---
_id: '1176'
abstract:
- lang: eng
  text: The algorithm Argon2i-B of Biryukov, Dinu and Khovratovich is currently being
    considered by the IRTF (Internet Research Task Force) as a new de-facto standard
    for password hashing. An older version (Argon2i-A) of the same algorithm was chosen
    as the winner of the recent Password Hashing Competition. An important competitor
    to Argon2i-B is the recently introduced Balloon Hashing (BH) algorithm of Corrigan-Gibs,
    Boneh and Schechter. A key security desiderata for any such algorithm is that
    evaluating it (even using a custom device) requires a large amount of memory amortized
    across multiple instances. Alwen and Blocki (CRYPTO 2016) introduced a class of
    theoretical attacks against Argon2i-A and BH. While these attacks yield large
    asymptotic reductions in the amount of memory, it was not, a priori, clear if
    (1) they can be extended to the newer Argon2i-B, (2) the attacks are effective
    on any algorithm for practical parameter ranges (e.g., 1GB of memory) and (3)
    if they can be effectively instantiated against any algorithm under realistic
    hardware constrains. In this work we answer all three of these questions in the
    affirmative for all three algorithms. This is also the first work to analyze the
    security of Argon2i-B. In more detail, we extend the theoretical attacks of Alwen
    and Blocki (CRYPTO 2016) to the recent Argon2i-B proposal demonstrating severe
    asymptotic deficiencies in its security. Next we introduce several novel heuristics
    for improving the attack's concrete memory efficiency even when on-chip memory
    bandwidth is bounded. We then simulate our attacks on randomly sampled Argon2i-A,
    Argon2i-B and BH instances and measure the resulting memory consumption for various
    practical parameter ranges and for a variety of upperbounds on the amount of parallelism
    available to the attacker. Finally we describe, implement, and test a new heuristic
    for applying the Alwen-Blocki attack to functions employing a technique developed
    by Corrigan-Gibs et al. for improving concrete security of memory-hard functions.
    We analyze the collected data and show the effects various parameters have on
    the memory consumption of the attack. In particular, we can draw several interesting
    conclusions about the level of security provided by these functions. · For the
    Alwen-Blocki attack to fail against practical memory parameters, Argon2i-B must
    be instantiated with more than 10 passes on memory - beyond the "paranoid" parameter
    setting in the current IRTF proposal. · The technique of Corrigan-Gibs for improving
    security can also be overcome by the Alwen-Blocki attack under realistic hardware
    constraints. · On a positive note, both the asymptotic and concrete security of
    Argon2i-B seem to improve on that of Argon2i-A.
article_number: '7961977'
article_processing_charge: No
author:
- first_name: Joel F
  full_name: Alwen, Joel F
  id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
  last_name: Alwen
- first_name: Jeremiah
  full_name: Blocki, Jeremiah
  last_name: Blocki
citation:
  ama: 'Alwen JF, Blocki J. Towards practical attacks on Argon2i and balloon hashing.
    In: IEEE; 2017. doi:<a href="https://doi.org/10.1109/EuroSP.2017.47">10.1109/EuroSP.2017.47</a>'
  apa: 'Alwen, J. F., &#38; Blocki, J. (2017). Towards practical attacks on Argon2i
    and balloon hashing. Presented at the EuroS&#38;P: European Symposium on Security
    and Privacy, Paris, France: IEEE. <a href="https://doi.org/10.1109/EuroSP.2017.47">https://doi.org/10.1109/EuroSP.2017.47</a>'
  chicago: Alwen, Joel F, and Jeremiah Blocki. “Towards Practical Attacks on Argon2i
    and Balloon Hashing.” IEEE, 2017. <a href="https://doi.org/10.1109/EuroSP.2017.47">https://doi.org/10.1109/EuroSP.2017.47</a>.
  ieee: 'J. F. Alwen and J. Blocki, “Towards practical attacks on Argon2i and balloon
    hashing,” presented at the EuroS&#38;P: European Symposium on Security and Privacy,
    Paris, France, 2017.'
  ista: 'Alwen JF, Blocki J. 2017. Towards practical attacks on Argon2i and balloon
    hashing. EuroS&#38;P: European Symposium on Security and Privacy, 7961977.'
  mla: Alwen, Joel F., and Jeremiah Blocki. <i>Towards Practical Attacks on Argon2i
    and Balloon Hashing</i>. 7961977, IEEE, 2017, doi:<a href="https://doi.org/10.1109/EuroSP.2017.47">10.1109/EuroSP.2017.47</a>.
  short: J.F. Alwen, J. Blocki, in:, IEEE, 2017.
conference:
  end_date: 2017-04-28
  location: Paris, France
  name: 'EuroS&P: European Symposium on Security and Privacy'
  start_date: 2017-04-26
date_created: 2018-12-11T11:50:33Z
date_published: 2017-07-03T00:00:00Z
date_updated: 2023-09-20T11:22:25Z
day: '03'
department:
- _id: KrPi
doi: 10.1109/EuroSP.2017.47
external_id:
  isi:
  - '000424197300011'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2016/759
month: '07'
oa: 1
oa_version: Submitted Version
publication_identifier:
  isbn:
  - 978-150905761-0
publication_status: published
publisher: IEEE
publist_id: '6178'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Towards practical attacks on Argon2i and balloon hashing
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2017'
...