idnits 2.17.1 draft-irtf-cfrg-argon2-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == It seems as if not all pages are separated by form feeds - found 28 form feeds but 34 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 4 instances of too long lines in the document, the longest one being 111 characters in excess of 72. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 114: '... MUST be BLAKE2b....' RFC 2119 keyword, line 178: '...d hashing. Salt SHOULD be unique for ...' Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (November 22, 2018) is 1981 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '0' on line 761 -- Looks like a reference, but probably isn't: '1' on line 680 -- Looks like a reference, but probably isn't: '2' on line 681 -- Looks like a reference, but probably isn't: '3' on line 682 -- Looks like a reference, but probably isn't: '4' on line 683 -- Looks like a reference, but probably isn't: '5' on line 684 -- Looks like a reference, but probably isn't: '32' on line 1088 -- Looks like a reference, but probably isn't: '16' on line 1090 -- Looks like a reference, but probably isn't: '8' on line 1091 -- Looks like a reference, but probably isn't: '12' on line 1092 -- Looks like a reference, but probably isn't: '124' on line 1126 -- Looks like a reference, but probably isn't: '125' on line 1127 -- Looks like a reference, but probably isn't: '126' on line 1128 -- Looks like a reference, but probably isn't: '127' on line 1129 == Unused Reference: 'RFC7693' is defined on line 1219, but no explicit reference was found in the text == Unused Reference: 'ARGON2ESP' is defined on line 1239, but no explicit reference was found in the text -- Duplicate reference: RFC7693, mentioned in 'BLAKE2', was also mentioned in 'RFC7693'. Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 17 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. Biryukov 3 Internet-Draft D. Dinu 4 Intended status: Informational University of Luxembourg 5 Expires: May 26, 2019 D. Khovratovich 6 ABDK Consulting 7 S. Josefsson 8 SJD AB 9 November 22, 2018 11 The memory-hard Argon2 password hash and proof-of-work function 12 draft-irtf-cfrg-argon2-04 14 Abstract 16 This document describes the Argon2 memory-hard function for password 17 hashing and proof-of-work applications. We provide an implementer- 18 oriented description together with sample code and test vectors. The 19 purpose is to simplify adoption of Argon2 for Internet protocols. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at https://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on May 26, 2019. 38 Copyright Notice 40 Copyright (c) 2018 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (https://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 56 2. Notation and Conventions . . . . . . . . . . . . . . . . . . 3 57 3. Argon2 Algorithm . . . . . . . . . . . . . . . . . . . . . . 4 58 3.1. Argon2 Inputs and Outputs . . . . . . . . . . . . . . . . 4 59 3.2. Argon2 Operation . . . . . . . . . . . . . . . . . . . . 5 60 3.3. Variable-length hash function H' . . . . . . . . . . . . 6 61 3.4. Indexing . . . . . . . . . . . . . . . . . . . . . . . . 7 62 3.4.1. Getting the 32-bit values J_1 and J_2 . . . . . . . . 7 63 3.4.2. Mapping J_1 and J_2 to reference block index . . . . 8 64 3.5. Compression function G . . . . . . . . . . . . . . . . . 9 65 3.6. Permutation P . . . . . . . . . . . . . . . . . . . . . . 10 66 4. Parameter Choice . . . . . . . . . . . . . . . . . . . . . . 11 67 5. Example Code . . . . . . . . . . . . . . . . . . . . . . . . 13 68 6. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . 22 69 6.1. Argon2d Test Vectors . . . . . . . . . . . . . . . . . . 22 70 6.2. Argon2i Test Vectors . . . . . . . . . . . . . . . . . . 23 71 6.3. Argon2id Test Vectors . . . . . . . . . . . . . . . . . . 24 72 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 73 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 74 9. Security Considerations . . . . . . . . . . . . . . . . . . . 26 75 9.1. Security as hash function and KDF . . . . . . . . . . . . 26 76 9.2. Security against time-space tradeoff attacks . . . . . . 26 77 9.3. Security for time-bounded defenders . . . . . . . . . . . 27 78 9.4. Recommendations . . . . . . . . . . . . . . . . . . . . . 27 79 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 80 10.1. Normative References . . . . . . . . . . . . . . . . . . 27 81 10.2. Informative References . . . . . . . . . . . . . . . . . 27 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 84 1. Introduction 86 This document describes the Argon2 memory-hard function for password 87 hashing and proof-of-work applications. We provide an implementer 88 oriented description together with sample code and test vectors. The 89 purpose is to simplify adoption of Argon2 for Internet protocols. 90 This document corresponds to version 1.3 of the Argon2 hash function. 92 Argon2 summarizes the state of the art in the design of memory-hard 93 functions [HARD]. It is a streamlined and simple design. It aims at 94 the highest memory filling rate and effective use of multiple 95 computing units, while still providing defense against tradeoff 96 attacks. Argon2 is optimized for the x86 architecture and exploits 97 the cache and memory organization of the recent Intel and AMD 98 processors. Argon2 has one primary variant: Argon2id, and two 99 supplementary variants: Argon2d and Argon2i. Argon2d uses data- 100 dependent memory access, which makes it suitable for cryptocurrencies 101 and proof-of-work applications with no threats from side-channel 102 timing attacks. Argon2i uses data-independent memory access, which 103 is preferred for password hashing and password-based key derivation. 