idnits 2.17.1 draft-irtf-cfrg-argon2-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == It seems as if not all pages are separated by form feeds - found 29 form feeds but 35 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 17, 2019) is 1747 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '0' on line 779 -- Looks like a reference, but probably isn't: '1' on line 696 -- Looks like a reference, but probably isn't: '2' on line 697 -- Looks like a reference, but probably isn't: '3' on line 698 -- Looks like a reference, but probably isn't: '4' on line 699 -- Looks like a reference, but probably isn't: '5' on line 700 -- Looks like a reference, but probably isn't: '32' on line 1110 -- Looks like a reference, but probably isn't: '16' on line 1112 -- Looks like a reference, but probably isn't: '8' on line 1113 -- Looks like a reference, but probably isn't: '12' on line 1114 -- Looks like a reference, but probably isn't: '124' on line 1148 -- Looks like a reference, but probably isn't: '125' on line 1149 -- Looks like a reference, but probably isn't: '126' on line 1150 -- Looks like a reference, but probably isn't: '127' on line 1151 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 16 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. Biryukov 3 Internet-Draft D. Dinu 4 Intended status: Informational University of Luxembourg 5 Expires: December 19, 2019 D. Khovratovich 6 ABDK Consulting 7 S. Josefsson 8 SJD AB 9 June 17, 2019 11 The memory-hard Argon2 password hash and proof-of-work function 12 draft-irtf-cfrg-argon2-06 14 Abstract 16 This document describes the Argon2 memory-hard function for password 17 hashing and proof-of-work applications. We provide an implementer- 18 oriented description together with sample code and test vectors. The 19 purpose is to simplify adoption of Argon2 for Internet protocols. 20 This document is a product of the Crypto Forum Research Group (CFRG) 21 in the IRTF. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on December 19, 2019. 40 Copyright Notice 42 Copyright (c) 2019 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 2. Notation and Conventions . . . . . . . . . . . . . . . . . . 3 59 3. Argon2 Algorithm . . . . . . . . . . . . . . . . . . . . . . 4 60 3.1. Argon2 Inputs and Outputs . . . . . . . . . . . . . . . . 4 61 3.2. Argon2 Operation . . . . . . . . . . . . . . . . . . . . 5 62 3.3. Variable-length hash function H' . . . . . . . . . . . . 7 63 3.4. Indexing . . . . . . . . . . . . . . . . . . . . . . . . 7 64 3.4.1. Getting the 32-bit values J_1 and J_2 . . . . . . . . 8 65 3.4.2. Mapping J_1 and J_2 to reference block index . . . . 9 66 3.5. Compression function G . . . . . . . . . . . . . . . . . 10 67 3.6. Permutation P . . . . . . . . . . . . . . . . . . . . . . 11 68 4. Parameter Choice . . . . . . . . . . . . . . . . . . . . . . 12 69 5. Example Code . . . . . . . . . . . . . . . . . . . . . . . . 14 70 6. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . 23 71 6.1. Argon2d Test Vectors . . . . . . . . . . . . . . . . . . 23 72 6.2. Argon2i Test Vectors . . . . . . . . . . . . . . . . . . 24 73 6.3. Argon2id Test Vectors . . . . . . . . . . . . . . . . . . 25 74 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27 75 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 76 9. Security Considerations . . . . . . . . . . . . . . . . . . . 27 77 9.1. Security as hash function and KDF . . . . . . . . . . . . 27 78 9.2. Security against time-space tradeoff attacks . . . . . . 27 79 9.3. Security for time-bounded defenders . . . . . . . . . . . 28 80 9.4. Recommendations . . . . . . . . . . . . . . . . . . . . . 28 81 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 28 82 10.1. Normative References . . . . . . . . . . . . . . . . . . 28 83 10.2. Informative References . . . . . . . . . . . . . . . . . 29 84 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 29 86 1. Introduction 88 This document describes the Argon2 [ARGON2ESP] memory-hard function 89 for password hashing and proof-of-work applications. We provide an 90 implementer oriented description together with sample code and test 91 vectors. The purpose is to simplify adoption of Argon2 for Internet 92 protocols. This document corresponds to version 1.3 of the Argon2 93 hash function. 95 Argon2 summarizes the state of the art in the design of memory-hard 96 functions [HARD]. It is a streamlined and simple design. It aims at 97 the highest memory filling rate and effective use of multiple 98 computing units, while still providing defense against tradeoff 99 attacks. Argon2 is optimized for the x86 architecture and exploits 100 the cache and memory organization of the recent Intel and AMD 101 processors. Argon2 has one primary variant: Argon2id, and two 102 supplementary variants: Argon2d and Argon2i. Argon2d uses data- 103 dependent memory access, which makes it suitable for cryptocurrencies 104 and proof-of-work applications with no threats from side-channel 105 timing attacks. Argon2i uses data-independent memory access, which 106 is preferred for password hashing and password-based key derivation. 107 Argon2id works as Argon2i for the first half of the first iteration 108 over the memory, and as Argon2d for the rest, thus providing both 109 side-channel attack protection and brute-force cost savings due to 110 time-memory tradeoffs. Argon2i makes more passes over the memory to 111 protect from tradeoff attacks [AB15]. 