We present the Balloon algorithm for password hashing. This is the first cryptographic hash function that: (i) has proven memoryhardness properties in the random-oracle model, (ii) uses a passwordindependent access pattern, and (iii) meets—and often exceeds—the performance of the best heuristically secure password-hashing algorithms. Memory-hard functions require a large amount of working space to evaluate efficiently and, when used for password hashing, they dramatically increase the cost of offline dictionary attacks. In this work, we leverage a previously unstudied property of a certain class of graphs (“random sandwich graphs”) to analyze the memory-hardness of the Balloon algorithm. The techniques we develop are general: we also use them to give a proof of security of the scrypt and Argon2i password-hashing functions, in the random-oracle model. To motivate the need for security proofs in the area, we demonstrate a practical attack against Argon2i that successfully evaluates the function with less space than was previously claimed possible. Finally, we discuss recent important work on parallel attacks against memory-hard functions with password-independent access patterns, and we propose a defense against them. We experiment with the Balloon hashing algorithm and report on its performance relative to other claimed memory-hard functions.