104 Argon2id works as Argon2i for the first half of the first iteration 105 over the memory, and as Argon2d for the rest, thus providing both 106 side-channel attack protection and brute-force cost savings due to 107 time-memory tradeoffs. Argon2i makes more passes over the memory to 108 protect from tradeoff attacks [AB15]. 110 Argon2 can be viewed as a mode of operation over a fixed-input-length 111 compression function G and a variable-input-length hash function H. 112 Even though Argon2 can be potentially used with arbitrary function H, 113 as long as it provides outputs up to 64 bytes, in this document it 114 MUST be BLAKE2b. 116 For further background and discussion, see the Argon2 paper [ARGON2]. 118 2. Notation and Conventions 120 x^y --- integer x multiplied by itself integer y times 122 a*b --- multiplication of integer a and integer b 124 c-d --- substraction of integer c with integer d 126 E_f --- variable E with subscript index f 128 g / h --- integer g divided by integer h. The result is rational 129 number 131 I(j) --- function I evaluated on integer parameter j 133 K || L --- string K concatenated with string L 135 a XOR b --- bitwise exclusive-or between bitstrings a and b 137 a mod b --- remainder of integer a modulo integer b, always in range 138 [0, b-1] 140 a >>> n --- rotation of 64-bit string a to the right by n bits 142 trunc(a) --- the 64-bit value, truncated to the 32 least significant 143 bits 144 floor(a) --- the largest integer not bigger than a 146 ceil(a) --- the smallest integer not smaller than a 148 extract(a, i) --- the i-th set of 32-bits from bitstring a, starting 149 from 0-th 151 |A| --- the number of elements in set A 153 LE32(a) --- 32-bit integer a converted to bytestring in little 154 endian. Example: 123456 (decimal) is 40 E2 01 00. 156 LE64(a) --- 64-bit integer a converted to bytestring in little 157 endian. Example: 123456 (decimal) is 40 E2 01 00 00 00 00 00. 159 int32(s) --- 32-bit string s is converted to non-negative integer in 160 little endian. 162 int64(s) --- 64-bit string s is converted to non-negative integer in 163 little endian. 165 length(P) --- the bytelength of string P expressed as 32-bit integer 167 3. Argon2 Algorithm 169 3.1. Argon2 Inputs and Outputs 171 Argon2 has the following input parameters: 173 o Message string P, which is a password for password hashing 174 applications. May have any length from 0 to 2^(32) - 1 bytes. 176 o Nonce S, which is a salt for password hashing applications. May 177 have any length from 8 to 2^(32)-1 bytes. 16 bytes is recommended 178 for password hashing. Salt SHOULD be unique for each password. 180 o Degree of parallelism p determines how many independent (but 181 synchronizing) computational chains (lanes) can be run. It may 182 take any integer value from 1 to 2^(24)-1. 184 o Tag length T may be any integer number of bytes from 4 to 2^(32)- 185 1. 187 o Memory size m can be any integer number of kibibytes from 8*p to 188 2^(32)-1. The actual number of blocks is m', which is m rounded 189 down to the nearest multiple of 4*p. 191 o Number of iterations t (used to tune the running time 192 independently of the memory size) can be any integer number from 1 193 to 2^(32)-1. 195 o Version number v is one byte 0x13. 197 o Secret value K (serves as key if necessary, but we do not assume 198 any key use by default) may have any length from 0 to 2^(32)-1 199 bytes. 201 o Associated data X may have any length from 0 to 2^(32)-1 bytes. 203 o Type y of Argon2: 0 for Argon2d, 1 for Argon2i, 2 for Argon2id. 205 The Argon2 output, or "tag" is a string T bytes long. 207 3.2. Argon2 Operation 209 Argon2 uses an internal compression function G with two 1024-byte 210 inputs and a 1024-byte output, and an internal hash function H^x() 211 with x being its output length in bytes. Here H^x() applied to 212 string A is the BLAKE2b [BLAKE2] function, which takes 213 (d,|dd|,kk=0,nn=x) as parameters where d is A padded to a multiple of 214 128 bytes and partitioned into 128-byte blocks. The compression 215 function G is based on its internal permutation. A variable-length 216 hash function H' built upon H is also used. G is described in 217 Section Section 3.5 and H' is described in Section Section 3.3. 219 The Argon2 operation is as follows. 221 1. Establish H_0 as the 64-byte value as shown below. 223 H_0 = H^(64)(LE32(p) || LE32(T) || LE32(m) || LE32(t) || LE32(v) || LE32(y) || LE32(length(P)) || P || LE32(length(S)) || S || LE32(length(K)) || K || LE32(length(X)) || X) 225 H_0 generation 227 2. Allocate the memory as m' 1024-byte blocks where m' is derived 228 as: 230 m' = 4 * p * floor (m / 4p) 232 Memory allocation 234 For p lanes, the memory is organized in a matrix B[i][j] of 235 blocks with p rows (lanes) and q = m' / p columns. 237 3. Compute B[i][0] for all i ranging from (and including) 0 to (not 238 including) p. 240 B[i][0] = H'^(128)(H_0 || LE32(0) || LE32(i)) 242 Lane starting blocks 244 4. Compute B[i][1] for all i ranging from (and including) 0 to (not 245 including) p. 247 B[i][1] = H'^(128)(H_0 || LE32(1) || LE32(i)) 249 Second lane blocks 251 5. Compute B[i][j] for all i ranging from (and including) 0 to (not 252 including) p, and for all j ranging from (and including) 2) to 253 (not including) q. The block indices l and z are determined for 254 each i, j differently for Argon2d, Argon2i, and Argon2id 255 (Section Section 3.4). 