The Balloon function is a new memory-hard password-hashing function
that exhibits a number of desirable properties. The Balloon function:
- Has Proven Memory-Hardness Properties.
The Balloon hash function is moderately hard to compute with N bits
of space but is prohibitively expensive to compute with much less space than that (e.g., N/8
bits). In contrast to many existing constructions,
we support our space-hardness claims with an analysis in the random-oracle model.
- Is Built from Standard Primitives.
The Balloon hash algorithm is a "mode of operation" for a
standard non-space-hard cryptographic hash function.
As such, it can use any standard cryptographic hash function
(SHA-3, SHA-512, etc.) as a subroutine.
- Is Resistant to Cache Attacks.
The memory access pattern of the Balloon hash function is independent
of the password being hashed. Thus, an adversary who can observe the memory
access patterns of a Balloon computation, e.g. via cache side-channels
on a multi-user system, learns no information about the password being hashed.
- Is Practical.
The Balloon hash function is easy to implement and matches the performance
of the best practical password-hashing algorithms.
- Research Paper.
A working draft of the Balloon Hashing paper is online here: IACR ePrint 2016/027.
- Research prototype code. Available on GitHub.
Warning: this code is NOT safe for production use! Use it only
for performance tests.
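The cache-attack resistance and "mode of operation" properties listed above can be checked directly. The following is an added example, not the project's prototype code: a simplified sketch of the expand/mix/extract structure described in the paper, built on SHA-256, that records every buffer index it reads. The parameter names (`s_cost`, `t_cost`, `delta`), the input encoding and the sample inputs are assumptions, and the output is not interoperable with the prototype.

```python
import hashlib

def _h(cnt, *parts):
    """SHA-256 over a counter and length-prefixed inputs (ints or bytes)."""
    m = hashlib.sha256(cnt.to_bytes(8, "little"))
    for p in parts:
        b = p if isinstance(p, bytes) else p.to_bytes(8, "little")
        m.update(len(b).to_bytes(8, "little") + b)
    return m.digest()

def balloon(password, salt, s_cost=16, t_cost=3, delta=3):
    """Return (digest, trace); trace lists every buffer index read while mixing."""
    cnt, trace = 0, []
    buf = [_h(cnt, password, salt)]            # expand: only step that reads the password
    cnt += 1
    for m in range(1, s_cost):
        buf.append(_h(cnt, buf[m - 1]))
        cnt += 1
    for t in range(t_cost):                    # mix: t_cost passes over the buffer
        for m in range(s_cost):
            prev = (m - 1) % s_cost
            trace.append(prev)
            buf[m] = _h(cnt, buf[prev], buf[m])
            cnt += 1
            for i in range(delta):
                # Index comes from the salt and public counters only,
                # never from the password or from buffer contents.
                other = int.from_bytes(_h(cnt, salt, t, m, i), "little") % s_cost
                cnt += 1
                trace.append(other)
                buf[m] = _h(cnt, buf[m], buf[other])
                cnt += 1
    return buf[-1], trace                      # extract: last block is the output

def same_access_pattern(salt, pw_a, pw_b):
    """True if two passwords hashed under one salt touch memory identically."""
    return balloon(pw_a, salt)[1] == balloon(pw_b, salt)[1]

if __name__ == "__main__":
    salt = b"constructed-salt"                 # constructed sample inputs
    print(same_access_pattern(salt, b"hunter2", b"correct horse"))
    print(balloon(b"hunter2", salt)[0] != balloon(b"correct horse", salt)[0])
```

Swapping `hashlib.sha256` for another standard hash changes the digests but not the property: the trace depends on the salt and cost parameters alone.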
Subscribe to firstname.lastname@example.org
to get announcements about Balloon Hashing.
The mailing list is also the best way to contact us about the project.