Balloon Hash Logo

Balloon Hashing

A memory-hard function providing provable protection against sequential attacks.




The Balloon function is a new memory-hard password-hashing function that exhibits a number of desirable properties. The Balloon function:
  • Has Proven Memory-Hardness Properties. The Balloon hash function is moderately hard to compute with N bits of space but is prohibitively expensive to compute with much less space than that (e.g., N/8 bits). In contrast to many existing constructions, we support our space-hardness claims with an analysis in the random-oracle model.
  • Is Built from Standard Primitives. The Balloon hash algorithm is a "mode of operation" for a standard non-space-hard cryptographic hash function. As such, it can use any standard cryptographic hash function (SHA-3, SHA-512, etc.) as a subroutine.
  • Is Resistant to Cache Attacks. The memory access pattern of the Balloon hash function is independent of the password being hashed. Thus, an adversary who can observe the memory access patterns of a Balloon computation, e.g. via cache side-channels on a multi-user system, learns no information about the password being hashed.
  • Is Practical. The Balloon hash function is easy to implement and matches the performance of the best practical password-hashing algorithms.


  • Research Paper. A working draft of the Balloon Hashing paper is online here: IACR ePrint 2016/027.
  • Research prototype code. Available on GitHub. Warning: this code is NOT safe for production use! Use it only for performance tests.

Mailing List

Subscribe to to get announcements about Balloon Hashing. The mailing list is also the best way to contact us about the project.