113 Argon2 can be viewed as a mode of operation over a fixed-input-length 114 compression function G and a variable-input-length hash function H. 115 Even though Argon2 can be potentially used with arbitrary function H, 116 as long as it provides outputs up to 64 bytes, in this document it 117 MUST be BLAKE2b [BLAKE2]. 119 For further background and discussion, see the Argon2 paper [ARGON2]. 121 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 122 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 123 document are to be interpreted as described in RFC 2119 [RFC2119]. 125 This document represents the consensus of the Crypto Forum Research 126 Group (CFRG). 128 2. Notation and Conventions 130 x^y --- integer x multiplied by itself integer y times 132 a*b --- multiplication of integer a and integer b 134 c-d --- substraction of integer c with integer d 136 E_f --- variable E with subscript index f 138 g / h --- integer g divided by integer h. The result is rational 139 number 141 I(j) --- function I evaluated on integer parameter j 143 K || L --- string K concatenated with string L 144 a XOR b --- bitwise exclusive-or between bitstrings a and b 146 a mod b --- remainder of integer a modulo integer b, always in range 147 [0, b-1] 149 a >>> n --- rotation of 64-bit string a to the right by n bits 151 trunc(a) --- the 64-bit value, truncated to the 32 least significant 152 bits 154 floor(a) --- the largest integer not bigger than a 156 ceil(a) --- the smallest integer not smaller than a 158 extract(a, i) --- the i-th set of 32-bits from bitstring a, starting 159 from 0-th 161 |A| --- the number of elements in set A 163 LE32(a) --- 32-bit integer a converted to bytestring in little 164 endian. Example: 123456 (decimal) is 40 E2 01 00. 166 LE64(a) --- 64-bit integer a converted to bytestring in little 167 endian. Example: 123456 (decimal) is 40 E2 01 00 00 00 00 00. 169 int32(s) --- 32-bit string s is converted to non-negative integer in 170 little endian. 172 int64(s) --- 64-bit string s is converted to non-negative integer in 173 little endian. 175 length(P) --- the bytelength of string P expressed as 32-bit integer 177 3. Argon2 Algorithm 179 3.1. Argon2 Inputs and Outputs 181 Argon2 has the following input parameters: 183 o Message string P, which is a password for password hashing 184 applications. MUST have length from 0 to 2^(32) - 1 bytes. 186 o Nonce S, which is a salt for password hashing applications. MUST 187 have length not greater than 2^(32)-1 bytes. 16 bytes is 188 RECOMMENDED for password hashing. Salt SHOULD be unique for each 189 password. 191 o Degree of parallelism p determines how many independent (but 192 synchronizing) computational chains (lanes) can be run. It MUST 193 be an integer value from 1 to 2^(24)-1. 195 o Tag length T MUST be an integer number of bytes from 4 to 2^(32)- 196 1. 198 o Memory size m MUST be an integer number of kibibytes from 8*p to 199 2^(32)-1. The actual number of blocks is m', which is m rounded 200 down to the nearest multiple of 4*p. 202 o Number of iterations t (used to tune the running time 203 independently of the memory size) MUST be an integer number from 1 204 to 2^(32)-1. 206 o Version number v MUST be one byte 0x13. 208 o Secret value K is OPTIONAL. If used, it MUST have length not 209 greater than 2^(32)-1 bytes. 211 o Associated data X is OPTIONAL. If used, it MUST have length not 212 greater than 2^(32)-1 bytes. 214 o Type y of Argon2: MUST be 0 for Argon2d, 1 for Argon2i, 2 for 215 Argon2id. 217 The Argon2 output, or "tag" is a string T bytes long. 219 3.2. Argon2 Operation 221 Argon2 uses an internal compression function G with two 1024-byte 222 inputs and a 1024-byte output, and an internal hash function H^x() 223 with x being its output length in bytes. Here H^x() applied to 224 string A is the BLAKE2b [BLAKE2] function, which takes 225 (d,|dd|,kk=0,nn=x) as parameters where d is A padded to a multiple of 226 128 bytes and partitioned into 128-byte blocks. The compression 227 function G is based on its internal permutation. A variable-length 228 hash function H' built upon H is also used. G is described in 229 Section Section 3.5 and H' is described in Section Section 3.3. 231 The Argon2 operation is as follows. 233 1. Establish H_0 as the 64-byte value as shown below. 235 H_0 = H^(64)(LE32(p) || LE32(T) || LE32(m) || LE32(t) || 236 LE32(v) || LE32(y) || LE32(length(P)) || P || 237 LE32(length(S)) || S || LE32(length(K)) || K || 238 LE32(length(X)) || X) 240 H_0 generation 242 2. Allocate the memory as m' 1024-byte blocks where m' is derived 243 as: 245 m' = 4 * p * floor (m / 4p) 247 Memory allocation 249 For p lanes, the memory is organized in a matrix B[i][j] of 250 blocks with p rows (lanes) and q = m' / p columns. 252 3. Compute B[i][0] for all i ranging from (and including) 0 to (not 253 including) p. 255 B[i][0] = H'^(128)(H_0 || LE32(0) || LE32(i)) 257 Lane starting blocks 259 4. Compute B[i][1] for all i ranging from (and including) 0 to (not 260 including) p. 262 B[i][1] = H'^(128)(H_0 || LE32(1) || LE32(i)) 264 Second lane blocks 266 5. Compute B[i][j] for all i ranging from (and including) 0 to (not 267 including) p, and for all j ranging from (and including) 2) to 268 (not including) q. The block indices l and z are determined for 269 each i, j differently for Argon2d, Argon2i, and Argon2id 270 (Section Section 3.4). 