257 B[i][j] = G(B[i][j-1], B[l][z]) 259 Further block generation 261 6. If the number of iterations t is larger than 1, we repeat the 262 steps however replacing the computations with the following 263 expression: 265 B[i][0] = G(B[i][q-1], B[l][z]) 266 B[i][j] = G(B[i][j-1], B[l][z]) 268 Further passes 270 7. After t steps have been iterated, the final block C is computed 271 as the XOR of the last column: 273 C = B[0][q-1] XOR B[1][q-1] XOR ... XOR B[p-1][q-1] 275 Final block 277 8. The output tag is computed as H'^T(C). 279 3.3. Variable-length hash function H' 281 Let V_i be a 64-byte block, and W_i be its first 32 bytes. Then we 282 define: 284 if T <= 64 285 H'^T(A) = H^T(LE32(T)||A) 286 else 287 r = ceil(T/32)-2 288 V_1 = H^(64)(LE32(T)||A) 289 V_2 = H^(64)(V_1) 290 ... 291 V_r = H^(64)(V_{r-1}) 292 V_{r+1} = H^(T-32*r)(V_{r}) 293 H'^T(X) = W_1 || W_2 || ... || W_r || V_{r+1} 295 Tag computation 297 3.4. Indexing 299 To enable parallel block computation, we further partition the memory 300 matrix into S = 4 vertical slices. The intersection of a slice and a 301 lane is a segment of length q/S. Segments of the same slice are 302 computed in parallel and may not reference blocks from each other. 303 All other blocks can be referenced. 305 slice 0 slice 1 slice 2 slice 3 306 ___/\___ ___/\___ ___/\___ ___/\___ 307 / \ / \ / \ / \ 308 +----------+----------+----------+----------+ 309 | | | | | > lane 0 310 +----------+----------+----------+----------+ 311 | | | | | > lane 1 312 +----------+----------+----------+----------+ 313 | | | | | > lane 2 314 +----------+----------+----------+----------+ 315 | ... ... ... | ... 316 +----------+----------+----------+----------+ 317 | | | | | > lane p - 1 318 +----------+----------+----------+----------+ 320 Single-pass Argon2 with p lanes and 4 slices 322 3.4.1. Getting the 32-bit values J_1 and J_2 324 3.4.1.1. Argon2d 326 J_1 is given by the first 32 bits of block B[i][j-1], while J_2 is 327 given by the next 32-bits of block B[i][j-1]: 329 J_1 = int32(extract(B[i][j-1], 1)) 330 J_2 = int32(extract(B[i][j-1], 2)) 332 Deriving J1,J2 in Argon2d 334 3.4.1.2. Argon2i 336 Each application of the 2-round compression function G in the counter 337 mode gives 128 64-bit values X, which are viewed as X1||X2 and 338 converted to J_1=int32(X1) and J_2=int32(X2). The first input to G 339 is the all zero block and the second input to G is constructed as 340 follows: 342 ( LE64(r) || LE64(l) || LE64(s) || LE64(m') || LE64(t) || LE64(y) || LE64(i) || ZERO ), where 344 r -- the pass number 345 l -- the lane number 346 s -- the slice number 347 m' -- the total number of memory blocks 348 t -- the total number of passes 349 y -- the Argon2 type (0 for Argon2d, 1 for Argon2i, 2 for Argon2id) 350 i -- the counter (starts from 1 in each segment) 351 ZERO -- the 968-byte zero string. 353 Input to compute J1,J2 in Argon2i 355 The values r, l, s, m', t, x, i are represented as 8 bytes in little- 356 endian. 358 3.4.1.3. Argon2id 360 If the pass number is 0 and the slice number is 0 or 1, then compute 361 J_1 and J_2 as for Argon2i, else compute J_1 and J_2 as for Argon2d. 363 3.4.2. Mapping J_1 and J_2 to reference block index 365 The value of l = J_2 mod p gives the index of the lane from which the 366 block will be taken. For the firt pass (r=0) and the first slice 367 (s=0) the block is taken from the current lane. 369 The set W contains the indices that can be referenced according to 370 the following rules: 372 1. If l is the current lane, then W includes the indices of all 373 blocks in the last S - 1 = 3 segments computed and finished, as 374 well as the blocks computed in the current segment in the current 375 pass excluding B[i][j-1]. 377 2. If l is not the current lane, then W includes the indices of all 378 blocks in the last S - 1 = 3 segments computed and finished in 379 lane l. If B[i][j] is the first block of a segment, then the 380 very last index from W is excluded. 382 We are going to take a block from W with a non-uniform distribution 383 over [0, |W|) using the mapping 385 J_1 -> |W|(1 - J_1^2 / 2^(64)) 387 Computing J1 389 To avoid floating point computation, the following approximation is 390 used: 392 x = J_1^2 / 2^(32) 393 y = (|W| * x) / 2^(32) 394 z = |W| - 1 - y 396 Computing J1, part 2 398 The value of z gives the reference block index in W. 400 3.5. Compression function G 402 Compression function G is built upon the BLAKE2b round function P. P 403 operates on the 128-byte input, which can be viewed as 8 16-byte 404 registers: 406 P(A_0, A_1, ... ,A_7) = (B_0, B_1, ... ,B_7) 408 Blake round function P 410 Compression function G(X, Y) operates on two 1024-byte blocks X and 411 Y. It first computes R = X XOR Y. Then R is viewed as a 8x8 matrix 412 of 16-byte registers R_0, R_1, ... , R_63. Then P is first applied 413 to each row, and then to each column to get Z: 415 ( Q_0, Q_1, Q_2, ... , Q_7) <- P( R_0, R_1, R_2, ... , R_7) 416 ( Q_8, Q_9, Q_10, ... , Q_15) <- P( R_8, R_9, R_10, ... , R_15) 417 ... 418 (Q_56, Q_57, Q_58, ... , Q_63) <- P(R_56, R_57, R_58, ... , R_63) 419 ( Z_0, Z_8, Z_16, ... , Z_56) <- P( Q_0, Q_8, Q_16, ... , Q_56) 420 ( Z_1, Z_9, Z_17, ... , Z_57) <- P( Q_1, Q_9, Q_17, ... , Q_57) 421 ... 