.
> To us, this seems like a nice compromise between functionality and security.
> (4) We apply our analysis techniques to prove that Argon2i and a
> simplified variant of scrypt are also memory-hard, though with looser
> constants than one might like. We show that these two algorithms (again, in
> the single-instance random-oracle model) require space S and time T such
> that:
> S . T >= n^2 / C
> to compute with good probability. For Argon2i, we can prove this statement
> for C=192, and for scrypt with C=24. In contrast, we prove the claim with
> C=8 for Balloon, and we additionally prove much stronger time-space
> trade-offs for Balloon for very-small-space adversaries. From a "provable
> security" perspective then, Balloon seems to have an edge over the other
> practical constructions out there.
> If you find bugs or omissions in the ePrint draft, please let me know.
> Henry
> On 05/25/2016 12:50 PM, Joel Alwen wrote:
>> I was wondering what peoples opinion is on standardizing the
>> double-buffer balloon hashing (DB) construction rather than Argon2i.
>> Both in terms of arguments for and against.
>> I'm sure other people have thought about this much more though so I'd
>> love to hear what people think...
>> - Joel
>> _______________________________________________
>> Cfrg mailing list
> _______________________________________________
> Cfrg mailing list

Best regards,
Dmitry Khovratovich