272 B[i][j] = G(B[i][j-1], B[l][z]) 274 Further block generation 276 6. If the number of iterations t is larger than 1, we repeat the 277 steps however replacing the computations with the following 278 expression: 280 B[i][0] = G(B[i][q-1], B[l][z]) 281 B[i][j] = G(B[i][j-1], B[l][z]) 283 Further passes 285 7. After t steps have been iterated, the final block C is computed 286 as the XOR of the last column: 288 C = B[0][q-1] XOR B[1][q-1] XOR ... XOR B[p-1][q-1] 290 Final block 292 8. The output tag is computed as H'^T(C). 294 3.3. Variable-length hash function H' 296 Let V_i be a 64-byte block, and W_i be its first 32 bytes. Then we 297 define: 299 if T <= 64 300 H'^T(A) = H^T(LE32(T)||A) 301 else 302 r = ceil(T/32)-2 303 V_1 = H^(64)(LE32(T)||A) 304 V_2 = H^(64)(V_1) 305 ... 306 V_r = H^(64)(V_{r-1}) 307 V_{r+1} = H^(T-32*r)(V_{r}) 308 H'^T(X) = W_1 || W_2 || ... || W_r || V_{r+1} 310 Tag computation 312 3.4. Indexing 314 To enable parallel block computation, we further partition the memory 315 matrix into S = 4 vertical slices. The intersection of a slice and a 316 lane is a segment of length q/S. Segments of the same slice can be 317 computed in parallel and do not reference blocks from each other. 318 All other blocks can be referenced. 320 slice 0 slice 1 slice 2 slice 3 321 ___/\___ ___/\___ ___/\___ ___/\___ 322 / \ / \ / \ / \ 323 +----------+----------+----------+----------+ 324 | | | | | > lane 0 325 +----------+----------+----------+----------+ 326 | | | | | > lane 1 327 +----------+----------+----------+----------+ 328 | | | | | > lane 2 329 +----------+----------+----------+----------+ 330 | ... ... ... | ... 331 +----------+----------+----------+----------+ 332 | | | | | > lane p - 1 333 +----------+----------+----------+----------+ 335 Single-pass Argon2 with p lanes and 4 slices 337 3.4.1. Getting the 32-bit values J_1 and J_2 339 3.4.1.1. Argon2d 341 J_1 is given by the first 32 bits of block B[i][j-1], while J_2 is 342 given by the next 32-bits of block B[i][j-1]: 344 J_1 = int32(extract(B[i][j-1], 1)) 345 J_2 = int32(extract(B[i][j-1], 2)) 347 Deriving J1,J2 in Argon2d 349 3.4.1.2. Argon2i 351 Each application of the 2-round compression function G in the counter 352 mode gives 128 64-bit values X, which are viewed as X1||X2 and 353 converted to J_1=int32(X1) and J_2=int32(X2). The first input to G 354 is the all zero block and the second input to G is constructed as 355 follows: 357 ( LE64(r) || LE64(l) || LE64(s) || LE64(m') || 358 LE64(t) || LE64(y) || LE64(i) || ZERO ), where 360 r -- the pass number 361 l -- the lane number 362 s -- the slice number 363 m' -- the total number of memory blocks 364 t -- the total number of passes 365 y -- the Argon2 type (0 for Argon2d, 366 1 for Argon2i, 2 for Argon2id) 367 i -- the counter (starts from 1 in each segment) 368 ZERO -- the 968-byte zero string. 370 Input to compute J1,J2 in Argon2i 372 The values r, l, s, m', t, x, i are represented as 8 bytes in little- 373 endian. 375 3.4.1.3. Argon2id 377 If the pass number is 0 and the slice number is 0 or 1, then compute 378 J_1 and J_2 as for Argon2i, else compute J_1 and J_2 as for Argon2d. 380 3.4.2. Mapping J_1 and J_2 to reference block index 382 The value of l = J_2 mod p gives the index of the lane from which the 383 block will be taken. For the firt pass (r=0) and the first slice 384 (s=0) the block is taken from the current lane. 386 The set W contains the indices that can be referenced according to 387 the following rules: 389 1. If l is the current lane, then W includes the indices of all 390 blocks in the last S - 1 = 3 segments computed and finished, as 391 well as the blocks computed in the current segment in the current 392 pass excluding B[i][j-1]. 394 2. If l is not the current lane, then W includes the indices of all 395 blocks in the last S - 1 = 3 segments computed and finished in 396 lane l. If B[i][j] is the first block of a segment, then the 397 very last index from W is excluded. 399 We are going to take a block from W with a non-uniform distribution 400 over [0, |W|) using the mapping 402 J_1 -> |W|(1 - J_1^2 / 2^(64)) 404 Computing J1 406 To avoid floating point computation, the following approximation is 407 used: 409 x = J_1^2 / 2^(32) 410 y = (|W| * x) / 2^(32) 411 z = |W| - 1 - y 413 Computing J1, part 2 415 The value of z gives the reference block index in W. 417 3.5. Compression function G 419 Compression function G is built upon the BLAKE2b round function P. P 420 operates on the 128-byte input, which can be viewed as 8 16-byte 421 registers: 423 P(A_0, A_1, ... ,A_7) = (B_0, B_1, ... ,B_7) 425 Blake round function P 427 Compression function G(X, Y) operates on two 1024-byte blocks X and 428 Y. It first computes R = X XOR Y. Then R is viewed as a 8x8 matrix 429 of 16-byte registers R_0, R_1, ... , R_63. Then P is first applied 430 to each row, and then to each column to get Z: 432 ( Q_0, Q_1, Q_2, ... , Q_7) <- P( R_0, R_1, R_2, ... , R_7) 433 ( Q_8, Q_9, Q_10, ... , Q_15) <- P( R_8, R_9, R_10, ... , R_15) 434 ... 435 (Q_56, Q_57, Q_58, ... , Q_63) <- P(R_56, R_57, R_58, ... , R_63) 436 ( Z_0, Z_8, Z_16, ... , Z_56) <- P( Q_0, Q_8, Q_16, ... , Q_56) 437 ( Z_1, Z_9, Z_17, ... , Z_57) <- P( Q_1, Q_9, Q_17, ... , Q_57) 438 ... 