
It's a fact that scrypt and argon2 are the two dominant memory-hard KDFs. But which one of them is more recommendable for password hashing? scrypt is older and, as far as I know, resistant to almost every kind of hardware-based attack, but vulnerable to side-channel attacks. How strong is argon2 (i/d) by comparison with regard to memory hardness and side-channel resistance?

Rukako
Richard R. Matthews

1 Answer


As far as I read, scrypt can be used for some time/memory tradeoffs where you save memory but take more computations, which may truly be an annoying thing.

Argon2d uses data dependent on the input (i.e. the password), which makes it a lot stronger against these tradeoff attacks but opens side-channels (which IIRC is only a problem if you have an attacker directly on your computer, meaning that it isn't too bad on web servers you don't share with others).

Argon2i instead has independent data, which thwarts the side channels but leaves it a little more open to the tradeoff, so not the best idea but still not a bad thing.

And then there's Argon2id, which uses them in a hybrid way to thwart both tradeoffs and side channels.

The IETF draft states:

If you do not know the difference between them or you consider side-channel attacks as viable threat, choose Argon2id.

So the best way to go would be Argon2id.


By the way, a small update:

PHP has Argon2id set for going into 7.3 and unless something goes seriously wrong in the next few days until Feature Freeze, it will be a part of PHP 7.3's password_hash(), making it available to people without access to extensions.

My1
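
To make the data-dependent versus data-independent distinction in the answer above concrete, here is an added example (not part of the original answer, and not real Argon2): a simplified Python model of one memory-filling pass that records which earlier block each step reads. The function names, BLAKE2b as the mixing function, the 64-block size, the salt and the sample passwords are all assumptions made for the illustration.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """Mixing function for the toy model (assumption: BLAKE2b, 32-byte output)."""
    return hashlib.blake2b(b"".join(parts), digest_size=32).digest()

def fill(password: bytes, salt: bytes, mode: str, n: int = 64):
    """Toy single-pass memory fill. Returns (tag, trace); trace[k] is the index
    of the earlier block read while computing block k + 2."""
    if mode not in ("i", "d", "id"):
        raise ValueError("mode must be 'i', 'd' or 'id'")
    blocks = [h(b"\x00", password, salt), h(b"\x01", password, salt)]
    trace = []
    for i in range(2, n):
        # "i": every address is independent of the password.
        # "id": only the first half of the pass is independent.
        independent = mode == "i" or (mode == "id" and i < n // 2)
        if independent:
            seed = h(b"addr", i.to_bytes(4, "little"))  # public counter only
        else:
            seed = blocks[i - 1]                         # password-derived data
        ref = int.from_bytes(seed[:4], "little") % (i - 1)  # a block before i - 1
        trace.append(ref)
        blocks.append(h(blocks[i - 1], blocks[ref]))
    return blocks[-1], trace

def diverging_steps(mode, pw_a, pw_b, salt=b"constructed-salt", n=64):
    """Block indices at which the two passwords cause different addresses to be read."""
    _, trace_a = fill(pw_a, salt, mode, n)
    _, trace_b = fill(pw_b, salt, mode, n)
    return [k + 2 for k, (a, b) in enumerate(zip(trace_a, trace_b)) if a != b]

if __name__ == "__main__":
    # Constructed sample passwords; the address trace stands in for what a
    # cache-timing observer on the same machine could measure.
    for mode in ("i", "d", "id"):
        steps = diverging_steps(mode, b"hunter2", b"correct horse")
        print(f"mode {mode:>2}: {len(steps)} password-dependent reads, first at {steps[:1]}")
```

In mode `i` the address trace is identical for every password, so observing it reveals nothing; in mode `d` the trace differs between passwords, and in mode `id` it differs only in the second half of the pass.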