422 ( Z_7, Z_15, Z 23, ... , Z_63) <- P( Q_7, Q_15, Q_23, ... , Q_63) 424 Core of compression function G 426 Finally, G outputs Z XOR R: 428 G: (X, Y) -> R -> Q -> Z -> Z XOR R 430 +---+ +---+ 431 | X | | Y | 432 +---+ +---+ 433 | | 434 ---->XOR<---- 435 --------| 436 | \ / 437 | +---+ 438 | | R | 439 | +---+ 440 | | 441 | \ / 442 | P rowwise 443 | | 444 | \ / 445 | +---+ 446 | | Q | 447 | +---+ 448 | | 449 | \ / 450 | P columnwise 451 | | 452 | \ / 453 | +---+ 454 | | Z | 455 | +---+ 456 | | 457 | \ / 458 ------>XOR 459 | 460 \ / 462 Argon2 compression function G. 464 3.6. Permutation P 466 Permutation P is based on the round function of BLAKE2b. The 8 467 16-byte inputs S_0, S_1, ... , S_7 are viewed as a 4x4 matrix of 468 64-bit words, where S_i = (v_{2*i+1} || v_{2*i}): 470 v_0 v_1 v_2 v_3 471 v_4 v_5 v_6 v_7 472 v_8 v_9 v_10 v_11 473 v_12 v_13 v_14 v_15 475 Matrix element labeling 477 It works as follows: 479 GB(v_0, v_4, v_8, v_12) 480 GB(v_1, v_5, v_9, v_13) 481 GB(v_2, v_6, v_10, v_14) 482 GB(v_3, v_7, v_11, v_15) 484 GB(v_0, v_5, v_10, v_15) 485 GB(v_1, v_6, v_11, v_12) 486 GB(v_2, v_7, v_8, v_13) 487 GB(v_3, v_4, v_9, v_14) 489 Feeding matrix elements to GB 491 GB(a, b, c, d) is defined as follows: 493 a = (a + b + 2 * trunc(a) * trunc(b)) mod 2^(64) 494 d = (d XOR a) >>> 32 495 c = (c + d + 2 * trunc(c) * trunc(d)) mod 2^(64) 496 b = (b XOR c) >>> 24 498 a = (a + b + 2 * trunc(a) * trunc(b)) mod 2^(64) 499 d = (d XOR a) >>> 16 500 c = (c + d + 2 * trunc(c) * trunc(d)) mod 2^(64) 501 b = (b XOR c) >>> 63 503 Details of GB 505 The modular additions in GB are combined with 64-bit multiplications. 506 Multiplications are the only difference to the original BLAKE2b 507 design. This choice is done to increase the circuit depth and thus 508 the running time of ASIC implementations, while having roughly the 509 same running time on CPUs thanks to parallelism and pipelining. 511 4. Parameter Choice 513 Argon2d is optimized for settings where the adversary does not get 514 regular access to system memory or CPU, i.e. he can not run side- 515 channel attacks based on the timing information, nor he can recover 516 the password much faster using garbage collection. These settings 517 are more typical for backend servers and cryptocurrency minings. For 518 practice we suggest the following settings: 520 o Cryptocurrency mining, that takes 0.1 seconds on a 2 Ghz CPU using 521 1 core -- Argon2d with 2 lanes and 250 MB of RAM. 523 Argon2id is optimized for more realistic settings, where the 524 adversary possibly can access the same machine, use its CPU or mount 525 cold-boot attacks. We suggest the following settings: 527 o Backend server authentication, that takes 0.5 seconds on a 2 GHz 528 CPU using 4 cores -- Argon2id with 8 lanes and 4 GiB of RAM. 530 o Key derivation for hard-drive encryption, that takes 3 seconds on 531 a 2 GHz CPU using 2 cores - Argon2id with 4 lanes and 6 GiB of 532 RAM. 534 o Frontend server authentication, that takes 0.5 seconds on a 2 GHz 535 CPU using 2 cores - Argon2id with 4 lanes and 1 GiB of RAM. 537 We recommend the following procedure to select the type and the 538 parameters for practical use of Argon2. 540 1. Select the type y. If you do not know the difference between 541 them or you consider side-channel attacks as viable threat, 542 choose Argon2id. 544 2. Figure out the maximum number h of threads that can be initiated 545 by each call to Argon2. 547 3. Figure out the maximum amount m of memory that each call can 548 afford. 550 4. Figure out the maximum amount x of time (in seconds) that each 551 call can afford. 553 5. Select the salt length. 128 bits is sufficient for all 554 applications, but can be reduced to 64 bits in the case of space 555 constraints. 557 6. Select the tag length. 128 bits is sufficient for most 558 applications, including key derivation. If longer keys are 559 needed, select longer tags. 561 7. If side-channel attacks are a viable threat, or if you're 562 uncertain, enable the memory wiping option in the library call. 564 8. Run the scheme of type y, memory m and h lanes and threads, using 565 different number of passes t. Figure out the maximum t such that 566 the running time does not exceed x. If it exceeds x even for t = 567 1, reduce m accordingly. 569 9. Hash all the passwords with the just determined values m, h, and 570 t. 572 5. Example Code 573 void fill_block(const block *prev_block, 574 const block *ref_block, 575 block *next_block) { 576 block blockR, block_tmp; 577 unsigned i; 579 copy_block(&blockR, ref_block); 580 xor_block(&blockR, prev_block); 581 copy_block(&block_tmp, &blockR); 583 /* Now blockR = ref_block + prev_block and bloc_tmp = ref_block + 584 prev_block */ 586 /* Apply Blake2 on columns of 64-bit words: (0,1,...,15), 587 then (16,17,..31)... finally (112,113,...127) */ 588 for (i = 0; i < 8; ++i) { 589 BLAKE2_ROUND_NOMSG( 590 blockR.v[16 * i], blockR.v[16 * i + 1], 591 blockR.v[16 * i + 2], blockR.v[16 * i + 3], 592 blockR.v[16 * i + 4], blockR.v[16 * i + 5], 593 blockR.v[16 * i + 6], blockR.v[16 * i + 7], 594 blockR.v[16 * i + 8], blockR.v[16 * i + 9], 595 blockR.v[16 * i + 10], blockR.v[16 * i + 11], 596 blockR.v[16 * i + 12], blockR.v[16 * i + 13], 597 blockR.v[16 * i + 14], blockR.v[16 * i + 15]); 598 } 600 /* Apply Blake2 on rows of 64-bit words: (0,1,16,17,...112,113), 601 then (2,3,18,19,...,114,115), ... and finally 602 (14,15,30,31,...,126,127) */ 603 for (i = 0; i < 8; i++) { 604 BLAKE2_ROUND_NOMSG( 605 blockR.v[2 * i], blockR.v[2 * i + 1], 606 blockR.v[2 * i + 16], blockR.v[2 * i + 17], 607 blockR.v[2 * i + 32], blockR.v[2 * i + 33], 608 blockR.v[2 * i + 48], blockR.v[2 * i + 49], 609 blockR.v[2 * i + 64], blockR.v[2 * i + 65], 610 blockR.v[2 * i + 80], blockR.v[2 * i + 81], 611 blockR.v[2 * i + 96], blockR.v[2 * i + 97], 612 blockR.v[2 * i + 112], blockR.v[2 * i + 113]); 613 } 615 copy_block(next_block, &block_tmp); 616 xor_block(next_block, &blockR); 617 } 619 Example code 621 void fill_block_with_xor(const block *prev_block, 622 const block *ref_block, 623 block *next_block) { 624 block blockR, block_tmp; 625 unsigned i; 627 copy_block(&blockR, ref_block); 628 xor_block(&blockR, prev_block); 629 copy_block(&block_tmp, &blockR); 631 /* Saving the next block contents for XOR over */ 632 xor_block(&block_tmp, next_block); 634 /* Now blockR = ref_block + prev_block and bloc_tmp = ref_block + 635 prev_block + next_block*/ 636 /* Apply Blake2 on columns of 64-bit words: (0,1,...,15) , then 637 (16,17,..31),... and finally (112,113,...127) */ 638 for (i = 0; i < 8; ++i) { 639 BLAKE2_ROUND_NOMSG( 640 blockR.v[16 * i], blockR.v[16 * i + 1], 641 blockR.v[16 * i + 2], blockR.v[16 * i + 3], 642 blockR.v[16 * i + 4], blockR.v[16 * i + 5], 643 blockR.v[16 * i + 6], blockR.v[16 * i + 7], 644 blockR.v[16 * i + 8], blockR.v[16 * i + 9], 645 blockR.v[16 * i + 10], blockR.v[16 * i + 11], 646 blockR.v[16 * i + 12], blockR.v[16 * i + 13], 647 blockR.v[16 * i + 14], blockR.v[16 * i + 15]); 648 } 650 /* Apply Blake2 on rows of 64-bit words: 651 (0,1,16,17,...112,113), then 652 (2,3,18,19,...,114,115), ... and finally 653 (14,15,30,31,...,126,127) */ 654 for (i = 0; i < 8; i++) { 655 BLAKE2_ROUND_NOMSG( 656 blockR.v[2 * i], blockR.v[2 * i + 1], 657 blockR.v[2 * i + 16], blockR.v[2 * i + 17], 658 blockR.v[2 * i + 32], blockR.v[2 * i + 33], 659 blockR.v[2 * i + 48], blockR.v[2 * i + 49], 660 blockR.v[2 * i + 64], blockR.v[2 * i + 65], 661 blockR.v[2 * i + 80], blockR.v[2 * i + 81], 662 blockR.v[2 * i + 96], blockR.v[2 * i + 97], 663 blockR.v[2 * i + 112], blockR.v[2 * i + 113]); 664 } 666 copy_block(next_block, &block_tmp); 667 xor_block(next_block, &blockR); 668 } 669 void generate_addresses(const argon2_instance_t *instance, 670 const argon2_position_t *position, 671 uint64_t *pseudo_rands) { 672 block zero_block, input_block, address_block,tmp_block; 673 uint32_t i; 675 init_block_value(&zero_block, 0); 676 init_block_value(&input_block, 0); 678 if (instance != NULL && position != NULL) { 679 input_block.v[0] = position->pass; 680 input_block.v[1] = position->lane; 681 input_block.v[2] = position->slice; 682 input_block.v[3] = instance->memory_blocks; 683 input_block.v[4] = instance->passes; 684 input_block.v[5] = instance->type; 686 for (i = 0; i < instance->segment_length; ++i) { 687 if (i % ARGON2_ADDRESSES_IN_BLOCK == 0) { 688 input_block.v[6]++; 689 init_block_value(&tmp_block, 0); 690 init_block_value(&address_block, 0); 691 fill_block_with_xor(&zero_block, &input_block, &tmp_block); 692 fill_block_with_xor(&zero_block, &tmp_block, &address_block); 693 } 695 pseudo_rands[i] = address_block.v[i % ARGON2_ADDRESSES_IN_BLOCK]; 696 } 697 } 699 void fill_segment(const argon2_instance_t *instance, 700 argon2_position_t position) { 701 block *ref_block = NULL, *curr_block = NULL; 702 uint64_t pseudo_rand, ref_index, ref_lane; 703 uint32_t prev_offset, curr_offset; 704 uint32_t starting_index; 705 uint32_t i; 706 int data_independent_addressing; 708 /* Pseudo-random values that determine the reference block 709 position */ 710 uint64_t *pseudo_rands = NULL; 712 if (instance == NULL) { 713 return; 714 } 716 data_independent_addressing = (instance->type == Argon2_i); 718 pseudo_rands = (uint64_t *)malloc(sizeof(uint64_t) * 719 (instance->segment_length)); 721 if (pseudo_rands == NULL) { 722 return; 723 } 725 if (data_independent_addressing) { 726 generate_addresses(instance, &position, pseudo_rands); 727 } 729 starting_index = 0; 731 if ((0 == position.pass) && (0 == position.slice)) { 732 /* we have already generated the first two blocks */ 733 starting_index = 2; 734 } 736 /* Offset of the current block */ 737 curr_offset = position.lane * instance->lane_length + 738 position.slice * instance->segment_length + 739 starting_index; 741 if (0 == curr_offset % instance->lane_length) { 742 /* Last block in this lane */ 743 prev_offset = curr_offset + instance->lane_length - 1; 744 } else { 745 /* Previous block */ 746 prev_offset = curr_offset - 1; 747 } 749 for (i = starting_index; i < instance->segment_length; 750 ++i, ++curr_offset, ++prev_offset) { 751 /*1.1 Rotating prev_offset if needed */ 752 if (curr_offset % instance->lane_length == 1) { 753 prev_offset = curr_offset - 1; 754 } 756 /* 1.2 Computing the index of the reference block */ 757 /* 1.2.1 Taking pseudo-random value from the previous block */ 758 if (data_independent_addressing) { 759 pseudo_rand = pseudo_rands[i]; 760 } else { 761 pseudo_rand = instance->memory[prev_offset].v[0]; 762 } 764 /* 1.2.2 Computing the lane of the reference block */ 765 ref_lane = ((pseudo_rand >> 32)) % instance->lanes; 767 if ((position.pass == 0) && (position.slice == 0)) { 768 /* Can not reference other lanes yet */ 769 ref_lane = position.lane; 770 } 772 /* 1.2.3 Computing the number of possible reference block 773 within the lane. */ 774 position.index = i; 775 ref_index = index_alpha(instance, &position, 776 pseudo_rand & 0xFFFFFFFF, 777 ref_lane == position.lane); 779 /* 2 Creating a new block */ 780 ref_block = instance->memory + 781 instance->lane_length * ref_lane + ref_index; 782 curr_block = instance->memory + curr_offset; 783 if (instance->version == ARGON2_OLD_VERSION_NUMBER) { 784 /* version 1.2.1 and earlier: overwrite, not XOR */ 785 fill_block(instance->memory + prev_offset, ref_block, 786 curr_block); 787 } else { 788 if(0 == position.pass) { 789 fill_block(instance->memory + prev_offset, ref_block, 790 curr_block); 791 } else { 792 fill_block_with_xor(instance->memory + prev_offset, 793 ref_block, curr_block); 794 } 795 } 796 } 798 free(pseudo_rands); 799 } 801 uint32_t index_alpha(const argon2_instance_t *instance, 802 const argon2_position_t *position, 803 uint32_t pseudo_rand, 804 int same_lane) { 805 /* 806 * Pass 0: 808 * This lane : all already finished segments plus already 809 * constructed blocks in this segment 810 * Other lanes : all already finished segments 811 * Pass 1+: 812 * This lane : (SYNC_POINTS - 1) last segments plus 813 * already constructed blocks in this segment 814 * Other lanes : (SYNC_POINTS - 1) last segments 815 */ 816 uint32_t reference_area_size; 817 uint64_t relative_position; 818 uint32_t start_position, absolute_position; 820 if (0 == position->pass) { 821 /* First pass */ 822 if (0 == position->slice) { 823 /* First slice */ 824 reference_area_size = 825 position->index - 1; /* all but the previous */ 826 } else { 827 if (same_lane) { 828 /* The same lane => add current segment */ 829 reference_area_size = position->slice * 830 instance->segment_length + 831 position->index - 1; 832 } else { 833 reference_area_size = position->slice * 834 instance->segment_length + 835 ((position->index == 0) ? (-1) : 0); 836 } 837 } 838 } else { 839 /* Second pass */ 840 if (same_lane) { 841 reference_area_size = instance->lane_length - 842 instance->segment_length + 843 position->index - 1; 844 } else { 845 reference_area_size = instance->lane_length - 846 instance->segment_length + 847 ((position->index == 0) ? (-1) : 0); 848 } 849 } 851 /* 1.2.4. Mapping pseudo_rand to 0.. 852 and produce relative position */ 853 relative_position = pseudo_rand; 854 relative_position = relative_position * relative_position >> 32; 855 relative_position = reference_area_size - 1 - 856 (reference_area_size * relative_position >> 32); 858 /* 1.2.5 Computing starting position */ 859 start_position = 0; 861 if (0 != position->pass) { 862 start_position = (position->slice == ARGON2_SYNC_POINTS - 1) 863 ? 0 864 : (position->slice + 1) * 865 instance->segment_length; 866 } 868 /* 1.2.6. Computing absolute position */ 869 absolute_position = (start_position + relative_position) % 870 instance->lane_length; /* absolute position */ 871 return absolute_position; 872 } 874 int fill_memory_blocks(argon2_instance_t *instance) { 875 uint32_t r, s; 876 argon2_thread_handle_t *thread = NULL; 877 argon2_thread_data *thr_data = NULL; 879 if (instance == NULL || instance->lanes == 0) { 880 return ARGON2_THREAD_FAIL; 881 } 883 /* 1. Allocating space for threads */ 884 thread = calloc(instance->lanes, sizeof(argon2_thread_handle_t)); 885 if (thread == NULL) { 886 return ARGON2_MEMORY_ALLOCATION_ERROR; 887 } 889 thr_data = calloc(instance->lanes, sizeof(argon2_thread_data)); 890 if (thr_data == NULL) { 891 free(thread); 892 return ARGON2_MEMORY_ALLOCATION_ERROR; 893 } 895 for (r = 0; r < instance->passes; ++r) { 896 for (s = 0; s < ARGON2_SYNC_POINTS; ++s) { 897 int rc; 898 uint32_t l; 900 /* 2. Calling threads */ 901 for (l = 0; l < instance->lanes; ++l) { 902 argon2_position_t position; 904 /* 2.1 Join a thread if limit is exceeded */ 905 if (l >= instance->threads) { 906 rc = argon2_thread_join(thread[l - instance->threads]); 907 if (rc) { 908 free(thr_data); 909 free(thread); 910 return ARGON2_THREAD_FAIL; 911 } 912 } 914 /* 2.2 Create thread */ 915 position.pass = r; 916 position.lane = l; 917 position.slice = (uint8_t)s; 918 position.index = 0; 919 /* preparing the thread input */ 920 thr_data[l].instance_ptr = instance; 921 memcpy(&(thr_data[l].pos), &position, 922 sizeof(argon2_position_t)); 923 rc = argon2_thread_create(&thread[l], &fill_segment_thr, 924 (void *)&thr_data[l]); 925 if (rc) { 926 free(thr_data); 927 free(thread); 928 return ARGON2_THREAD_FAIL; 929 } 931 /* fill_segment(instance, position); */ 932 /*Non-thread equivalent of the lines above */ 933 } 935 /* 3. Joining remaining threads */ 936 for (l = instance->lanes - instance->threads; l < instance->lanes; 937 ++l) { 938 rc = argon2_thread_join(thread[l]); 939 if (rc) { 940 return ARGON2_THREAD_FAIL; 941 } 942 } 943 } 944 } 946 if (thread != NULL) { 947 free(thread); 948 } 949 if (thr_data != NULL) { 950 free(thr_data); 951 } 953 return ARGON2_OK; 954 } 956 6. Test Vectors 958 This section contains test vectors for Argon2. 960 6.1. Argon2d Test Vectors 962 ======================================= 963 Argon2d version number 19 964 ======================================= 965 Memory: 32 KiB 966 Iterations: 3 967 Parallelism: 4 lanes 968 Tag length: 32 bytes 969 Password[32]: 01 01 01 01 01 01 01 01 970 01 01 01 01 01 01 01 01 971 01 01 01 01 01 01 01 01 972 01 01 01 01 01 01 01 01 973 Salt[16]: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 974 Secret[8]: 03 03 03 03 03 03 03 03 975 Associated data[12]: 04 04 04 04 04 04 04 04 04 04 04 04 976 Pre-hashing digest: b8 81 97 91 a0 35 96 60 977 bb 77 09 c8 5f a4 8f 04 978 d5 d8 2c 05 c5 f2 15 cc 979 db 88 54 91 71 7c f7 57 980 08 2c 28 b9 51 be 38 14 981 10 b5 fc 2e b7 27 40 33 982 b9 fd c7 ae 67 2b ca ac 983 5d 17 90 97 a4 af 31 09 985 After pass 0: 986 Block 0000 [ 0]: db2fea6b2c6f5c8a 987 Block 0000 [ 1]: 719413be00f82634 988 Block 0000 [ 2]: a1e3f6dd42aa25cc 989 Block 0000 [ 3]: 3ea8efd4d55ac0d1 990 ... 