Overview
Argon2 is a key derivation function and hashing algorithm formally specified in RFC 9106 by the IETF (IETF Argon2 RFC 9106). It was developed to address the limitations of earlier password hashing schemes, particularly their susceptibility to brute-force attacks using specialized hardware like Graphics Processing Units (GPUs) and Application-Specific Integrated Circuits (ASICs). The algorithm was declared the winner of the international Password Hashing Competition in 2015.
The core innovation behind Argon2 lies in its "memory-hardness" property. This means that executing the algorithm requires a significant amount of memory, making it expensive to parallelize across multiple devices. This design choice directly impedes attackers who rely on massive parallel computation to test many passwords quickly. By requiring substantial memory access, Argon2 slows down even highly optimized GPU-based cracking attempts.
Argon2 is not a single algorithm but a family of three distinct variants, each optimized for different threat models:
- Argon2d: Maximizes resistance to GPU cracking attacks. It accesses memory in a data-dependent way, which makes it challenging to implement efficiently on hardware without large caches. However, this data-dependent memory access can potentially open it up to side-channel attacks if not implemented carefully. It is primarily recommended for cryptocurrencies and other applications where the primary concern is preventing brute-force and dictionary attacks.
- Argon2i: Optimized to resist side-channel attacks. It accesses memory independently of data, ensuring that the memory access pattern does not reveal information about the password or key being hashed. This makes Argon2i suitable for password hashing and other scenarios where sensitive data might be exposed through timing or power analysis. Its memory access pattern is fixed and pre-determined.
- Argon2id: A hybrid version that combines the benefits of both Argon2d and Argon2i. It performs a mixture of data-dependent and data-independent memory accesses. Specifically, it uses Argon2i for the first pass over memory and Argon2d for subsequent passes. This hybrid approach offers a balance between resistance to GPU cracking and protection against side-channel attacks, making it the generally recommended variant for most applications, including password storage.
The algorithm allows for various tunable parameters, including memory cost (amount of RAM used), time cost (number of iterations), and parallelism (number of threads). These parameters enable developers to adjust the computational intensity of the hashing process based on their specific security requirements and available hardware resources. Implementing Argon2 correctly involves careful consideration of these parameters to ensure adequate security without excessively impacting user experience. Due to its robust design and configurable parameters, Argon2 is a strong candidate for securing sensitive data like user passwords in modern applications.
Key features
- Memory-Hardness: Designed to require significant memory access, hindering parallel cracking efforts using GPUs and ASICs.
- Multiple Variants: Offers Argon2d (GPU attack resistance), Argon2i (side-channel attack resistance), and Argon2id (hybrid, generally recommended) to suit different threat models.
- Tunable Parameters: Allows configuration of memory cost, time cost, and parallelism to balance security and performance requirements.
- Salt Support: Incorporates a unique salt for each hash operation, preventing pre-computation attacks like rainbow tables.
- Key Derivation: Functions as a key derivation function, generating cryptographic keys from passwords or other secret data.
- Open-Source: Freely available and open-source, promoting transparency and community review.
- Platform Agnostic: Well-defined standard (IETF RFC 9106 for Argon2) with implementations across numerous programming languages.
Pricing
Argon2 is an open-source algorithm and is free to use.
| Feature | Cost |
|---|---|
| Argon2 Algorithm Use | Free |
| Licensing | Open-source (typically MIT or similar, check specific implementations) |
Common integrations
Argon2 is primarily integrated into applications via libraries or SDKs available for various programming languages. While there isn't a direct "integration" in the sense of a third-party service, its adoption involves incorporating its cryptographic functions into an application's backend logic.
- C: The reference implementation for Argon2 is written in C. Developers can link against this library directly or use bindings for other languages.
- Python: Libraries like `argon2-cffi` provide Python bindings, allowing developers to hash passwords and derive keys using Argon2 within Python applications.
- Node.js: Packages such as `argon2` on npm offer native Node.js bindings for the C implementation, facilitating its use in JavaScript environments.
- PHP: PHP 7.2 and later include native support for Argon2 via the `password_hash()` and `password_verify()` functions, simplifying its adoption in web applications (PHP password_hash() documentation).
- Java: Libraries like Bouncy Castle or dedicated Argon2 implementations (e.g., `jargon2`) allow Java applications to utilize the algorithm.
- C#: Implementations are available for .NET environments, such as `Isopoh.Cryptography.Argon2`, enabling C# applications to use Argon2 for security.
- Go: Packages like `golang.org/x/crypto/argon2` provide a native Go implementation, making it accessible for Go developers.
- Ruby: Gems such as `argon2` provide Ruby bindings to the underlying C library.
- Rust: The `argon2` crate offers a Rust implementation, allowing secure password hashing in Rust applications.
Alternatives
- scrypt: Another memory-hard key derivation function designed to make large-scale custom hardware attacks costly (scrypt details on Tarsnap).
- bcrypt: A widely used password hashing function based on the Blowfish cipher, known for its adaptive hashing capabilities.
- PBKDF2 (Password-Based Key Derivation Function 2): A key derivation function that applies a pseudorandom function, such as HMAC, to derive a key from a master key or password.
Getting started
This example demonstrates how to hash and verify a password using Argon2id in Python with the argon2-cffi library. First, ensure you have the library installed:
```
pip install argon2-cffi
```
Then, you can use the following Python code:
```python
from argon2 import PasswordHasher, Type
from argon2.exceptions import VerifyMismatchError

# Initialize the Argon2 password hasher
# It's recommended to use Argon2id for most applications
ph = PasswordHasher(
    time_cost=2,
    memory_cost=16 * 1024,  # expressed in KiB, so this is 16 MiB
    parallelism=2,
    hash_len=32,
    salt_len=16,
    type=Type.ID,  # Argon2id; the variant is given as an argon2.Type member, not an integer
)

# The password to hash
password = "mySecurePassword123"

try:
    # Hash the password (a fresh random salt is generated for each call)
    hashed_password = ph.hash(password)
    print(f"Hashed password: {hashed_password}")

    # Verify the password
    input_password = "mySecurePassword123"
    ph.verify(hashed_password, input_password)
    print("Password verified successfully!")

    # Attempt to verify with an incorrect password
    incorrect_password = "wrongPassword"
    try:
        ph.verify(hashed_password, incorrect_password)
    except VerifyMismatchError:
        print("Incorrect password failed verification (as expected).")
except Exception as e:
    print(f"An error occurred: {e}")
```
This script first initializes a PasswordHasher instance with recommended parameters for Argon2id. It then hashes a sample password and subsequently attempts to verify both a correct and an incorrect password against the generated hash, demonstrating the basic usage of Argon2 for secure password storage.
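The string returned by `ph.hash()` records the variant, version, memory cost, time cost, parallelism, salt and digest, so stored hashes can be audited against a minimum policy without knowing any password. The following standard-library-only audit is an added example, not code from the original page or from argon2-cffi; the `POLICY` floors and the sample hashes are assumptions constructed for illustration.

```python
import base64

# Assumed site policy (hypothetical floors, not from the page); m is in KiB.
POLICY = {"variant": "argon2id", "v": 19, "m": 64 * 1024, "t": 2,
          "salt_len": 16, "hash_len": 32}

def _b64len(field):
    """Decoded byte length of an unpadded base64 field of an encoded hash."""
    return len(base64.b64decode(field + "=" * (-len(field) % 4)))

def parse_encoded(encoded):
    """Split '$argon2id$v=19$m=..,t=..,p=..$salt$hash' into its fields."""
    parts = encoded.split("$")
    if len(parts) == 5:  # older encodings omit the version field: 0x10 (16)
        parts.insert(2, "v=16")
    if (len(parts) != 6 or parts[0] or not parts[1].startswith("argon2")
            or not parts[2].startswith("v=")):
        raise ValueError("not an Argon2 encoded hash")
    params = dict(kv.split("=", 1) for kv in parts[3].split(","))
    return {"variant": parts[1], "v": int(parts[2][2:]),
            "m": int(params["m"]), "t": int(params["t"]), "p": int(params["p"]),
            "salt_len": _b64len(parts[4]), "hash_len": _b64len(parts[5])}

def audit(encoded, policy=POLICY):
    """Return a list of findings; an empty list means the hash meets policy."""
    h = parse_encoded(encoded)
    findings = []
    if h["variant"] != policy["variant"]:
        findings.append(f"variant {h['variant']} (want {policy['variant']})")
    for key in ("v", "m", "t", "salt_len", "hash_len"):
        if h[key] < policy[key]:
            findings.append(f"{key}={h[key]} below {policy[key]}")
    return findings

# Constructed sample hashes: salt and digest bytes are filler, not real digests.
_salt = base64.b64encode(b"0123456789abcdef").decode().rstrip("=")
_tag = base64.b64encode(bytes(32)).decode().rstrip("=")
SAMPLES = {
    "page_params": f"$argon2id$v=19$m=16384,t=2,p=2${_salt}${_tag}",
    "meets_policy": f"$argon2id$v=19$m=65536,t=3,p=4${_salt}${_tag}",
    "legacy_2i": f"$argon2i$m=4096,t=3,p=1${_salt}${_tag}",
}

if __name__ == "__main__":
    for name, enc in SAMPLES.items():
        print(name, audit(enc) or "ok")
```

Hashes that produce findings are candidates for re-hashing with current parameters the next time the user logs in successfully.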