brypt vs scrypt vs Argon2

  • Prefer Argon2 over scrypt
  • Prefer scrypt over bcrypt

bcrypt

  • it lacks memory hardness
  • there is (some) interest in attacking bcrypt using hybrid ARM / FPGA SoCs

scrypt

  • scrypt has memory hardness as part of its design
  • scrypt memory hardness is tied to a single scalar cost factor
  • scrypt iteration count is tied to a single scalar cost factor

Argon2

  • Argon2 won the PHC in 2015
  • Argon2 is built around AES cipher and most modern x86_64 and ARMv8 processors implement an AES instruction set extension
  • Argon2 is resistant to ranking tradeoff attacks
  • Argon2 allows to parametrize the memory hardness, the CPU hardness and a parallelism factor
  • Argon2 has three different implementations: Argon2d, Argon2i and Argon2id
  • Argon2d is computationally expensive and resistant to acceleration by GPUs, FPGAs, and ASICs with limited memory bandwidth
  • Argon2i selects memory addresses independently of the password. This reduces its resistance to GPU cracking, but eliminates the side-channel attack.
  • Argon2id is a hybrid approach: the 1st pass uses the Argon2i and subsequent passes use the Argon2d