Balloon hashing

From Wikipedia, the free encyclopedia

Balloon hashing is a key derivation function presenting proven memory-hard password-hashing and modern design. It was created by Dan Boneh, Henry Corrigan-Gibbs (both at Stanford University) and Stuart Schechter (Microsoft Research) in 2016.[1][2] It is a recommended function in NIST password guidelines.[3]

The authors claim that Balloon:

Balloon is compared by its authors with Argon2, a similarly performing algorithm.[1]


There are three steps in the algorithm:[1]

  1. Expansion, where an initial buffer is filled with a pseudorandom byte sequence derived from the password and salt repeatedly hashed.
  2. Mixing, where the bytes in the buffer are mixed time_cost number of times.
  3. Output, where a portion of the buffer is taken as the hashing result.


  1. ^ a b c Boneh, Dan; Corrigan-Gibbs, Henry; Schechter, Stuart (2016-01-11). "Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks". ePrint. 2016 (27). Retrieved 2019-09-03.
  2. ^ "Balloon Hashing". Stanford Applied Crypto Group. Stanford University. Retrieved 2019-09-03.
  3. ^ NIST SP800-63B Section

External links[edit]