Balloon hashing

Balloon hashing is a key derivation function presenting proven memory-hard password-hashing and modern design. It was created by Dan Boneh and Henry Corrigan-Gibbs (Stanford University) and Stuart Schechter (Microsoft Research) in 2016.^[1]^[2] It is a recommended function in NIST password guidelines.

The authors claim that Balloon:

has proven memory-hardness properties,
is built from standard primitives: it can use any standards non-space-hard cryptographic hash function as a sub-algorithm (SHA-3, SHA-512, …),
is resistant to side-channel attacks: the memory access pattern is independent of the data to be hashed,
is easy to implement and matches the performance of similar algorithms.

It is compared with Argon2, a similarly performing algorithm.

Algorithm

The first step is expansion, where an initial buffer is filled with a pseudorandom byte sequence derived from the password and salt repeatedly hashed.

In the second step mixing is performed, where the bytes in the buffer are mixed time_cost number of times.

In the third step the system outputs the buffer as the hashing result.

References

^ Boneh, Dan; Corrigan-Gibbs, Henry; Schechter, Stuart (2016-01-11). "Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks". ePrint. 2016 (027). Retrieved 2019-09-03.
^ "Balloon Hashing". Stanford Applied Crypto Group. Stanford. Retrieved 2019-09-03.

External links

research prototype code on Github
Python implementation
Alwen; Blocki. "Efficiently Computing Data-Independent Memory-Hard Functions". ePrint. 2016 (115).
Alwen; Blocki. "Towards Practical Attacks on Argon2i and Balloon Hashing". ePrint. 2016 (759).

[eprint-1] Boneh, Dan; Corrigan-Gibbs, Henry; Schechter, Stuart (2016-01-11). "Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks". ePrint. 2016 (027). Retrieved 2019-09-03.

[stanford-2] "Balloon Hashing". Stanford Applied Crypto Group. Stanford. Retrieved 2019-09-03.

[1]

[2]