991 Block 0031 [124]: 28d17914aea9734c 992 Block 0031 [125]: 6a4622176522e398 993 Block 0031 [126]: 951aa08aeecb2c05 994 Block 0031 [127]: 6a6c49d2cb75d5b6 995 After pass 1: 996 Block 0000 [ 0]: d3801200410f8c0d 997 Block 0000 [ 1]: 0bf9e8a6e442ba6d 998 Block 0000 [ 2]: e2ca92fe9c541fcc 999 Block 0000 [ 3]: 6269fe6db177a388 1000 ... 1001 Block 0031 [124]: 9eacfcfbdb3ce0fc 1002 Block 0031 [125]: 07dedaeb0aee71ac 1003 Block 0031 [126]: 074435fad91548f4 1004 Block 0031 [127]: 2dbfff23f31b5883 1006 After pass 2: 1007 Block 0000 [ 0]: 5f047b575c5ff4d2 1008 Block 0000 [ 1]: f06985dbf11c91a8 1009 Block 0000 [ 2]: 89efb2759f9a8964 1010 Block 0000 [ 3]: 7486a73f62f9b142 1011 ... 1012 Block 0031 [124]: 57cfb9d20479da49 1013 Block 0031 [125]: 4099654bc6607f69 1014 Block 0031 [126]: f142a1126075a5c8 1015 Block 0031 [127]: c341b3ca45c10da5 1016 Tag: 51 2b 39 1b 6f 11 62 97 1017 53 71 d3 09 19 73 42 94 1018 f8 68 e3 be 39 84 f3 c1 1019 a1 3a 4d b9 fa be 4a cb 1021 6.2. Argon2i Test Vectors 1023 ======================================= 1024 Argon2i version number 19 1025 ======================================= 1026 Memory: 32 KiB 1027 Iterations: 3 1028 Parallelism: 4 lanes 1029 Tag length: 32 bytes 1030 Password[32]: 01 01 01 01 01 01 01 01 1031 01 01 01 01 01 01 01 01 1032 01 01 01 01 01 01 01 01 1033 01 01 01 01 01 01 01 01 1034 Salt[16]: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 1035 Secret[8]: 03 03 03 03 03 03 03 03 1036 Associated data[12]: 04 04 04 04 04 04 04 04 04 04 04 04 1037 Pre-hashing digest: c4 60 65 81 52 76 a0 b3 1038 e7 31 73 1c 90 2f 1f d8 1039 0c f7 76 90 7f bb 7b 6a 1040 5c a7 2e 7b 56 01 1f ee 1041 ca 44 6c 86 dd 75 b9 46 1042 9a 5e 68 79 de c4 b7 2d 1043 08 63 fb 93 9b 98 2e 5f 1044 39 7c c7 d1 64 fd da a9 1046 After pass 0: 1047 Block 0000 [ 0]: f8f9e84545db08f6 1048 Block 0000 [ 1]: 9b073a5c87aa2d97 1049 Block 0000 [ 2]: d1e868d75ca8d8e4 1050 Block 0000 [ 3]: 349634174e1aebcc 1051 ... 1052 Block 0031 [124]: 975f596583745e30 1053 Block 0031 [125]: e349bdd7edeb3092 1054 Block 0031 [126]: b751a689b7a83659 1055 Block 0031 [127]: c570f2ab2a86cf00 1057 After pass 1: 1058 Block 0000 [ 0]: b2e4ddfcf76dc85a 1059 Block 0000 [ 1]: 4ffd0626c89a2327 1060 Block 0000 [ 2]: 4af1440fff212980 1061 Block 0000 [ 3]: 1e77299c7408505b 1062 ... 1063 Block 0031 [124]: e4274fd675d1e1d6 1064 Block 0031 [125]: 903fffb7c4a14c98 1065 Block 0031 [126]: 7e5db55def471966 1066 Block 0031 [127]: 421b3c6e9555b79d 1068 After pass 2: 1069 Block 0000 [ 0]: af2a8bd8482c2f11 1070 Block 0000 [ 1]: 785442294fa55e6d 1071 Block 0000 [ 2]: 9256a768529a7f96 1072 Block 0000 [ 3]: 25a1c1f5bb953766 1073 ... 1074 Block 0031 [124]: 68cf72fccc7112b9 1075 Block 0031 [125]: 91e8c6f8bb0ad70d 1076 Block 0031 [126]: 4f59c8bd65cbb765 1077 Block 0031 [127]: 71e436f035f30ed0 1078 Tag: c8 14 d9 d1 dc 7f 37 aa 1079 13 f0 d7 7f 24 94 bd a1 1080 c8 de 6b 01 6d d3 88 d2 1081 99 52 a4 c4 67 2b 6c e8 1083 6.3. Argon2id Test Vectors 1084 ======================================= 1085 Argon2id version number 19 1086 ======================================= 1087 Memory: 32 KiB, Iterations: 3, Parallelism: 4 lanes, Tag length: 32 bytes 1088 Password[32]: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 1089 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 1090 Salt[16]: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 1091 Secret[8]: 03 03 03 03 03 03 03 03 1092 Associated data[12]: 04 04 04 04 04 04 04 04 04 04 04 04 1093 Pre-hashing digest: 28 89 de 48 7e b4 2a e5 00 c0 00 7e d9 25 2f 1094 10 69 ea de c4 0d 57 65 b4 85 de 6d c2 43 7a 67 b8 54 6a 2f 0a 1095 cc 1a 08 82 db 8f cf 74 71 4b 47 2e 94 df 42 1a 5d a1 11 2f fa 1096 11 43 43 70 a1 e9 97 1098 After pass 0: 1099 Block 0000 [ 0]: 6b2e09f10671bd43 1100 Block 0000 [ 1]: f69f5c27918a21be 1101 Block 0000 [ 2]: dea7810ea41290e1 1102 Block 0000 [ 3]: 6787f7171870f893 1103 ... 1104 Block 0031 [124]: 377fa81666dc7f2b 1105 Block 0031 [125]: 50e586398a9c39c8 1106 Block 0031 [126]: 6f732732a550924a 1107 Block 0031 [127]: 81f88b28683ea8e5 1109 After pass 1: 1110 Block 0000 [ 0]: 3653ec9d01583df9 1111 Block 0000 [ 1]: 69ef53a72d1e1fd3 1112 Block 0000 [ 2]: 35635631744ab54f 1113 Block 0000 [ 3]: 599512e96a37ab6e 1114 ... 1115 Block 0031 [124]: 4d4b435cea35caa6 1116 Block 0031 [125]: c582210d99ad1359 1117 Block 0031 [126]: d087971b36fd6d77 1118 Block 0031 [127]: a55222a93754c692 1120 After pass 2: 1121 Block 0000 [ 0]: 942363968ce597a4 1122 Block 0000 [ 1]: a22448c0bdad5760 1123 Block 0000 [ 2]: a5f80662b6fa8748 1124 Block 0000 [ 3]: a0f9b9ce392f719f 1125 ... 1126 Block 0031 [124]: d723359b485f509b 1127 Block 0031 [125]: cb78824f42375111 1128 Block 0031 [126]: 35bc8cc6e83b1875 1129 Block 0031 [127]: 0b012846a40f346a 1130 Tag: 0d 64 0d f5 8d 78 76 6c 08 c0 37 a3 4a 8b 53 c9 d0 1131 1e f0 45 2d 75 b6 5e b5 25 20 e9 6b 01 e6 59 1133 7. Acknowledgements 1135 We thank greatly the following authors who helped a lot in preparing 1136 and reviewing this document: Jean-Philippe Aumasson, Samuel Neves, 1137 Joel Alwen, Jeremiah Blocki, Bill Cox, Arnold Reinhold, Solar 1138 Designer, Russ Housley, Stanislav Smyshlyaev, Kenny Paterson, Alexey 1139 Melnikov. 