Balloon hashing explained

Balloon hashing is a key derivation function presenting proven memory-hard password-hashing and modern design. It was created by Dan Boneh, Henry Corrigan-Gibbs (both at Stanford University) and Stuart Schechter (Microsoft Research) in 2016.^{[1] [2]} It is a recommended function in NIST password guidelines.^[3]

The authors claim that Balloon:

• has proven memory-hardness properties,
• is built from standard primitives: it can use any standards non-space-hard cryptographic hash function as a sub-algorithm (e.g., SHA-3, SHA-512),
• is resistant to side-channel attacks: the memory access pattern is independent of the data to be hashed,
• is easy to implement and matches the performance of similar algorithms.

Balloon is compared by its authors with Argon2, a similarly performing algorithm.^[1]

Algorithm

There are three steps in the algorithm:^[1]

1. Expansion, where an initial buffer is filled with a pseudorandom byte sequence derived from the password and salt repeatedly hashed.
2. Mixing, where the bytes in the buffer are mixed time_cost number of times.
3. Output, where a portion of the buffer is taken as the hashing result.

External links

• Research prototype code on Github
• Python implementation
• Rust implementation
• Efficiently Computing Data-Independent Memory-Hard Functions . Alwen. Blocki . ePrint . 2016 . 2016 . 115.
• Towards Practical Attacks on Argon2i and Balloon Hashing . Alwen . Blocki . ePrint . 2016 . 2016 . 759.

Notes and References

1. Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks . ePrint . 2016 . 27 . 2016-01-11 . 2019-09-03 . Boneh . Dan . Corrigan-Gibbs . Henry . Schechter . Stuart.
2. Web site: Balloon Hashing . Stanford Applied Crypto Group . Stanford University . 2019-09-03.
3. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf NIST SP800-63B Section 5.1.1.2