
The balloon hashing algorithm has been compared to the argon2 algorithm, and with its memory accesses being password independent it is most similar to argon2i. Sources such as the RFC for argon2 and OWASP recommend the use of argon2id for password hashing above both argon2i and argon2d, and I've seen many others make the same recommendation.

Therefore I was thinking of how to make the balloon hash act more like argon2id instead of argon2i. I couldn't find any resources where this was done, so since it seemed like a simple modification I came up with a suggestion of my own. In section 3.1 of the balloon paper they describe the algorithm and provide a pseudocode outline. In step 2b:

// Step 2b. Hash in pseudorandomly chosen blocks.
for i from 0 to delta-1:
    block_t idx_block = ints_to_block(t, m, i)
    int other = to_int(hash(cnt++, salt, idx_block)) mod s_cost
    buf[m] = hash(cnt++, buf[m], buf[other])

in order to create the argon2d-like algorithm, would it be enough to change the index of the dependency blocks to be password dependent? I.e. changing that line to the following:

int other = to_int(hash(cnt++, salt, password, idx_block)) mod s_cost

So the first half of the rounds are the regular "i-variant" and the second half is this proposed "d-variant", making the whole more similar to argon2id. I can't see any obvious issues with this idea. Maybe there are other places where this has already been investigated or discussed? It would be a simple extension of balloon hash, and it felt logical since it's been compared to argon2.

n-l-i
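
The modification proposed in the question, written out as an added example (not part of the original post and not the Balloon authors' code): it follows the outline of the paper's pseudocode and records every `other` index chosen in step 2b, so the password dependence of the memory access pattern can be observed directly. Assumptions: SHA-256 as `hash`, the length-prefixed field encoding, `delta = 3`, the split at `t_cost // 2`, and the names `balloon`, `H`, `hybrid` and `first_divergence`; the output is not interoperable with any Balloon implementation.

```python
import hashlib

DELTA = 3  # pseudorandom dependencies per block (assumed value of delta)

def H(cnt, *parts):
    # hash(cnt, parts...): SHA-256 over length-prefixed fields (encoding is an assumption)
    h = hashlib.sha256(cnt.to_bytes(8, "little"))
    for p in parts:
        h.update(len(p).to_bytes(8, "little") + p)
    return h.digest()

def balloon(password, salt, s_cost, t_cost, hybrid=False):
    """Return (digest, trace); trace is every `other` index read in step 2b."""
    cnt, trace = 0, []
    buf = [H(cnt, password, salt)]           # step 1: expand input into buffer
    cnt += 1
    for m in range(1, s_cost):
        buf.append(H(cnt, buf[m - 1]))
        cnt += 1
    for t in range(t_cost):
        # hybrid: rounds in the second half mix the password into the index hash
        dependent = hybrid and t >= t_cost // 2
        for m in range(s_cost):
            buf[m] = H(cnt, buf[(m - 1) % s_cost], buf[m])    # step 2a
            cnt += 1
            for i in range(DELTA):                             # step 2b
                idx_block = b"".join(v.to_bytes(8, "little") for v in (t, m, i))
                extra = (password,) if dependent else ()
                digest = H(cnt, salt, *extra, idx_block)
                cnt += 1
                other = int.from_bytes(digest, "little") % s_cost
                trace.append(other)
                buf[m] = H(cnt, buf[m], buf[other])
                cnt += 1
    return buf[s_cost - 1], trace            # step 3: extract output

def first_divergence(a, b):
    """Index of the first differing access, or None if the traces are identical."""
    return next((k for k, (x, y) in enumerate(zip(a, b)) if x != y), None)

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample inputs
    for hybrid in (False, True):
        _, ta = balloon(b"password A", salt, 16, 4, hybrid)
        _, tb = balloon(b"password B", salt, 16, 4, hybrid)
        print("hybrid" if hybrid else "plain ", first_divergence(ta, tb))
```

With `hybrid=False` the two traces are identical for any pair of passwords; with `hybrid=True` they agree for the first half of the rounds and diverge in the second half, which is the point where an observer of the access pattern starts learning something about the password.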