The Password Hashing Competition (PHC) was an open competition, run from 2013 to 2015, to develop and select modern password hashing algorithms capable of resisting brute-force attacks, hardware-accelerated cracking on GPUs, FPGAs and ASICs, side-channel attacks, and time-memory trade-off (TMTO) attacks, thereby establishing a new standard for protecting stored passwords in light of escalating computational threats.[1][2]
Initiated in the fall of 2012 by cryptographer Jean-Philippe Aumasson and a panel of experts, the PHC drew inspiration from prior cryptographic standardization efforts such as the AES and SHA-3 competitions. It addressed the inadequacies of legacy password hashing methods such as Unix crypt and MD5-based schemes, and the limitations of bcrypt and PBKDF2, whose small memory footprint lets an attacker run thousands of guesses in parallel on commodity GPUs and custom hardware.[3][2] The competition's primary goals included creating schemes that are memory-hard, requiring a large amount of random-access memory to compute so that every parallel guess on an attacker's hardware is correspondingly expensive, while ensuring cryptographic security (preimage resistance, second-preimage resistance, and collision resistance), simplicity of implementation, and configurable time, memory, and parallelism parameters.[1][2]
A call for submissions was issued in the first quarter of 2013 with a deadline of March 31, 2014, resulting in 24 proposals from international researchers.[1] In December 2014, nine algorithms were shortlisted as finalists, including battcrypt, Catena, Lyra2, and yescrypt.[1] The evaluation emphasized security analysis, performance benchmarks across hardware platforms, and resistance to known attack vectors, and culminated in the announcement of Argon2 as the winner on July 20, 2015, with four other finalists receiving special recognition for innovative features.[1][2]
Designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich, Argon2 is a family of memory-hard functions built on the BLAKE2b hash, with two main variants: Argon2d, whose data-dependent memory access gives the strongest resistance to GPU-based cracking but can leak information about the password through memory-access timing (suited to backend servers and proof-of-work, where no untrusted party can observe the computation), and Argon2i, whose data-independent access pattern (recommended with at least three passes) resists side-channel attacks (suited to key derivation and password hashing on shared machines).[2] A hybrid variant, Argon2id, was later added and is now recommended for general-purpose use because it combines both protections.[4] The PHC's outcomes have significantly influenced industry practice: Argon2 was specified in RFC 9106 (2021), is recommended by bodies such as OWASP over older algorithms, and is integrated into libraries such as libsodium, promoting its adoption for secure password storage in applications ranging from web services to cryptographic protocols.[1][2][5]
Background
Password Hashing Challenges
Legacy password hashing built on fast general-purpose hashes such as MD5 and SHA-1, and even iterated constructions such as PBKDF2, has proven highly vulnerable to brute-force attacks leveraging modern hardware like graphics processing units (GPUs) and application-specific integrated circuits (ASICs). These functions need almost no working memory, so thousands of cores can compute candidate hashes simultaneously without contending for any scarce resource, drastically reducing the time needed to crack weak or common passwords. For instance, one published estimate put the hardware cost of brute-forcing a 10-character password hashed with PBKDF2-HMAC-SHA-256 at a 100 ms work factor at roughly $160 million, with a single MD5 invocation costing far less, whereas a memory-hard function at comparable latency was estimated to cost the attacker far more.[6]
The early 2010s marked a surge in hardware-accelerated attacks, exemplified by the 2012 LinkedIn data breach. About 6.5 million unsalted SHA-1 password hashes were posted publicly in June 2012, and the full set of roughly 117 million surfaced in 2016; both were cracked rapidly with GPU rigs computing billions of SHA-1 hashes per second. Because the hashes were unsalted, identical passwords produced identical hashes and precomputed tables applied directly, so common passwords fell almost instantly, with "123456" alone appearing hundreds of thousands of times. This era saw GPU-based cracking tools proliferate, letting attackers test billions of candidates per second at relatively low cost, far outpacing the defenses of low-memory functions.[7]
To counter these threats, modern password hashing schemes must incorporate memory-hardness, which enforces substantial RAM usage during computation to inflate attacker hardware cost: memory is expensive in chip area and bandwidth, so each parallel guess occupies a large time-area product and the number of guesses per second per dollar drops.
Additional requirements include resistance to side-channel attacks, such as cache-timing leaks, through data-independent memory access patterns, and tunable parameters that allow adjustable trade-offs between computation time, memory usage, and parallelism to suit diverse security needs. Prior efforts like scrypt, introduced in 2009, pioneered memory-hard designs to deter GPU and ASIC optimizations, but scrypt's password-dependent memory accesses leak timing information and admit time-memory trade-offs, and scrypt ASICs appeared in 2013-2014 once cryptocurrency mining deployed it with small memory parameters, showing that the intended cost barrier holds only for the parameters a deployer actually sets.[6][2][4]
These escalating challenges in password hashing security prompted the launch of the Password Hashing Competition in 2013 to solicit and standardize more robust alternatives.[2]
Initiation of the Competition
In the fall of 2012, Jean-Philippe Aumasson, a cryptographer at Kudelski Security, proposed creating a new standard for password hashing through a public competition, inspired by previous cryptographic contests such as those for AES and SHA-3.[8][1]
This initiative led to the formation of the Password Hashing Competition (PHC) panel, a group of experts from industry, academia, and government including Aumasson, Tony Arcieri, Dmitry Chestnykh, Jeremi Gosney, Matthew Green, and Peter Gutmann, among others.[1][8]
The primary goal of the PHC was to identify one or more memory-hard functions able to resist parallel attacks from hardware such as GPUs and ASICs, while promoting open-source designs and fostering rigorous community review to ensure security and practicality.[1][8]
The competition was announced in early 2013 through public forums and cryptography mailing lists, such as the crypt-dev list, inviting submissions of innovative password-hashing schemes.[9][8]
Competition Process
Call for Submissions and Rules
The Password Hashing Competition (PHC) issued its call for submissions in the first quarter of 2013, inviting cryptographers to propose memory-hard password hashing schemes designed to resist brute-force attacks on specialized hardware.[1] Submissions were required to include open-source reference implementations written in portable C or C++ exposing a common C API, ensuring simplicity, readability, and royalty-free licensing to promote widespread adoption.[10] Additionally, participants had to provide a cover sheet with the scheme's name and submitter information, a comprehensive specification document, an initial security and efficiency analysis, test vectors covering all byte values from 0 to 255, and an intellectual property statement affirming the absence of patents or proprietary elements.[10]
The core evaluation criteria emphasized four properties. Robustness required resistance to cryptographic weaknesses such as length-extension attacks and to side-channel attacks such as timing or cache attacks, together with minimal efficiency gains for crackers using GPUs, ASICs, or FPGAs compared to standard CPUs.[10] Efficiency meant balanced computational and memory costs that are tunable yet practical for mainstream software, while limiting the advantage of hardware-accelerated attacks.[10] Flexibility mandated support for variable-length passwords (up to 128 bytes), a 128-bit (16-byte) salt, and adjustable cost parameters for time and memory, with optional features such as personalization strings.[10] Versatility aimed for schemes applicable across diverse scenarios, including interactive logins, key derivation, and innovative server-side protections against online attacks.[10]
The evaluation process involved a public review phase in which accepted submissions were posted on the PHC website for community scrutiny, followed by cryptanalysis conducted by both the open cryptographic community and the PHC committee.[10] This open approach, inspired by prior standards competitions, encouraged diverse feedback to identify flaws early, with the committee ultimately shortlisting finalists based on security arguments, performance benchmarks, and overall suitability.[10]
Timeline
The Password Hashing Competition (PHC) officially began in the first quarter of 2013, when the call for submissions was published by organizer Jean-Philippe Aumasson, inviting cryptographers to propose new password hashing schemes.[1]
The submission period closed on March 31, 2014, with 24 entries received from participants worldwide.[11]
Following the deadline, the submissions entered a phase of intensive public review and cryptanalysis throughout 2014, involving discussions on dedicated mailing lists and evaluations by the expert panel and the broader cryptography community.[12]
On December 8, 2014, the panel announced the selection of nine finalists after an initial screening that assessed security, simplicity, and other criteria.[12]
The competition concluded on July 20, 2015, with the announcement of the winner and special recognitions for four additional schemes.[1]
Submissions
Overview of Submissions
The Password Hashing Competition received a total of 24 submissions by the deadline on March 31, 2014, contributed by individual researchers and collaborative teams from various countries worldwide.[1] These entries represented a broad spectrum of cryptographic innovation, with participants from academic institutions, industry, and independent experts seeking to address the limitations of existing password hashing functions.[13]
The submissions demonstrated considerable diversity in their architectural approaches, including graph-based constructions that leveraged structured data dependencies, permutation-based methods for enhancing diffusion and resistance to parallelization, and designs incorporating data-dependent memory access patterns to complicate attacker optimizations.[13] For instance, some proposals utilized graph structures to enforce sequential memory access, while others employed randomized permutations to mitigate time-memory trade-off attacks. This variety reflected the community's recognition of the need for adaptable solutions across different computational environments, from low-resource devices to high-performance servers.[13]
A unifying theme among the submissions was the focus on memory-hardness as a core defense mechanism against hardware-accelerated attacks, such as those using GPUs or ASICs.[13] Many designs drew on theoretical models like pebbling to prove lower bounds on memory usage during computation, ensuring that brute-force attempts would require substantial resources proportional to the intended security level.[13] This emphasis aimed to elevate the cost of parallelized cracking while maintaining reasonable performance for legitimate users.
During the initial review phase, two submissions, Catfish and M3lcrypt, were withdrawn by their authors due to discovered flaws, leaving 22 active candidates for further evaluation.[12] From this pool, nine were selected as finalists to advance to the next stage of the competition.[12]
Finalists
In December 2014, the Password Hashing Competition (PHC) panel announced nine finalists selected from the initial submissions, based on their potential to address key security challenges in password hashing, including resistance to time-memory trade-off (TMTO) attacks, side-channel vulnerabilities, and hardware-accelerated attacks using GPUs or ASICs.[12] These schemes were shortlisted after preliminary reviews for their elegance, documentation quality, originality, and overall soundness, though none were deemed flawless at that stage.[12] The selection process emphasized schemes that balanced security with practical efficiency, paving the way for deeper community cryptanalysis extending into mid-2015.[12][13]
The finalists included:
Argon: Designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich, this scheme employs AES as its sole external primitive and provides robust TMTO resistance through data-dependent memory access patterns, making it suitable for high-security environments.[12]
battcrypt: Submitted by Steve Thomas, it features a simple, PHP-optimized design built around Blowfish, prioritizing ease of implementation while offering basic memory-hardness properties for server-side use.[12]
Catena: Developed by Christian Forler, Stefan Lucks, and Jakob Wenzel, this modular framework comes with a proof of security and emphasizes resistance to side-channel and TMTO attacks through password-independent memory access over bit-reversal and double-butterfly graph structures.[12]
Lyra2: Created by Marcos A. Simplicio Jr., Leonardo C. Almeida, Ewerton R. Andrade, Paulo C. F. dos Santos, and Paulo S. L. M. Barreto, it uses a sponge-based construction with a single external primitive (BLAKE2), providing an elegant approach to sequential memory-hardness for enhanced security against parallel attacks.[12]
Makwa: Proposed by Thomas Pornin, this unique scheme supports delegation, offloading most of the expensive computation to an untrusted server without revealing the password, and includes thorough analysis against known attacks, distinguishing it for deployments in which the verifier has little computing power.[12]
Parallel: Also by Steve Thomas, this minimalistic PBKDF2 variant focuses on low-memory scenarios by differentiating sequential and parallel computational costs, aiming for versatility in resource-constrained devices.[12]
POMELO: Designed by Hongjun Wu, it avoids external primitives entirely and incorporates partial mitigations against cache-timing attacks, offering a lightweight, self-contained option for embedded systems.[12]
Pufferfish: Submitted by Jeremi Gosney, this enhances the bcrypt family with improved GPU resistance and 64-bit optimizations, building on established designs to boost performance without sacrificing core security principles.[12]
yescrypt: Developed by Alexander Peslyak, it extends the scrypt algorithm with modular enhancements for better performance ratios and resistance to hardware attacks, leveraging proven memory-hardness techniques for broad applicability.[12]
These schemes underwent intensive scrutiny by the cryptographic community during the subsequent phase, focusing on their robustness under diverse attack models.[13]
Results
Winner: Argon2
Argon2 is a memory-hard function designed for password hashing and proof-of-work applications, developed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich of the University of Luxembourg.[1] It was selected as the winner of the Password Hashing Competition (PHC) in July 2015, recognized for addressing the key challenges of secure password storage by balancing computational cost, memory usage, and resistance to parallel attacks.[1]
At its core, Argon2 fills an array of 1024-byte memory blocks with pseudorandom values derived from the password, salt, and other inputs; each new block is computed from the previous block and a reference block chosen among those already filled, so an attacker who stores less memory must recompute blocks instead. The function has two primary modes: Argon2d, which selects reference blocks using the contents of the previous block (data-dependent addressing) to maximize resistance against GPU and ASIC cracking, and Argon2i, which derives the reference indices from the block position alone (data-independent addressing) so that timing or cache side channels reveal nothing about the password. Both modes support variable output lengths, and a single hash computation cannot be sped up by adding processing units beyond its configured parallelism. The compression function G takes two 1024-byte blocks, XORs them, and applies a permutation P, built from the BLAKE2b round function with an extra 32-bit multiplication folded into each addition to increase latency on custom hardware, first to each of the 8 rows and then to each of the 8 columns of the block viewed as an 8x8 grid of 16-byte registers, and finally XORs the result with the XOR of the inputs; BLAKE2b itself is used only to derive the initial blocks and the final tag.
Tunable parameters customize its behavior: time cost t (number of passes over memory, from 1 to 2³²-1), memory cost m (in kibibytes, i.e. the number of 1-KiB blocks, from 8p to 2³²-1), and parallelism degree p (number of lanes, from 1 to 2²⁴-1), enabling administrators to adjust security levels to the resources available.
Argon2's selection as the PHC winner stemmed from its overall performance in resisting GPU-accelerated attacks, demonstrated through its memory-hard design that forces attackers to allocate substantial RAM per attempt, alongside the side-channel protection of the Argon2i variant and versatile applicability across threat models.[1] The scheme's clean, efficient architecture also provided practical advantages, such as C89-compliant reference implementations optimized for x86, ARM, and multiple operating systems, without relying on platform-specific features. To address the trade-off between the two modes, a hybrid variant called Argon2id was later introduced: it uses data-independent addressing for the first two slices of the first pass (to resist side-channel attacks) and data-dependent addressing for the remainder (to bolster resistance to trade-off attacks on GPUs), offering broader security for general password hashing use.
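The compression function G described above, transcribed into Python as an added example (it is not the page's or the Argon2 project's code; the reference implementation is in C). Blocks are 128 little-endian 64-bit words, `_gb` is BLAKE2b's G with the extra multiplication, and `permutation_p` is one BLAKE2b round over 16 words. Computing a full Argon2 hash additionally needs the reference-block indexing rules, the variable-length hash H' and the lane/slice scheduling, none of which are shown here.

```python
"""Argon2's compression function G, written out from the specification (RFC 9106,
Section 3.5) to show its structure. Added example, not reference code."""
import struct

MASK64 = (1 << 64) - 1
BLOCK_BYTES = 1024          # one Argon2 block = 128 words of 64 bits


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (64 - n))) & MASK64


def _gb(v: list, a: int, b: int, c: int, d: int) -> None:
    """BLAKE2b's G mixing function as modified in Argon2: every addition also
    adds 2 * lo32(x) * lo32(y), so a hardware implementation pays for a 32-bit
    multiplier on the critical path (the "BlaMka" construction)."""
    def mix(x, y):
        return (x + y + 2 * (x & 0xFFFFFFFF) * (y & 0xFFFFFFFF)) & MASK64
    v[a] = mix(v[a], v[b]); v[d] = _rotr(v[d] ^ v[a], 32)
    v[c] = mix(v[c], v[d]); v[b] = _rotr(v[b] ^ v[c], 24)
    v[a] = mix(v[a], v[b]); v[d] = _rotr(v[d] ^ v[a], 16)
    v[c] = mix(v[c], v[d]); v[b] = _rotr(v[b] ^ v[c], 63)


def permutation_p(v: list) -> None:
    """One BLAKE2b round in place over 16 words (8 registers of 16 bytes):
    four column steps followed by four diagonal steps."""
    _gb(v, 0, 4, 8, 12); _gb(v, 1, 5, 9, 13); _gb(v, 2, 6, 10, 14); _gb(v, 3, 7, 11, 15)
    _gb(v, 0, 5, 10, 15); _gb(v, 1, 6, 11, 12); _gb(v, 2, 7, 8, 13); _gb(v, 3, 4, 9, 14)


def compress_g(x: bytes, y: bytes) -> bytes:
    """G(X, Y): R = X xor Y; apply P to each row, then to each column, of R
    viewed as an 8x8 grid of 16-byte registers; output Z xor R."""
    if len(x) != BLOCK_BYTES or len(y) != BLOCK_BYTES:
        raise ValueError("Argon2 blocks are exactly 1024 bytes")
    r = [a ^ b for a, b in zip(struct.unpack("<128Q", x), struct.unpack("<128Q", y))]
    q = list(r)
    # Row i holds registers 8i..8i+7, i.e. words 16i..16i+15.
    for i in range(8):
        row = q[16 * i:16 * i + 16]
        permutation_p(row)
        q[16 * i:16 * i + 16] = row
    # Column j holds registers j, j+8, ..., j+56, i.e. word pairs (16k+2j, 16k+2j+1).
    z = list(q)
    for j in range(8):
        idx = [16 * k + 2 * j + off for k in range(8) for off in (0, 1)]
        col = [z[i] for i in idx]
        permutation_p(col)
        for i, w in zip(idx, col):
            z[i] = w
    return struct.pack("<128Q", *(zi ^ ri for zi, ri in zip(z, r)))


if __name__ == "__main__":
    sample = bytes(range(256)) * 4          # constructed 1024-byte input
    print(compress_g(sample, bytes(BLOCK_BYTES)).hex()[:64])
```

Because G starts by XORing its two inputs, G(X, Y) = G(Y, X) and G(0, 0) is the all-zero block; these identities are cheap sanity checks when porting, but conformance can only be established with the RFC 9106 test vectors, which exercise the whole algorithm.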
Special Recognitions
On July 20, 2015, alongside the announcement of Argon2 as the winner, the Password Hashing Competition organizers awarded special recognition to four finalist schemes, Catena, Lyra2, yescrypt, and Makwa, for their innovative contributions to password hashing design, though none advanced to overall victory.[14][1]
Catena, designed by Christian Forler, Stefan Lucks, and Jakob Wenzel, received recognition for its agile framework that allows flexible instantiation of variants and its strong resistance to side-channel attacks.[11][14] Lyra2, developed by Marcos A. Simplicio Jr., Leonardo C. Almeida, Ewerton R. Andrade, Paulo C. F. dos Santos, and Paulo S. L. M. Barreto, was noted for its elegant sponge-based construction, which enhances memory hardness, and its alternative method for addressing side-channel vulnerabilities.[11][14]
yescrypt, created by Alexander Peslyak, earned special mention as an improved iteration of scrypt that keeps scrypt's Salsa20/8 core and adds a CPU-friendly mixing function to bolster resistance against ASIC-based attacks, while remaining compatible with upgrades from existing scrypt deployments.[11][14] Makwa, authored by Thomas Pornin, was highlighted for its distinctive delegation capability, enabling secure offloading of computation to an untrusted party, and its number-theoretic approach, which derives its cost from repeated squaring modulo a large RSA-like composite.[11][14]
These schemes were praised for specific strengths, such as Catena's provable resistance to time-memory trade-off attacks and yescrypt's optional large read-only memory (ROM) that every verifying host must possess, making them suitable for niche applications despite not securing the top position.[14][1]
Legacy and Adoption
Standardization Efforts
Following the Password Hashing Competition (PHC), the winner Argon2 underwent formal standardization to facilitate its adoption in cryptographic protocols. In September 2021, RFC 9106 was published as an Informational RFC from the Internet Research Task Force's Crypto Forum Research Group (CFRG), specifying version 1.3 of Argon2 as a memory-hard function suitable for password hashing and proof-of-work applications.[5] It recommends the Argon2id variant as the primary option, with a first parameter set of one pass (t=1), four lanes of parallelism (p=4), and 2 GiB of memory (m=2^21 KiB), alongside a 128-bit salt and a 256-bit output tag, to balance security against side-channel and GPU-based attacks.[5] A second recommended set, for environments that cannot spare that much memory, uses three passes (t=3) with the same parallelism and salt/tag lengths but only 64 MiB of memory (m=2^16 KiB).[5]
The Argon2 specification evolved after the PHC to address identified issues and enhance security. Version 1.3, finalized in December 2015, introduced the optional hybrid mode Argon2id (data-independent addressing for the first half of the first pass, data-dependent thereafter) to combine trade-off resistance with side-channel resistance, changed the second and later passes to XOR new blocks into the existing ones rather than overwrite them, which closed a time-memory trade-off attack on Argon2i, and increased the maximum number of blocks to 2^32 - 1 for scalability.[4] These refinements over earlier versions (e.g., v1.2.1) were incorporated into RFC 9106 to promote consistent implementation across systems.[4][5]
Argon2's PHC origins have influenced broader standards bodies.
The National Institute of Standards and Technology (NIST) referenced Argon2 in its December 2022 initial public draft of SP 800-63B-4 (Digital Identity Guidelines: Authentication and Lifecycle Management), citing it as an example of a suitable memory-hard, compute-intensive password hashing scheme for storing memorized secrets, but the final version published on July 31, 2025, does not include this reference.[15][16] Public comments on NIST SP 800-132 (Recommendation for Password-Based Key Derivation) from February 2023 explicitly urged inclusion of Argon2, highlighting its selection as the PHC winner to strengthen federal guidelines against brute-force attacks. As of November 2025, NIST SP 800-132 remains under revision, with ongoing consideration of including Argon2 based on public comments.[17][18]
Standardization efforts extended to PHC schemes receiving special recognition, such as yescrypt, which builds on scrypt for enhanced memory-hardness and has been integrated into password hashing frameworks in multiple operating systems. For instance, yescrypt is supported by the crypt(3) implementation libxcrypt used by Linux distributions such as Ubuntu, Debian, and Fedora, enabling scalable passphrase protection without formal IETF RFC status but through community-driven refinements.[19]
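The parameter bounds given in the Argon2 section (t, m and p ranges) and the recommended parameter sets above (RFC 9106's two sets and, further down, OWASP's minimum) are easiest to apply to hashes already in a database if the stored strings can be parsed. The following is an added example, not code from the page, RFC 9106 or any library: it parses the `$argon2id$v=19$m=...,t=...,p=...$<salt>$<tag>` encoding produced by the Argon2 reference implementation and libsodium (base64 without padding; the `v=` field is absent in pre-1.3 encodings), checks the RFC 9106 bounds, and decides whether a stored hash should be recomputed. Treating a profile's m and t as minimums, ignoring p, and requiring Argon2id version 0x13 are this example's own policy choices.

```python
"""Parse, bound-check and policy-check Argon2 hashes in their encoded string form.
Added example; the encoding is the reference implementation's, the bounds are
RFC 9106's, the rehash policy is this example's assumption."""
import base64
import re
from dataclasses import dataclass

ARGON2_VERSION = 0x13   # "v=19": Argon2 version 1.3, the version RFC 9106 specifies


@dataclass(frozen=True)
class Argon2Params:
    variant: str        # "argon2d", "argon2i" or "argon2id"
    version: int
    m_kib: int          # memory cost in KiB (number of 1 KiB blocks)
    t: int              # passes over memory
    p: int              # lanes (degree of parallelism)
    salt: bytes
    tag: bytes


def _b64decode_nopad(s: str) -> bytes:
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _b64encode_nopad(b: bytes) -> str:
    return base64.b64encode(b).decode().rstrip("=")


_PARAM_RE = re.compile(r"^m=(\d+),t=(\d+),p=(\d+)$")


def parse_argon2(encoded: str) -> Argon2Params:
    parts = encoded.split("$")
    # A leading "" comes from the initial "$"; the version field is optional.
    if len(parts) not in (5, 6) or parts[0] != "":
        raise ValueError("not an Argon2 encoded hash")
    variant = parts[1]
    if variant not in ("argon2d", "argon2i", "argon2id"):
        raise ValueError(f"unknown variant {variant!r}")
    if len(parts) == 6:
        if not parts[2].startswith("v="):
            raise ValueError("malformed version field")
        version = int(parts[2][2:])
        params, salt_b64, tag_b64 = parts[3], parts[4], parts[5]
    else:
        version = 0x10                      # encodings without v= are version 1.0
        params, salt_b64, tag_b64 = parts[2], parts[3], parts[4]
    m = _PARAM_RE.match(params)
    if not m:
        raise ValueError("malformed parameter field")
    m_kib, t, p = (int(g) for g in m.groups())
    return Argon2Params(variant, version, m_kib, t, p,
                        _b64decode_nopad(salt_b64), _b64decode_nopad(tag_b64))


def encode_argon2(prm: Argon2Params) -> str:
    return (f"${prm.variant}$v={prm.version}$m={prm.m_kib},t={prm.t},p={prm.p}"
            f"${_b64encode_nopad(prm.salt)}${_b64encode_nopad(prm.tag)}")


def validate_bounds(prm: Argon2Params) -> None:
    """Reject parameters outside the ranges RFC 9106 permits."""
    if not 1 <= prm.p <= 2**24 - 1:
        raise ValueError("p must be in [1, 2^24-1]")
    if not 8 * prm.p <= prm.m_kib <= 2**32 - 1:
        raise ValueError("m must be in [8p, 2^32-1] KiB")
    if not 1 <= prm.t <= 2**32 - 1:
        raise ValueError("t must be in [1, 2^32-1]")
    if len(prm.salt) < 8:
        raise ValueError("salt must be at least 8 bytes (16 recommended)")
    if len(prm.tag) < 4:
        raise ValueError("tag must be at least 4 bytes (32 recommended)")


# Profiles taken from the page: RFC 9106's two recommendations and OWASP's minimum.
PROFILES = {
    "rfc9106-first":  {"m_kib": 2**21, "t": 1, "p": 4},
    "rfc9106-second": {"m_kib": 2**16, "t": 3, "p": 4},
    "owasp-minimum":  {"m_kib": 19 * 1024, "t": 2, "p": 1},
}


def needs_rehash(encoded: str, profile: str = "owasp-minimum") -> bool:
    """True if the stored hash should be recomputed at the user's next login:
    not Argon2id, not version 1.3, or memory/passes below the chosen profile.
    p is deliberately not compared (assumption): lanes are picked for the
    verifier's hardware, and the m bound already scales with p."""
    prm = parse_argon2(encoded)
    validate_bounds(prm)
    want = PROFILES[profile]
    if prm.variant != "argon2id" or prm.version != ARGON2_VERSION:
        return True
    return prm.m_kib < want["m_kib"] or prm.t < want["t"]
```

Running `needs_rehash` over every row of a credential table (without passwords) gives an inventory of how many accounts still carry weak or legacy parameters; the actual upgrade can only happen when each user next presents the plaintext.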
Implementation in Software
Argon2, the winner of the Password Hashing Competition, has seen widespread integration into prominent software libraries and languages, facilitating its use for secure password storage. The libsodium cryptography library added Argon2i in 2016 and Argon2id in 2017, and its high-level crypto_pwhash API has since defaulted to Argon2id across platforms. PHP introduced native support for Argon2i through its password_hash function in version 7.2 (late 2017) and added Argon2id, selectable as PASSWORD_ARGON2ID, in version 7.3 (2018). For JavaScript environments, Node.js has mature bindings such as node-argon2 and @node-rs/argon2.
As of 2025, Argon2's adoption extends to platform guidelines, underscoring its role as a de facto standard for password protection. It is available as a system library (libargon2) on major Linux distributions, and OWASP's Password Storage Cheat Sheet recommends Argon2id first, with minimum parameters of 19 MiB of memory, 2 iterations, and a parallelism degree of 1. Services such as Cloudflare have used Argon2 in their Workers platform for serverless password hashing, and numerous public repositories show its use in production applications. RFC 9106 has streamlined its incorporation into these environments.
Other PHC-recognized schemes have found niche implementations in specialized software. yescrypt, awarded special recognition for its adaptive security features, is supported by the crypt(3) implementation libxcrypt used by Linux distributions such as Ubuntu, Debian, and Fedora, and is the default hash for new local account passwords on recent releases of those distributions, enhancing resistance to GPU-based attacks. Lyra2, recognized for its sponge-based design, is used as the proof-of-work hash (in the Lyra2RE and Lyra2REv2 variants) by cryptocurrencies such as Vertcoin and Monacoin, where its tunable memory cost is meant to limit the advantage of specialized mining hardware.
Despite its advantages, implementing Argon2 presents challenges, particularly in parameter tuning to balance performance and security. Developers must adjust memory cost (e.g., 64-128 MiB), time cost (2-5 passes), and parallelism (typically 1-4) to resist brute-force attacks without excessive latency. Verification time grows roughly in proportion to memory cost times passes, so settings tuned on a developer workstation can degrade responsiveness on resource-constrained servers, and the memory consumed by concurrent verifications must fit the peak login rate. Migration from legacy algorithms like bcrypt adds complexity: because the plaintext is available only when a user logs in, the usual approach is hybrid verification during the transition, checking the stored bcrypt hash on login and re-hashing with Argon2 on success, which requires both hash formats to coexist in the credential store and careful testing to avoid lockouts.
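The rehash-on-login migration just described, as an added example that is not code from the page or from any library. Argon2 is not in Python's standard library, so hashlib.scrypt (memory-hard, from the same lineage as the PHC designs) stands in for the Argon2id target and PBKDF2-HMAC-SHA256 stands in for the legacy bcrypt column; with argon2-cffi the same flow uses PasswordHasher.hash(), .verify() and .check_needs_rehash(). The self-describing record format and the in-memory user table are constructed for the example.

```python
"""Verify against whatever hash is stored, then upgrade the record in place.
Added example with stdlib stand-ins (scrypt for Argon2id, PBKDF2 for bcrypt)."""
import base64
import hashlib
import hmac
import os

# Target parameters: N=2^14, r=8, p=1 uses 128*N*r = 16 MiB of memory per hash.
TARGET = {"n": 2**14, "r": 8, "p": 1}
MAXMEM = 2**26              # let OpenSSL allocate up to 64 MiB for one scrypt call
LEGACY_ITERATIONS = 100_000


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def _unb64(s: str) -> bytes:
    return base64.b64decode(s)


def hash_legacy(password: str, salt: bytes = b"") -> str:
    """The 'old' scheme: PBKDF2-HMAC-SHA256 in a self-describing string,
    playing the role bcrypt's $2b$ strings would play in a real migration."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, LEGACY_ITERATIONS, 32)
    return f"$pbkdf2-sha256${LEGACY_ITERATIONS}${_b64(salt)}${_b64(dk)}"


def hash_target(password: str, salt: bytes = b"", **params) -> str:
    """The 'new' memory-hard scheme (scrypt standing in for Argon2id)."""
    prm = {**TARGET, **params}
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=prm["n"], r=prm["r"],
                        p=prm["p"], maxmem=MAXMEM, dklen=32)
    return f"$scrypt$n={prm['n']},r={prm['r']},p={prm['p']}${_b64(salt)}${_b64(dk)}"


def _scrypt_params(field: str) -> dict:
    return {k: int(v) for k, v in (item.split("=") for item in field.split(","))}


def verify(stored: str, password: str) -> bool:
    """Dispatch on the prefix, so old and new records coexist in one column."""
    _, scheme, params, salt_b64, dk_b64 = stored.split("$")
    salt, expected = _unb64(salt_b64), _unb64(dk_b64)
    if scheme == "pbkdf2-sha256":
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(params), 32)
    elif scheme == "scrypt":
        kv = _scrypt_params(params)
        got = hashlib.scrypt(password.encode(), salt=salt, n=kv["n"], r=kv["r"],
                             p=kv["p"], maxmem=MAXMEM, dklen=32)
    else:
        return False                       # unknown scheme: never accept
    return hmac.compare_digest(got, expected)   # constant-time comparison


def needs_upgrade(stored: str) -> bool:
    """Legacy scheme, or target scheme with parameters below current policy."""
    _, scheme, params, _, _ = stored.split("$")
    if scheme != "scrypt":
        return True
    kv = _scrypt_params(params)
    return kv["n"] < TARGET["n"] or kv["r"] < TARGET["r"]


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate, and on success rewrite the record with the target scheme.
    The plaintext exists only during this call, which is why migration lives here."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if needs_upgrade(stored):
        users[username] = hash_target(password)   # real systems: update under the row's lock
    return True


if __name__ == "__main__":
    users = {"alice": hash_legacy("correct horse battery staple")}   # constructed table
    print(login(users, "alice", "wrong"), users["alice"][:15])       # False, still legacy
    print(login(users, "alice", "correct horse battery staple"), users["alice"][:8])
```

Accounts that never log in keep their legacy hash indefinitely; a full cut-over therefore needs a deadline after which remaining legacy rows are invalidated and those users go through password reset, and the inventory query for that decision is the `needs_upgrade` check run over the table.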