439 ( Z_7, Z_15, Z 23, ... , Z_63) <- P( Q_7, Q_15, Q_23, ... , Q_63) 441 Core of compression function G 443 Finally, G outputs Z XOR R: 445 G: (X, Y) -> R -> Q -> Z -> Z XOR R 446 +---+ +---+ 447 | X | | Y | 448 +---+ +---+ 449 | | 450 ---->XOR<---- 451 --------| 452 | \ / 453 | +---+ 454 | | R | 455 | +---+ 456 | | 457 | \ / 458 | P rowwise 459 | | 460 | \ / 461 | +---+ 462 | | Q | 463 | +---+ 464 | | 465 | \ / 466 | P columnwise 467 | | 468 | \ / 469 | +---+ 470 | | Z | 471 | +---+ 472 | | 473 | \ / 474 ------>XOR 475 | 476 \ / 478 Argon2 compression function G. 480 3.6. Permutation P 482 Permutation P is based on the round function of BLAKE2b. The 8 483 16-byte inputs S_0, S_1, ... , S_7 are viewed as a 4x4 matrix of 484 64-bit words, where S_i = (v_{2*i+1} || v_{2*i}): 486 v_0 v_1 v_2 v_3 487 v_4 v_5 v_6 v_7 488 v_8 v_9 v_10 v_11 489 v_12 v_13 v_14 v_15 491 Matrix element labeling 493 It works as follows: 495 GB(v_0, v_4, v_8, v_12) 496 GB(v_1, v_5, v_9, v_13) 497 GB(v_2, v_6, v_10, v_14) 498 GB(v_3, v_7, v_11, v_15) 500 GB(v_0, v_5, v_10, v_15) 501 GB(v_1, v_6, v_11, v_12) 502 GB(v_2, v_7, v_8, v_13) 503 GB(v_3, v_4, v_9, v_14) 505 Feeding matrix elements to GB 507 GB(a, b, c, d) is defined as follows: 509 a = (a + b + 2 * trunc(a) * trunc(b)) mod 2^(64) 510 d = (d XOR a) >>> 32 511 c = (c + d + 2 * trunc(c) * trunc(d)) mod 2^(64) 512 b = (b XOR c) >>> 24 514 a = (a + b + 2 * trunc(a) * trunc(b)) mod 2^(64) 515 d = (d XOR a) >>> 16 516 c = (c + d + 2 * trunc(c) * trunc(d)) mod 2^(64) 517 b = (b XOR c) >>> 63 519 Details of GB 521 The modular additions in GB are combined with 64-bit multiplications. 522 Multiplications are the only difference to the original BLAKE2b 523 design. This choice is done to increase the circuit depth and thus 524 the running time of ASIC implementations, while having roughly the 525 same running time on CPUs thanks to parallelism and pipelining. 527 4. Parameter Choice 529 Argon2d is optimized for settings where the adversary does not get 530 regular access to system memory or CPU, i.e. he can not run side- 531 channel attacks based on the timing information, nor he can recover 532 the password much faster using garbage collection. These settings 533 are more typical for backend servers and cryptocurrency minings. For 534 practice we suggest the following settings: 536 o Cryptocurrency mining, that takes 0.1 seconds on a 2 Ghz CPU using 537 1 core -- Argon2d with 2 lanes and 250 MB of RAM. 539 Argon2id is optimized for more realistic settings, where the 540 adversary possibly can access the same machine, use its CPU or mount 541 cold-boot attacks. We suggest the following settings: 543 o Backend server authentication, that takes 0.5 seconds on a 2 GHz 544 CPU using 4 cores -- Argon2id with 8 lanes and 4 GiB of RAM. 546 o Key derivation for hard-drive encryption, that takes 3 seconds on 547 a 2 GHz CPU using 2 cores - Argon2id with 4 lanes and 6 GiB of 548 RAM. 550 o Frontend server authentication, that takes 0.5 seconds on a 2 GHz 551 CPU using 2 cores - Argon2id with 4 lanes and 1 GiB of RAM. 553 We recommend the following procedure to select the type and the 554 parameters for practical use of Argon2. 556 1. Select the type y. If you do not know the difference between 557 them or you consider side-channel attacks as viable threat, 558 choose Argon2id. 560 2. Figure out the maximum number h of threads that can be initiated 561 by each call to Argon2. 563 3. Figure out the maximum amount m of memory that each call can 564 afford. 566 4. Figure out the maximum amount x of time (in seconds) that each 567 call can afford. 569 5. Select the salt length. 128 bits is sufficient for all 570 applications, but can be reduced to 64 bits in the case of space 571 constraints. 573 6. Select the tag length. 128 bits is sufficient for most 574 applications, including key derivation. If longer keys are 575 needed, select longer tags. 577 7. If side-channel attacks are a viable threat, or if you're 578 uncertain, enable the memory wiping option in the library call. 580 8. Run the scheme of type y, memory m and h lanes and threads, using 581 different number of passes t. Figure out the maximum t such that 582 the running time does not exceed x. If it exceeds x even for t = 583 1, reduce m accordingly. 585 9. Hash all the passwords with the just determined values m, h, and 586 t. 588 5. Example Code 589 void fill_block(const block *prev_block, 590 const block *ref_block, 591 block *next_block) { 592 block blockR, block_tmp; 593 unsigned i; 595 copy_block(&blockR, ref_block); 596 xor_block(&blockR, prev_block); 597 copy_block(&block_tmp, &blockR); 599 /* Now blockR = ref_block + prev_block and bloc_tmp = ref_block + 600 prev_block */ 602 /* Apply Blake2 on columns of 64-bit words: (0,1,...,15), 603 then (16,17,..31)... finally (112,113,...127) */ 604 for (i = 0; i < 8; ++i) { 605 BLAKE2_ROUND_NOMSG( 606 blockR.v[16 * i], blockR.v[16 * i + 1], 607 blockR.v[16 * i + 2], blockR.v[16 * i + 3], 608 blockR.v[16 * i + 4], blockR.v[16 * i + 5], 609 blockR.v[16 * i + 6], blockR.v[16 * i + 7], 610 blockR.v[16 * i + 8], blockR.v[16 * i + 9], 611 blockR.v[16 * i + 10], blockR.v[16 * i + 11], 612 blockR.v[16 * i + 12], blockR.v[16 * i + 13], 613 blockR.v[16 * i + 14], blockR.v[16 * i + 15]); 614 } 616 /* Apply Blake2 on rows of 64-bit words: (0,1,16,17,...112,113), 617 then (2,3,18,19,...,114,115), ... and finally 618 (14,15,30,31,...,126,127) */ 619 for (i = 0; i < 8; i++) { 620 BLAKE2_ROUND_NOMSG( 621 blockR.v[2 * i], blockR.v[2 * i + 1], 622 blockR.v[2 * i + 16], blockR.v[2 * i + 17], 623 blockR.v[2 * i + 32], blockR.v[2 * i + 33], 624 blockR.v[2 * i + 48], blockR.v[2 * i + 49], 625 