1141 8. IANA Considerations 1143 None. 1145 9. Security Considerations 1147 9.1. Security as hash function and KDF 1149 The collision and preimage resistance levels of Argon2 are equivalent 1150 to those of the underlying BLAKE2b hash function. To produce a 1151 collision, 2^(256) inputs are needed. To find a preimage, 2^(512) 1152 inputs must be tried. 1154 The KDF security is determined by the key length and the size of the 1155 internal state of hash function H'. To distinguish the output of 1156 keyed Argon2 from random, minimum of (2^(128),2^length(K)) calls to 1157 BLAKE2b are needed. 1159 9.2. Security against time-space tradeoff attacks 1161 Time-space tradeoffs allow computing a memory-hard function storing 1162 fewer memory blocks at the cost of more calls to the internal 1163 comression function. The advantage of tradeoff attacks is measured 1164 in the reduction factor to the time-area product, where memory and 1165 extra compression function cores contribute to the area, and time is 1166 increased to accomodate the recomputation of missed blocks. A high 1167 reduction factor may potentially speed up preimage search. 1169 The best attacks on the 1-pass and 2-pass Argon2i is the low-storage 1170 attack described in [CBS16], which reduces the time-area product 1171 (using the peak memory value) by the factor of 5. The best attack on 1172 3-pass and more Argon2i is [AB16] with reduction factor being a 1173 function of memory size and the number of passes. For 1 gibibyte of 1174 memory: 3 for 3 passes, 2.5 for 4 passes, 2 for 6 passes. The 1175 reduction factor grows by about 0.5 with every doubling the memory 1176 size. To completely prevent time-space tradeoffs from [AB16], the 1177 number of passes must exceed binary logarithm of memory minus 26. 1178 Asymptotically, the best attack on 1-pass Argon2i is given in [BZ17] 1179 with maximal advantage of the adversary upper bounded by O(m^(0.233)) 1180 where m is the number of blocks. This attack is also asymptotically 1181 optimal as [BZ17] also prove the upper bound on any attack of 1182 O(m^(0.25)). 1184 The best tradeoff attack on t-pass Argon2d is the ranking tradeoff 1185 attack, which reduces the time-area product by the factor of 1.33. 1187 The best attack on Argon2id can be obtained by complementing the best 1188 attack on the 1-pass Argon2i with the best attack on a multi-pass 1189 Argon2d. Thus the best tradeoff attack on 1-pass Argon2id is the 1190 combined low-storage attack (for the first half of the memory) and 1191 the ranking attack (for the second half), which bring together the 1192 factor of about 2.1. The best tradeoff attack on t-pass Argon2id is 1193 the ranking tradeoff attack, which reduces the time-area product by 1194 the factor of 1.33. 1196 9.3. Security for time-bounded defenders 1198 A bottleneck in a system employing the password-hashing function is 1199 often the function latency rather than memory costs. A rational 1200 defender would then maximize the bruteforce costs for the attacker 1201 equipped with a list of hashes, salts, and timing information, for 1202 fixed computing time on the defender's machine. The attack cost 1203 estimates from [AB16] imply that for Argon2i, 3 passes is almost 1204 optimal for the most of reasonable memory sizes, and that for Argon2d 1205 and Argon2id, 1 pass maximizes the attack costs for the constant 1206 defender time. 1208 9.4. Recommendations 1210 The Argon2id variant with t=1 and maximum available memory is 1211 recommended as a default setting for all environments. This setting 1212 is secure against side-channel attacks and maximizes adversarial 1213 costs on dedicated bruteforce hardware. 1215 10. References 1217 10.1. Normative References 1219 [RFC7693] Saarinen, M-J., Ed. and J-P. Aumasson, "The BLAKE2 1220 Cryptographic Hash and Message Authentication Code (MAC)", 1221 RFC 7693, DOI 10.17487/RFC7693, November 2015, 1222 . 1224 10.2. Informative References 1226 [AB15] Biryukov, A. and D. Khovratovich, "Tradeoff Cryptanalysis 1227 of Memory-Hard Functions", Asiacrypt 2015, December 2015, 1228 . 1230 [AB16] Alwen, J. and J. Blocki, "Efficiently Computing Data- 1231 Independent Memory-Hard Functions", Crypto 2016, December 1232 2015, . 1234 [ARGON2] Biryukov, A., Dinu, D., and D. Khovratovich, "Argon2: the 1235 memory-hard function for password hashing and other 1236 applications", WWW www.cryptolux.org, October 2015, 1237 . 1239 [ARGON2ESP] 1240 Biryukov, A., Dinu, D., and D. Khovratovich, "Argon2: New 1241 Generation of Memory-Hard Functions for Password Hashing 1242 and Other Applications", Euro SnP 2016, March 2016, 1243 . 1245 [BLAKE2] Saarinen, M-J., Ed. and J-P. Aumasson, "The BLAKE2 1246 Cryptographic Hash and Message Authentication Code (MAC)", 1247 RFC 7693, November 2015, 1248 . 1250 [BZ17] Blocki, J. and S. Zhou, "On the Depth-Robustness and 1251 Cumulative Pebbling Cost of Argon2i", TCC 2017, May 2017, 1252 . 1254 [CBS16] Corrigan-Gibbs, H., Boneh, D., and S. Schechter, "Balloon 1255 Hashing: Provably Space-Hard Hash Functions with Data- 1256 Independent Access Patterns", Asiacrypt 2016, January 1257 2016, . 1259 [HARD] Alwen, J. and V. Serbinenko, "High Parallel Complexity 1260 Graphs and Memory-Hard Functions", STOC 2015, 2014, 1261 . 1263 Authors' Addresses 1265 Alex Biryukov 1266 University of Luxembourg 1268 Email: alex.biryukov@uni.lu 1270 Daniel Dinu 1271 University of Luxembourg 1273 Email: dumitru-daniel.dinu@uni.lu 1274 Dmitry Khovratovich 1275 ABDK Consulting 1277 Email: khovratovich@gmail.com 1279 Simon Josefsson 1280 SJD AB 1282 Email: simon@josefsson.org 1283 URI: http://josefsson.org/