# Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks

@inproceedings{Boneh2016BalloonHA, title={Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks}, author={Dan Boneh and Henry Corrigan-Gibbs and Stuart E. Schechter}, booktitle={ASIACRYPT}, year={2016} }

We present the Balloon password-hashing algorithm. This is the first practical cryptographic hash function that: (i) has proven memory-hardness properties in the random-oracle model, (ii) uses a password-independent access pattern, and (iii) meets—and often exceeds—the performance of the best heuristically secure password-hashing algorithms. Memory-hard functions require a large amount of working space to evaluate efficiently and, when used for password hashing, they dramatically increase the…

## 58 Citations

Towards Quantum Large-Scale Password Guessing on Real-World Distributions

- Computer ScienceIACR Cryptol. ePrint Arch.
- 2021

This work studies quantum large-scale password guessing attacks for the first time and gains a square-root speedup in the quantum setting when attacking a constant fraction of all passwords, even considering strongly biased password distributions as they appear in real-world password breaches.

Memory hard functions and persistent memory hardness

- Computer Science
- 2022

This survey looks at two MHF constructions and their upper and lower bounds under different metrics of space and time complexity.

Data-Independent Memory Hard Functions: New Attacks and Stronger Constructions

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2018

This work constructs a new iMHF with a strong sustained space-complexity guarantee and empirically demonstrates that the construction is asymptotically optimal under every MHF criteria, and empirical analysis reverses the prior conclusion that DRSample provides stronger resistance to known pebbling attacks.

On the Memory-Hardness of Data-Independent Password-Hashing Functions

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2016

This work captures the evaluation of an iMHF as a directed acyclic graph (DAG) and investigates a combinatorial property of each underlying DAG, called its depth-robustness, which is a measure for the hardware cost of evaluating the iM HF on an ASIC.

Memory-Hard Functions from Cryptographic Primitives

- Computer Science, MathematicsCRYPTO
- 2019

Memory-hard functions are used e.g. for password protection, password-based key-derivation, and within cryptocurrencies, and have received a considerable amount of theoretical scrutiny over the last few years.

Ju l 2 01 8 RiffleScrambler – a memory-hard password storing function ∗ †

- Computer Science
- 2018

RiffleScrambler is a new family of directed acyclic graphs and a corresponding data-independent memory hard function with password independent memory access and its memory hardness is proved in the random oracle model.

Password-Hashing Status

- Computer ScienceCryptogr.
- 2017

This paper provides a review of password-hashing schemes until the first quarter of 2017 and a relevant performance evaluation analysis on a common setting in terms of code size, memory consumption, and execution time.

Bandwidth Hard Functions for ASIC Resistance

- Computer ScienceTCC
- 2017

A model for hardware energy cost that has sound foundations in practice is proposed and scrypt, Catena-BRG and Balloon are bandwidth hard with suitable parameters and a capacity hard function is not necessarily bandwidth hard, with a stacked double butterfly graph being a counterexample.

Bandwidth-Hard Functions from Random Permutations

- Computer Science, Mathematics
- 2022

This work shows how random oracles can be instantiated using random permutations in the context of bandwidth-hard functions, and results are generic and valid for any hard-to-pebble graphs.

Computationally Data-Independent Memory Hard Functions

- Computer Science, MathematicsITCS
- 2020

The notion of computationally data-independent memory hard functions (ciMHFs) is introduced and it is answered in the affirmative when the ciMHF evaluation algorithm is executed on a two-tiered memory architecture (RAM/Cache).

## References

SHOWING 1-10 OF 103 REFERENCES

Fast and Tradeoff-Resilient Memory-Hard Functions for Cryptocurrencies and Password Hashing

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2015

This work develops a simple and cryptographically secure approach to the design of memory-hard functions and shows how to exploit the architecture of modern CPUs and memory chips to make faster and more secure schemes compared to existing alternatives such as scrypt.

Memory-Demanding Password Scrambling

- Computer ScienceASIACRYPT
- 2014

This paper mounts a cache-timing attack on scrypt by exploiting its password-dependent memory-access pattern and presents a novel password scrambler called Catena which provides both a password-independent memory- access pattern and resistance against garbage-collector attacks.

Lyra: password-based key derivation with tunable memory and processing costs

- Computer ScienceJournal of Cryptographic Engineering
- 2013

If the authors fix Lyra ’s total processing time $$t$$t in a legitimate platform, the cost of a memory-free attack against the algorithm is exponential, while the best-known result in the literature (namely, against the scrypt algorithm) is quadratic.

Useful password hashing: how to waste computing cycles with style

- Computer Science, MathematicsNSPW '13
- 2013

This work proposes a conceptually new method to construct password hashes called "useful" password hashes (UPHs), that do not simply waste computing cycles as other constructions do, but use those cycles to solve other computational problems at the same time, while still being a secure password hash.

Perfectly Secure Password Protocols in the Bounded Retrieval Model

- Computer Science, MathematicsTCC
- 2006

This model studies the problem of constructing efficient password protocols that remain secure against offline dictionary attacks even when a large (but bounded) part of the storage of the server responsible for password verification is retrieved by an intruder through a remote or local connection.

Mitigating Dictionary Attacks on Password-Protected Local Storage

- Computer Science, MathematicsCRYPTO
- 2006

This work proposes an approach for limiting off-line dictionary attacks in this setting without relying on secret storage or secure hardware, and describes a simple protocol using this approach, which raises a host of modeling and technical issues, such as new properties of human-solvable puzzles and some seemingly hard combinatorial problems.

One-Time Computable Self-erasing Functions

- Computer Science, MathematicsTCC
- 2011

A new cryptographic notion is introduced that is a one-time computable pseudorandom function (PRF) that can be evaluated on at most one input, even by an adversary who controls the device storing the key K, and it is shown that this tool can be used to improve the communication complexity of proofs-of-erasure schemes.

STRONGER KEY DERIVATION VIA SEQUENTIAL MEMORY-HARD FUNCTIONS

- Computer Science, Mathematics
- 2009

A family of key derivation functions are presented which, under the random oracle model of cryptographic hash functions, are provably sequential memory-hard, and a variation which appears to be marginally stronger at the expense of lacking provable strength.

Merkle-Damgård Revisited: How to Construct a Hash Function

- Computer Science, MathematicsCRYPTO
- 2005

It is shown that the current design principle behind hash functions such as SHA-1 and MD5 — the (strengthened) Merkle-Damgard transformation — does not satisfy a new security notion for hash-functions, stronger than collision-resistance.

Tradeoff Cryptanalysis of Memory-Hard Functions

- Computer ScienceASIACRYPT
- 2015

It is shown that using $$M^{4/5}$$ memory instead of M the authors have no time penalties and reduce the AT cost by the factor of 25, and a novel ranking tradeoff is developed and applied to yescrypt and Lyra2.