This articlerelies excessively onreferences toprimary sources. Please improve this article by addingsecondary or tertiary sources. Find sources: "Argon2" – news ·newspapers ·books ·scholar ·JSTOR(January 2016) (Learn how and when to remove this message)

Argon2 is akey derivation function that was selected as the winner of the 2015Password Hashing Competition.^[1][2] It was designed byAlex Biryukov, Daniel Dinu, andDmitry Khovratovich from theUniversity of Luxembourg.^[3] The reference implementation of Argon2 is released under aCreative Commons CC0 license (i.e.public domain) or theApache License 2.0.

The Argon2 function uses a large, fixed-size memory region (often called the 'memory array' in documentation) to make brute-force attacks computationally expensive. The three variants differ in how they access this memory:

• Argon2d maximizes resistance to GPUcracking attacks. It accesses the memory array in a password-dependent order, which reduces the possibility oftime–memory trade-off (TMTO) attacks, but introduces possibleside-channel attacks.
• Argon2i is optimized to resist side-channel attacks. It accesses the memory array in a password-independent order.
• Argon2id is a hybrid version. It follows the Argon2i approach for the first half pass over memory and the Argon2d approach for subsequent passes.RFC 9106 recommends using Argon2id if one does not know the difference between the types or if side-channel attacks are considered to be a viable threat.^[4]

All three modes allow specification by three parameters that control:

• execution time
• memory required
• degree of parallelism

While there is no publiccryptanalysis applicable to Argon2d, there are two published attacks on the Argon2i function. The first attack is applicable only to the old version of Argon2i, while the second has been extended to the latest version (1.3).^[5]

The first attack shows that it is possible to compute a single-pass Argon2i function using between a quarter and a fifth of the desired space with no time penalty, and compute a multiple-pass Argon2i using onlyN/e (≈N/2.72) space with no time penalty.^[6] According to the Argon2 authors, this attack vector was fixed in version 1.3.^[7]

The second attack shows that Argon2i can be computed by an algorithm which has complexity O(n^7/4 log(n)) for all choices of parametersσ (space cost),τ (time cost), and thread-count such thatn=σ∗τ.^[8] The Argon2 authors claim that this attack is not efficient if Argon2i is used with three or more passes.^[7] However, Joël Alwen and Jeremiah Blocki improved the attack and showed that in order for the attack to fail, Argon2i v1.3 needs more than 10 passes over memory.^[5]

To address these concerns, RFC9106 recommends using Argon2id to largely mitigate such attacks.^[9]

Source:^[4]

