Some clarifications due to the increased attention to the paper by Alwen
and Blocki, which has been presented at the recent Eurocrypt CFRG meeting.

1. One of security parameters of memory-hard password hashing functions is
how much an ASIC attacker can reduce the area-time product (AT) of a
password cracker implemented on ASIC. The AT is conjectured to be
proportional to the amortized cracking cost per password.

2. The memory-hard functions with input-independent memory access (such as
Argon2i) have been known for its relatively larger AT-reduction factor
compared to functions with input-dependent memory access (such as Argon2d).
To mitigate this, the minimum of 3 passes over memory for Argon2i was set.

3. The best attacks on Argon2, published in the original design document in
early 2015, have factor 1.3 for Argon2d and factor 3 for Argon2i.

4. The best attack found by Alwen and Blocki has factor 2 for Argon2i.

5. In a bit more details, the advantage of the Alwen-Blocki attack is upper
bounded by (M^{1/4})/36, where M is the number of kilobytes used by
Argon2i. Thus the attack has factor 2 with memory up to 16 GB, and less
than 1 for memory up to 1 GB. Details in Section 5.6 of
https://www.cryptolux.org/images/0/0d/Argon2.pdf

Best regards,
the Argon team