blockR.v[2 * i + 64], blockR.v[2 * i + 65], 626 blockR.v[2 * i + 80], blockR.v[2 * i + 81], 627 blockR.v[2 * i + 96], blockR.v[2 * i + 97], 628 blockR.v[2 * i + 112], blockR.v[2 * i + 113]); 629 } 631 copy_block(next_block, &block_tmp); 632 xor_block(next_block, &blockR); 633 } 635 Example code 637 void fill_block_with_xor(const block *prev_block, 638 const block *ref_block, 639 block *next_block) { 640 block blockR, block_tmp; 641 unsigned i; 643 copy_block(&blockR, ref_block); 644 xor_block(&blockR, prev_block); 645 copy_block(&block_tmp, &blockR); 647 /* Saving the next block contents for XOR over */ 648 xor_block(&block_tmp, next_block); 650 /* Now blockR = ref_block + prev_block and bloc_tmp = ref_block + 651 prev_block + next_block*/ 652 /* Apply Blake2 on columns of 64-bit words: (0,1,...,15) , then 653 (16,17,..31),... and finally (112,113,...127) */ 654 for (i = 0; i < 8; ++i) { 655 BLAKE2_ROUND_NOMSG( 656 blockR.v[16 * i], blockR.v[16 * i + 1], 657 blockR.v[16 * i + 2], blockR.v[16 * i + 3], 658 blockR.v[16 * i + 4], blockR.v[16 * i + 5], 659 blockR.v[16 * i + 6], blockR.v[16 * i + 7], 660 blockR.v[16 * i + 8], blockR.v[16 * i + 9], 661 blockR.v[16 * i + 10], blockR.v[16 * i + 11], 662 blockR.v[16 * i + 12], blockR.v[16 * i + 13], 663 blockR.v[16 * i + 14], blockR.v[16 * i + 15]); 664 } 666 /* Apply Blake2 on rows of 64-bit words: 667 (0,1,16,17,...112,113), then 668 (2,3,18,19,...,114,115), ... and finally 669 (14,15,30,31,...,126,127) */ 670 for (i = 0; i < 8; i++) { 671 BLAKE2_ROUND_NOMSG( 672 blockR.v[2 * i], blockR.v[2 * i + 1], 673 blockR.v[2 * i + 16], blockR.v[2 * i + 17], 674 blockR.v[2 * i + 32], blockR.v[2 * i + 33], 675 blockR.v[2 * i + 48], blockR.v[2 * i + 49], 676 blockR.v[2 * i + 64], blockR.v[2 * i + 65], 677 blockR.v[2 * i + 80], blockR.v[2 * i + 81], 678 blockR.v[2 * i + 96], blockR.v[2 * i + 97], 679 blockR.v[2 * i + 112], blockR.v[2 * i + 113]); 680 } 682 copy_block(next_block, &block_tmp); 683 xor_block(next_block, &blockR); 684 } 685 void generate_addresses(const argon2_instance_t *instance, 686 const argon2_position_t *position, 687 uint64_t *pseudo_rands) { 688 block zero_block, input_block, address_block,tmp_block; 689 uint32_t i; 691 init_block_value(&zero_block, 0); 692 init_block_value(&input_block, 0); 694 if (instance != NULL && position != NULL) { 695 input_block.v[0] = position->pass; 696 input_block.v[1] = position->lane; 697 input_block.v[2] = position->slice; 698 input_block.v[3] = instance->memory_blocks; 699 input_block.v[4] = instance->passes; 700 input_block.v[5] = instance->type; 702 for (i = 0; i < instance->segment_length; ++i) { 703 if (i % ARGON2_ADDRESSES_IN_BLOCK == 0) { 704 input_block.v[6]++; 705 init_block_value(&tmp_block, 0); 706 init_block_value(&address_block, 0); 707 fill_block_with_xor(&zero_block, &input_block, 708 &tmp_block); 709 fill_block_with_xor(&zero_block, &tmp_block, 710 &address_block); 711 } 713 pseudo_rands[i] = address_block.v[i % ARGON2_ADDRESSES_IN_BLOCK]; 714 } 715 } 717 void fill_segment(const argon2_instance_t *instance, 718 argon2_position_t position) { 719 block *ref_block = NULL, *curr_block = NULL; 720 uint64_t pseudo_rand, ref_index, ref_lane; 721 uint32_t prev_offset, curr_offset; 722 uint32_t starting_index; 723 uint32_t i; 724 int data_independent_addressing; 726 /* Pseudo-random values that determine the reference block 727 position */ 728 uint64_t *pseudo_rands = NULL; 729 if (instance == NULL) { 730 return; 731 } 733 data_independent_addressing = (instance->type == Argon2_i); 735 pseudo_rands = (uint64_t *)malloc(sizeof(uint64_t) * 736 (instance->segment_length)); 738 if (pseudo_rands == NULL) { 739 return; 740 } 742 if (data_independent_addressing) { 743 generate_addresses(instance, &position, pseudo_rands); 744 } 746 starting_index = 0; 748 if ((0 == position.pass) && (0 == position.slice)) { 749 /* we have already generated the first two blocks */ 750 starting_index = 2; 751 } 753 /* Offset of the current block */ 754 curr_offset = position.lane * instance->lane_length + 755 position.slice * instance->segment_length + 756 starting_index; 758 if (0 == curr_offset % instance->lane_length) { 759 /* Last block in this lane */ 760 prev_offset = curr_offset + instance->lane_length - 1; 761 } else { 762 /* Previous block */ 763 prev_offset = curr_offset - 1; 764 } 766 for (i = starting_index; i < instance->segment_length; 767 ++i, ++curr_offset, ++prev_offset) { 768 /*1.1 Rotating prev_offset if needed */ 769 if (curr_offset % instance->lane_length == 1) { 770 prev_offset = curr_offset - 1; 771 } 773 /* 1.2 Computing the index of the reference block */ 774 /* 1.2.1 Taking pseudo-random value from the previous block */ 775 if (data_independent_addressing) { 776 pseudo_rand = pseudo_rands[i]; 778 } else { 779 pseudo_rand = instance->memory[prev_offset].v[0]; 780 } 782 /* 1.2.2 Computing the lane of the reference block */ 783 ref_lane = ((pseudo_rand >> 32)) % instance->lanes; 785 if ((position.pass == 0) && (position.slice == 0)) { 786 /* Can not reference other lanes yet */ 787 ref_lane = position.lane; 788 } 790 /* 1.2.3 Computing the number of possible reference block 791 within the lane. */ 792 position.index = i; 793 ref_index = index_alpha(instance, &position, 794 pseudo_rand & 0xFFFFFFFF, 795 ref_lane == position.lane); 797 /* 2 Creating a new block */ 798 ref_block = instance->memory + 799 instance->lane_length * ref_lane + ref_index; 800 curr_block = instance->memory + curr_offset; 801 if (instance->version == ARGON2_OLD_VERSION_NUMBER) { 802 /* version 1.2.1 and earlier: overwrite, not XOR */ 803 fill_block(instance->memory + prev_offset, ref_block, 804 curr_block); 805 } else { 806 if(0 == position.pass) { 807 fill_block(instance->memory + prev_offset, ref_block, 808 curr_block); 809 } else { 810 fill_block_with_xor(instance->memory + prev_offset, 811 ref_block, curr_block); 812 } 813 } 814 } 816 free(pseudo_rands); 817 } 819 uint32_t index_alpha(const argon2_instance_t *instance, 820 const argon2_position_t *position, 821 uint32_t pseudo_rand, 822 int same_lane) { 823 /* 824 * Pass 0: 825 * This lane : all already finished segments plus already 826 * constructed blocks in this segment 827 * Other lanes : all already finished segments 828 * Pass 1+: 829 * This lane : (SYNC_POINTS - 1) last segments plus 830 * already constructed blocks in this segment 831 * Other lanes : (SYNC_POINTS - 1) last segments 832 */ 833 uint32_t reference_area_size; 834 uint64_t relative_position; 835 uint32_t start_position, absolute_position; 837 if (0 == position->pass) { 838 /* First pass */ 839 if (0 == position->slice) { 840 /* First slice */ 841 reference_area_size = 842 position->index - 1; /* all but the previous */ 843 } else { 844 if (same_lane) { 845 /* The same lane => add current segment */ 846 reference_area_size = position->slice * 847 instance->segment_length + 848 position->index - 1; 849 } else { 850 reference_area_size = position->slice * 851 instance->segment_length + 852 ((position->index == 0) ? (-1) : 0); 853 } 854 } 855 } else { 856 /* Second pass */ 857 if (same_lane) { 858 reference_area_size = instance->lane_length - 859 instance->segment_length + 860 position->index - 1; 861 } else { 862 reference_area_size = instance->lane_length - 863 instance->segment_length + 864 ((position->index == 0) ? (-1) : 0); 865 } 866 } 868 /* 1.2.4. Mapping pseudo_rand to 0.. 869 and produce relative position */ 870 relative_position = pseudo_rand; 871 relative_position = relative_position * relative_position >> 32; 872 relative_position = reference_area_size - 1 - 873 (reference_area_size * relative_position >> 32); 875 /* 1.2.5 Computing starting position */ 876 start_position = 0; 878 if (0 != position->pass) { 879 start_position = (position->slice == ARGON2_SYNC_POINTS - 1) 880 ? 0 881 : (position->slice + 1) * 882 instance->segment_length; 883 } 885 /* 1.2.6. Computing absolute position */ 886 absolute_position = (start_position + relative_position) % 887 instance->lane_length; /* absolute position */ 888 return absolute_position; 889 } 891 int fill_memory_blocks(argon2_instance_t *instance) { 892 uint32_t r, s; 893 argon2_thread_handle_t *thread = NULL; 894 argon2_thread_data *thr_data = NULL; 896 if (instance == NULL || instance->lanes == 0) { 897 return ARGON2_THREAD_FAIL; 898 } 900 /* 1. Allocating space for threads */ 901 thread = calloc(instance->lanes, sizeof(argon2_thread_handle_t)); 902 if (thread == NULL) { 903 return ARGON2_MEMORY_ALLOCATION_ERROR; 904 } 906 thr_data = calloc(instance->lanes, sizeof(argon2_thread_data)); 907 if (thr_data == NULL) { 908 free(thread); 909 return ARGON2_MEMORY_ALLOCATION_ERROR; 910 } 912 for (r = 0; r < instance->passes; ++r) { 913 for (s = 0; s < ARGON2_SYNC_POINTS; ++s) { 914 int rc; 915 uint32_t l; 917 /* 2. Calling threads */ 918 for (l = 0; l < instance->lanes; ++l) { 919 argon2_position_t position; 921 /* 2.1 Join a thread if limit is exceeded */ 922 if (l >= instance->threads) { 923 rc = argon2_thread_join(thread[l - instance->threads]); 924 if (rc) { 925 free(thr_data); 926 free(thread); 927 return ARGON2_THREAD_FAIL; 928 } 929 } 931 /* 2.2 Create thread */ 932 position.pass = r; 933 position.lane = l; 934 position.slice = (uint8_t)s; 935 position.index = 0; 936 /* preparing the thread input */ 937 thr_data[l].instance_ptr = instance; 938 memcpy(&(thr_data[l].pos), &position, 939 sizeof(argon2_position_t)); 940 rc = argon2_thread_create(&thread[l], &fill_segment_thr, 941 (void *)&thr_data[l]); 942 if (rc) { 943 free(thr_data); 944 free(thread); 945 return ARGON2_THREAD_FAIL; 946 } 948 /* fill_segment(instance, position); */ 949 /*Non-thread equivalent of the lines above */ 950 } 952 /* 3. Joining remaining threads */ 953 for (l = instance->lanes - instance->threads; l < 954 instance->lanes; ++l) 955 { 956 rc = argon2_thread_join(thread[l]); 957 if (rc) { 958 return ARGON2_THREAD_FAIL; 959 } 960 } 961 } 962 } 964 if (thread != NULL) { 965 free(thread); 967 } 968 if (thr_data != NULL) { 969 free(thr_data); 970 } 972 return ARGON2_OK; 973 } 975 6. Test Vectors 977 This section contains test vectors for Argon2. 979 6.1. Argon2d Test Vectors 981 ======================================= 982 Argon2d version number 19 983 ======================================= 984 Memory: 32 KiB 985 Iterations: 3 986 Parallelism: 4 lanes 987 Tag length: 32 bytes 988 Password[32]: 01 01 01 01 01 01 01 01 989 01 01 01 01 01 01 01 01 990 01 01 01 01 01 01 01 01 991 01 01 01 01 01 01 01 01 992 Salt[16]: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 993 Secret[8]: 03 03 03 03 03 03 03 03 994 Associated data[12]: 04 04 04 04 04 04 04 04 04 04 04 04 995 Pre-hashing digest: b8 81 97 91 a0 35 96 60 996 bb 77 09 c8 5f a4 8f 04 997 d5 d8 2c 05 c5 f2 15 cc 998 db 88 54 91 71 7c f7 57 999 08 2c 28 b9 51 be 38 14 1000 10 b5 fc 2e b7 27 40 33 1001 b9 fd c7 ae 67 2b ca ac 1002 5d 17 90 97 a4 af 31 09 1004 After pass 0: 1005 Block 0000 [ 0]: db2fea6b2c6f5c8a 1006 Block 0000 [ 1]: 719413be00f82634 1007 Block 0000 [ 2]: a1e3f6dd42aa25cc 1008 Block 0000 [ 3]: 3ea8efd4d55ac0d1 1009 ... 