Function Argon2Inputs:      password (P):       Bytes (0..232-1)Password (or message) to be hashed      salt (S):           Bytes (8..232-1)Salt (16 bytes recommended for password hashing)      parallelism (p):    Number (1..224-1)Degree of parallelism (i.e. number of threads)      tagLength (T):      Number (4..232-1)Desired number of returned bytes      memorySizeKB (m):   Number (8p..232-1)Amount of memory (inkibibytes) to use      iterations (t):     Number (1..232-1)Number of iterations to perform      version (v):        Number (0x13)The current version is 0x13 (19 decimal)      key (K):            Bytes (0..232-1)Optional key (Errata: PDF says 0..32 bytes, RFC says 0..232 bytes)      associatedData (X): Bytes (0..232-1)Optional arbitrary extra data      hashType (y):       Number (0=Argon2d, 1=Argon2i, 2=Argon2id)Output:      tag:                Bytes (tagLength)The resulting generated bytes, tagLength bytes longGenerate initial 64-byte block H0.    All the input parameters are concatenated and input as a source of additional entropy.    Errata: RFC says H0 is 64-bits; PDF says H0 is 64-bytes.    Errata: RFC says the Hash is H^, the PDF says it's ℋ (but doesn't document what ℋ is). It's actually Blake2b.    Variable length items are prepended with their length as 32-bit little-endian integers.   buffer ← parallelism ∥ tagLength ∥ memorySizeKB ∥ iterations ∥ version ∥ hashType         ∥ Length(password)       ∥ Password         ∥ Length(salt)           ∥ salt         ∥ Length(key)            ∥ key         ∥ Length(associatedData) ∥ associatedData   H0 ← Blake2b(buffer, 64)//default hash size of Blake2b is 64-bytesCalculate number of 1 KB blocks by rounding down memorySizeKB to the nearest multiple of 4*parallelismkibibytes   blockCount ← Floor(memorySizeKB, 4*parallelism)Allocate two-dimensional array of 1 KiB blocks (parallelism rows x columnCount columns)   columnCount ← blockCount / parallelism;//In the RFC, columnCount is referred to asqCompute the first and second block (i.e. column zero and one) of each lane (i.e. row)for i ← 0to parallelism-1dofor each row      Bi[0] ← Hash(H0 ∥ 0 ∥ i, 1024)//Generate a 1024-byte digest      Bi[1] ← Hash(H0 ∥ 1 ∥ i, 1024)//Generate a 1024-byte digestCompute remaining columns of each lanefor i ← 0to parallelism-1do//for each rowfor j ← 2to columnCount-1do//for each subsequent column//i' and j' indexes depend if it's Argon2i, Argon2d, or Argon2id (See section 3.4)         i′, j′ ← GetBlockIndexes(i, j)//the GetBlockIndexes function is not defined         Bi[j] = G(Bi[j-1], Bi′[j′])//the G hash function is not definedFurther passes when iterations > 1for nIteration ← 2to iterationsdofor i ← 0to parallelism-1dofor each rowfor j ← 0to columnCount-1do//for each subsequent column//i' and j' indexes depend if it's Argon2i, Argon2d, or Argon2id (See section 3.4)           i′, j′ ← GetBlockIndexes(i, j)if j == 0then              Bi[0] = Bi[0] xor G(Bi[columnCount-1], Bi′[j′])else             Bi[j] = Bi[j] xor G(Bi[j-1], Bi′[j′])Compute final blockC as the XOR of the last column of each row   C ← B0[columnCount-1]for i ← 1to parallelism-1do      C ← Cxor Bi[columnCount-1]Compute output tagreturn Hash(C, tagLength)

Argon2 makes use of a hash function capable of producing digests up to 2³² bytes long. This hash function is internally built uponBlake2.

Function Hash(message, digestSize)Inputs:       message:         Bytes (0..232-1)Message to be hashed       digestSize:      Integer (1..232)Desired number of bytes to be returnedOutput:       digest:          Bytes (digestSize)The resulting generated bytes, digestSize bytes longHash is a variable-length hash function, built using Blake2b, capable of generating    digests up to 232 bytes.If the requested digestSize is 64-bytes or lower, then we use Blake2b directlyif (digestSize <= 64)thenreturn Blake2b(digestSize ∥ message, digestSize)// concatenate 32-bit little endian digestSize with the message bytesFor desired hashes over 64-bytes (e.g. 1024 bytes for Argon2 blocks),    we use Blake2b to generate twice the number of needed 64-byte blocks,    and then only use 32-bytes from each blockCalculate the number of whole blocks (knowing we're only going to use 32-bytes from each)    r ← Ceil(digestSize/32)-2;Generate r whole blocks.Initial block is generated from message    V1 ← Blake2b(digestSize ∥ message, 64);Subsequent blocks are generated from previous blocksfor i ← 2to rdo       Vi ← Blake2b(Vi-1, 64)Generate the final (possibly partial) block    partialBytesNeeded ← digestSize – 32*r;    Vr+1 ← Blake2b(Vr, partialBytesNeeded)Concatenate the first 32-bytes of each block Vi    (except the possibly partial last block, which we take the whole thing)Let Ai represent the lower 32-bytes of block Vireturn A1 ∥ A2 ∥ ... ∥ Ar ∥ Vr+1

TheRequest for Comments document standardizing Argon2, which was published in September 2021, recommends:

• Memory: 2 GiB, Iterations: 1, Parallelism: 4; for "a default setting for all environments"^[10]
• Memory: 64 MiB, Iterations: 3, Parallelism: 4; for "memory-constrained environments"^[10]

• Argon2 source code repository on Github
• Argon2 specification
• Password Hashing Competition
• Uni.Lu Argon2 Page
• Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks
• RFC 9106 Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications

• Cryptographic hash functions
• Key derivation functions
• 2015 in computing

• Webarchive template wayback links
• Articles with short description
• Short description is different from Wikidata
• Articles lacking reliable references from January 2016
• All articles lacking reliable references