Password Hashing Competition

Password hashing is everywhere, from web services' credentials storage to mobile and desktop authentication or disk encryption systems. Yet there wasn't an established standard to fulfill the needs of modern applications and to best protect against attackers. We started the Password Hashing Competition (PHC) to solve this problem.

PHC ran from 2013 to 2015 as an open competition—the same kind of process as NIST's AES and SHA-3 competitions, and the most effective way to develop a crypto standard. We received 24 candidates, including many excellent designs, and selected one winner, Argon2, an algorithm designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from University of Luxembourg.

We recommend that you use Argon2 rather than legacy algorithms. You'll find the specifications and reference code just below.

Argon2

GitHub repo containing the specs and code (latest release)
Specifications PDF, including rationale and analysis

The reference code is C89-compliant C, licensed under CC0, a.k.a. public domain. It should compile on x86 and x86_64 architectures, as well as most ARM architectures (except for the code optimized for x86 and x86_64). It should compile on Linux, OS X, and Windows OS', as well as MinGW environments.

There are two main versions of Argon2, Argon2i and Argon2d. Argon2i is the safest against side-channel attacks, while Argon2d provides the highest resistance against GPU cracking attacks.

Argon2i and Argon2d are parametrized by

A time cost, which defines the execution time
A memory cost, which defines the memory usage
A parallelism degree, which defines the number of threads

See the README for detailed instructions. You can try Argon2 online on argon2.online.

Bindings are available for most languages.

PHC

The Password Hashing Competition (PHC) was initiated by Jean-Philippe Aumasson in fall 2012, and organized thanks to a panel joined by Tony Arcieri (@bascule, Square) Dmitry Chestnykh (@dchest, Coding Robots), Jeremi Gosney (@jmgosney, Stricture Consulting Group), Russell Graves (@bitweasil, Cryptohaze), Matthew Green (@matthew_d_green, Johns Hopkins University), Peter Gutmann (University of Auckland), Pascal Junod (@cryptopathe, HEIG-VD), Poul-Henning Kamp (FreeBSD), Stefan Lucks (Bauhaus-Universität Weimar), Samuel Neves (@sevenps, University of Coimbra), Colin Percival (@cperciva, Tarsnap), Alexander Peslyak (@solardiz, Openwall), Marsh Ray (@marshray, Microsoft), Jens Steube (@hashcat, Hashcat project), Steve Thomas (@Sc00bzT, TobTu), Meltem Sonmez Turan (NIST), Zooko Wilcox-O'Hearn (@zooko, Least Authority Enterprises), Christian Winnerlein (@codesinchaos, Pactas), Elias Yarrkov (@yarrkov).

In Q1 2013 we published the call for submissions, and by the deadline on March 31, 2014 we had received 24 submissions. In December 2014 we shortlisted 9 finalists and published a short report. In July 2015 we announced Argon2 as a winner and gave special recognition to four of the finalists:

Catena, for its agile framework approach and side-channel resistance (Catena-v5.tar.gz)
Lyra2, for its elegant sponge-based design, and alternative approach to side-channel resistance (Lyra2-v3.tar.gz)
Makwa, for its unique delegation feature and its factoring-based security (Makwa-v1.tar.gz)
yescrypt, for its rich feature set and easy upgrade path from scrypt (yescrypt-v2.tar.gz)

Contact

Questions about Argon2 or PHC can be addressed to the public mailing list [email protected] (you need to register first by sending an empty message to [email protected]). Public archives of this mailing list are available thanks to Gmane.

Issues with the Argon2 code should preferably be reported in the GitHub issues space. For private contact related to Argon2, please email [email protected]. For any other issue, please email [email protected].