1010 Block 0031 [124]: 28d17914aea9734c 1011 Block 0031 [125]: 6a4622176522e398 1012 Block 0031 [126]: 951aa08aeecb2c05 1013 Block 0031 [127]: 6a6c49d2cb75d5b6 1015 After pass 1: 1016 Block 0000 [ 0]: d3801200410f8c0d 1017 Block 0000 [ 1]: 0bf9e8a6e442ba6d 1018 Block 0000 [ 2]: e2ca92fe9c541fcc 1019 Block 0000 [ 3]: 6269fe6db177a388 1020 ... 1021 Block 0031 [124]: 9eacfcfbdb3ce0fc 1022 Block 0031 [125]: 07dedaeb0aee71ac 1023 Block 0031 [126]: 074435fad91548f4 1024 Block 0031 [127]: 2dbfff23f31b5883 1026 After pass 2: 1027 Block 0000 [ 0]: 5f047b575c5ff4d2 1028 Block 0000 [ 1]: f06985dbf11c91a8 1029 Block 0000 [ 2]: 89efb2759f9a8964 1030 Block 0000 [ 3]: 7486a73f62f9b142 1031 ... 1032 Block 0031 [124]: 57cfb9d20479da49 1033 Block 0031 [125]: 4099654bc6607f69 1034 Block 0031 [126]: f142a1126075a5c8 1035 Block 0031 [127]: c341b3ca45c10da5 1036 Tag: 51 2b 39 1b 6f 11 62 97 1037 53 71 d3 09 19 73 42 94 1038 f8 68 e3 be 39 84 f3 c1 1039 a1 3a 4d b9 fa be 4a cb 1041 6.2. Argon2i Test Vectors 1043 ======================================= 1044 Argon2i version number 19 1045 ======================================= 1046 Memory: 32 KiB 1047 Iterations: 3 1048 Parallelism: 4 lanes 1049 Tag length: 32 bytes 1050 Password[32]: 01 01 01 01 01 01 01 01 1051 01 01 01 01 01 01 01 01 1052 01 01 01 01 01 01 01 01 1053 01 01 01 01 01 01 01 01 1054 Salt[16]: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 1055 Secret[8]: 03 03 03 03 03 03 03 03 1056 Associated data[12]: 04 04 04 04 04 04 04 04 04 04 04 04 1057 Pre-hashing digest: c4 60 65 81 52 76 a0 b3 1058 e7 31 73 1c 90 2f 1f d8 1059 0c f7 76 90 7f bb 7b 6a 1060 5c a7 2e 7b 56 01 1f ee 1061 ca 44 6c 86 dd 75 b9 46 1062 9a 5e 68 79 de c4 b7 2d 1063 08 63 fb 93 9b 98 2e 5f 1064 39 7c c7 d1 64 fd da a9 1066 After pass 0: 1067 Block 0000 [ 0]: f8f9e84545db08f6 1068 Block 0000 [ 1]: 9b073a5c87aa2d97 1069 Block 0000 [ 2]: d1e868d75ca8d8e4 1070 Block 0000 [ 3]: 349634174e1aebcc 1071 ... 1072 Block 0031 [124]: 975f596583745e30 1073 Block 0031 [125]: e349bdd7edeb3092 1074 Block 0031 [126]: b751a689b7a83659 1075 Block 0031 [127]: c570f2ab2a86cf00 1077 After pass 1: 1078 Block 0000 [ 0]: b2e4ddfcf76dc85a 1079 Block 0000 [ 1]: 4ffd0626c89a2327 1080 Block 0000 [ 2]: 4af1440fff212980 1081 Block 0000 [ 3]: 1e77299c7408505b 1082 ... 1083 Block 0031 [124]: e4274fd675d1e1d6 1084 Block 0031 [125]: 903fffb7c4a14c98 1085 Block 0031 [126]: 7e5db55def471966 1086 Block 0031 [127]: 421b3c6e9555b79d 1088 After pass 2: 1089 Block 0000 [ 0]: af2a8bd8482c2f11 1090 Block 0000 [ 1]: 785442294fa55e6d 1091 Block 0000 [ 2]: 9256a768529a7f96 1092 Block 0000 [ 3]: 25a1c1f5bb953766 1093 ... 1094 Block 0031 [124]: 68cf72fccc7112b9 1095 Block 0031 [125]: 91e8c6f8bb0ad70d 1096 Block 0031 [126]: 4f59c8bd65cbb765 1097 Block 0031 [127]: 71e436f035f30ed0 1098 Tag: c8 14 d9 d1 dc 7f 37 aa 1099 13 f0 d7 7f 24 94 bd a1 1100 c8 de 6b 01 6d d3 88 d2 1101 99 52 a4 c4 67 2b 6c e8 1103 6.3. Argon2id Test Vectors 1105 ======================================= 1106 Argon2id version number 19 1107 ======================================= 1108 Memory: 32 KiB, Iterations: 3, 1109 Parallelism: 4 lanes, Tag length: 32 bytes 1110 Password[32]: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 1111 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 1112 Salt[16]: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 1113 Secret[8]: 03 03 03 03 03 03 03 03 1114 Associated data[12]: 04 04 04 04 04 04 04 04 04 04 04 04 1115 Pre-hashing digest: 28 89 de 48 7e b4 2a e5 00 c0 00 7e d9 25 2f 1116 10 69 ea de c4 0d 57 65 b4 85 de 6d c2 43 7a 67 b8 54 6a 2f 0a 1117 cc 1a 08 82 db 8f cf 74 71 4b 47 2e 94 df 42 1a 5d a1 11 2f fa 1118 11 43 43 70 a1 e9 97 1120 After pass 0: 1121 Block 0000 [ 0]: 6b2e09f10671bd43 1122 Block 0000 [ 1]: f69f5c27918a21be 1123 Block 0000 [ 2]: dea7810ea41290e1 1124 Block 0000 [ 3]: 6787f7171870f893 1125 ... 1126 Block 0031 [124]: 377fa81666dc7f2b 1127 Block 0031 [125]: 50e586398a9c39c8 1128 Block 0031 [126]: 6f732732a550924a 1129 Block 0031 [127]: 81f88b28683ea8e5 1131 After pass 1: 1132 Block 0000 [ 0]: 3653ec9d01583df9 1133 Block 0000 [ 1]: 69ef53a72d1e1fd3 1134 Block 0000 [ 2]: 35635631744ab54f 1135 Block 0000 [ 3]: 599512e96a37ab6e 1136 ... 1137 Block 0031 [124]: 4d4b435cea35caa6 1138 Block 0031 [125]: c582210d99ad1359 1139 Block 0031 [126]: d087971b36fd6d77 1140 Block 0031 [127]: a55222a93754c692 1142 After pass 2: 1143 Block 0000 [ 0]: 942363968ce597a4 1144 Block 0000 [ 1]: a22448c0bdad5760 1145 Block 0000 [ 2]: a5f80662b6fa8748 1146 Block 0000 [ 3]: a0f9b9ce392f719f 1147 ... 1148 Block 0031 [124]: d723359b485f509b 1149 Block 0031 [125]: cb78824f42375111 1150 Block 0031 [126]: 35bc8cc6e83b1875 1151 Block 0031 [127]: 0b012846a40f346a 1152 Tag: 0d 64 0d f5 8d 78 76 6c 08 c0 37 a3 4a 8b 53 c9 d0 1153 1e f0 45 2d 75 b6 5e b5 25 20 e9 6b 01 e6 59 1155 7. Acknowledgements 1157 We thank greatly the following authors who helped a lot in preparing 1158 and reviewing this document: Jean-Philippe Aumasson, Samuel Neves, 1159 Joel Alwen, Jeremiah Blocki, Bill Cox, Arnold Reinhold, Solar 1160 Designer, Russ Housley, Stanislav Smyshlyaev, Kenny Paterson, Alexey 1161 Melnikov. 