Balloon hashing

Balloon hashing is a key derivation function presenting proven memory-hard password-hashing and modern design. It was created by Dan Boneh, Henry Corrigan-Gibbs (both at Stanford University) and Stuart Schechter (Microsoft Research) in 2016. It is a recommended function in NIST password guidelines.

The authors claim that Balloon:
 * has proven memory-hardness properties,
 * is built from standard primitives: it can use any standards non-space-hard cryptographic hash function as a sub-algorithm (e.g., SHA-3, SHA-512),
 * is resistant to side-channel attacks: the memory access pattern is independent of the data to be hashed,
 * is easy to implement and matches the performance of similar algorithms.

Balloon is compared by its authors with Argon2, a similarly performing algorithm.

Algorithm
There are three steps in the algorithm:
 * 1) Expansion, where an initial buffer is filled with a pseudorandom byte sequence derived from the password and salt repeatedly hashed.
 * 2) Mixing, where the bytes in the buffer are mixed time_cost number of times.
 * 3) Output, where a portion of the buffer is taken as the hashing result.