1163 8. IANA Considerations 1165 None. 1167 9. Security Considerations 1169 9.1. Security as hash function and KDF 1171 The collision and preimage resistance levels of Argon2 are equivalent 1172 to those of the underlying BLAKE2b hash function. To produce a 1173 collision, 2^(256) inputs are needed. To find a preimage, 2^(512) 1174 inputs must be tried. 1176 The KDF security is determined by the key length and the size of the 1177 internal state of hash function H'. To distinguish the output of 1178 keyed Argon2 from random, minimum of (2^(128),2^length(K)) calls to 1179 BLAKE2b are needed. 1181 9.2. Security against time-space tradeoff attacks 1183 Time-space tradeoffs allow computing a memory-hard function storing 1184 fewer memory blocks at the cost of more calls to the internal 1185 comression function. The advantage of tradeoff attacks is measured 1186 in the reduction factor to the time-area product, where memory and 1187 extra compression function cores contribute to the area, and time is 1188 increased to accomodate the recomputation of missed blocks. A high 1189 reduction factor may potentially speed up preimage search. 1191 The best attacks on the 1-pass and 2-pass Argon2i is the low-storage 1192 attack described in [CBS16], which reduces the time-area product 1193 (using the peak memory value) by the factor of 5. The best attack on 1194 3-pass and more Argon2i is [AB16] with reduction factor being a 1195 function of memory size and the number of passes. For 1 gibibyte of 1196 memory: 3 for 3 passes, 2.5 for 4 passes, 2 for 6 passes. The 1197 reduction factor grows by about 0.5 with every doubling the memory 1198 size. To completely prevent time-space tradeoffs from [AB16], the 1199 number of passes MUST exceed binary logarithm of memory minus 26. 1200 Asymptotically, the best attack on 1-pass Argon2i is given in [BZ17] 1201 with maximal advantage of the adversary upper bounded by O(m^(0.233)) 1202 where m is the number of blocks. This attack is also asymptotically 1203 optimal as [BZ17] also prove the upper bound on any attack of 1204 O(m^(0.25)). 1206 The best tradeoff attack on t-pass Argon2d is the ranking tradeoff 1207 attack, which reduces the time-area product by the factor of 1.33. 1209 The best attack on Argon2id can be obtained by complementing the best 1210 attack on the 1-pass Argon2i with the best attack on a multi-pass 1211 Argon2d. Thus the best tradeoff attack on 1-pass Argon2id is the 1212 combined low-storage attack (for the first half of the memory) and 1213 the ranking attack (for the second half), which bring together the 1214 factor of about 2.1. The best tradeoff attack on t-pass Argon2id is 1215 the ranking tradeoff attack, which reduces the time-area product by 1216 the factor of 1.33. 1218 9.3. Security for time-bounded defenders 1220 A bottleneck in a system employing the password-hashing function is 1221 often the function latency rather than memory costs. A rational 1222 defender would then maximize the bruteforce costs for the attacker 1223 equipped with a list of hashes, salts, and timing information, for 1224 fixed computing time on the defender's machine. The attack cost 1225 estimates from [AB16] imply that for Argon2i, 3 passes is almost 1226 optimal for the most of reasonable memory sizes, and that for Argon2d 1227 and Argon2id, 1 pass maximizes the attack costs for the constant 1228 defender time. 1230 9.4. Recommendations 1232 The Argon2id variant with t=1 and maximum available memory is 1233 recommended as a default setting for all environments. This setting 1234 is secure against side-channel attacks and maximizes adversarial 1235 costs on dedicated bruteforce hardware. 1237 10. References 1239 10.1. Normative References 1241 [BLAKE2] Saarinen, M-J., Ed. and J-P. Aumasson, "The BLAKE2 1242 Cryptographic Hash and Message Authentication Code (MAC)", 1243 RFC 7693, November 2015, 1244 . 1246 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1247 Requirement Levels", RFC 2119, March 1997, 1248 . 1250 10.2. Informative References 1252 [AB15] Biryukov, A. and D. Khovratovich, "Tradeoff Cryptanalysis 1253 of Memory-Hard Functions", Asiacrypt 2015, December 2015, 1254 . 1256 [AB16] Alwen, J. and J. Blocki, "Efficiently Computing Data- 1257 Independent Memory-Hard Functions", Crypto 2016, December 1258 2015, . 1260 [ARGON2] Biryukov, A., Dinu, D., and D. Khovratovich, "Argon2: the 1261 memory-hard function for password hashing and other 1262 applications", WWW www.cryptolux.org, October 2015, 1263 . 1265 [ARGON2ESP] 1266 Biryukov, A., Dinu, D., and D. Khovratovich, "Argon2: New 1267 Generation of Memory-Hard Functions for Password Hashing 1268 and Other Applications", Euro SnP 2016, March 2016, 1269 . 1271 [BZ17] Blocki, J. and S. Zhou, "On the Depth-Robustness and 1272 Cumulative Pebbling Cost of Argon2i", TCC 2017, May 2017, 1273 . 1275 [CBS16] Corrigan-Gibbs, H., Boneh, D., and S. Schechter, "Balloon 1276 Hashing: Provably Space-Hard Hash Functions with Data- 1277 Independent Access Patterns", Asiacrypt 2016, January 1278 2016, . 1280 [HARD] Alwen, J. and V. Serbinenko, "High Parallel Complexity 1281 Graphs and Memory-Hard Functions", STOC 2015, 2014, 1282 . 1284 Authors' Addresses 1286 Alex Biryukov 1287 University of Luxembourg 1289 Email: alex.biryukov@uni.lu 1291 Daniel Dinu 1292 University of Luxembourg 1294 Email: dumitru-daniel.dinu@uni.lu 1295 Dmitry Khovratovich 1296 ABDK Consulting 1298 Email: khovratovich@gmail.com 1300 Simon Josefsson 1301 SJD AB 1303 Email: simon@josefsson.org 1304 URI: http://josefsson.org/