Re: [Cfrg] IRSG review of draft-irtf-cfrg-argon2-09
Dmitry Khovratovich <khovratovich@gmail.com> Wed, 25 March 2020 15:08 UTC
Return-Path: <khovratovich@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92DDA3A0C70; Wed, 25 Mar 2020 08:08:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4JbOtLkQa0zq; Wed, 25 Mar 2020 08:08:33 -0700 (PDT)
Received: from mail-qv1-xf2f.google.com (mail-qv1-xf2f.google.com [IPv6:2607:f8b0:4864:20::f2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9BD23A097A; Wed, 25 Mar 2020 08:08:32 -0700 (PDT)
Received: by mail-qv1-xf2f.google.com with SMTP id z13so1203733qvw.3; Wed, 25 Mar 2020 08:08:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WZ63p7N1M7kYb648EbqFWRokRGXgPCA6WUIOT8zheMI=; b=W5m+SvHskoPvdrOhA+nPD7yYUz65xs9eRlNLI6PnXEm8v7Be9hG21jd6G7V5Ko/biD xyZJzN3hLp+pgfUFXVBhL9W7NjxAwlUPbqR/3PZBmyI7yWa4djfAbDok5trC+mnFwqEU PZqrVAlHzYYcSaDNa1NSoTbBrx9Wxqxh3xskFlyoCA0qF0c2PI7b6UW6zzIJHCFGydut nO85p/fdHQboYGXKiQRI6+dJw3kq5lLLPf+FOwjSPye6WqCWOjADdLF/6IoqO7qXXD1o 2tyKM6kSkm/onnIqHM73E5CDx6OuZMj5y4qkZtuKSTm4i7kPAvjy4cFYm3MCv5vh/8Vd DoaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WZ63p7N1M7kYb648EbqFWRokRGXgPCA6WUIOT8zheMI=; b=RqieCt6HlfH/10sA2R/6Z0WFJq+dsuEQmJ1/aoR0BtF4HwIbTT+8t0AASQVCuwj9zg dW5wvLkJP34wm8m+XIeNFPsj0twOdhBhaQxi74BZna96vNmpbFouBU5goYxamYnhVgNZ htR/HzQ4622ILscGaoEeOfxTX3o6qGY7QpECquwyNsMqJBl2Mby5bJWN0sNiVERZkoZ3 8o8inEYTViEUddHjkl6KODR10GVI2KdYsZiK2mpBg1S6300KPeqWAGLM+zjpR74ZodoB fH+0eiTwybwcJLNjFlepCRCeHy+GbKM6CdeTHWF5G7yoiMHvdBCbA8MQ7R9onFf99rw/ ZpZA==
X-Gm-Message-State: ANhLgQ21cE4WNLbSE9N/gYSZm+8X+K9ikWORaAJevqz8whdWXySOetHv W2nhxcON5OyNxUpGvDu+f0e4OaTrdzHjaCE0lF6mSVWSZRE=
X-Google-Smtp-Source: ADFU+vsEzs0WJyFo4A1EnfnWDHQWKLg/eHSF0JSpySDUD4TKG7LIC75MMa4eaUgIyJKKeSeM53TbS68XgDnsjq/6uOM=
X-Received: by 2002:a0c:a8e2:: with SMTP id h34mr3445572qvc.22.1585148911649; Wed, 25 Mar 2020 08:08:31 -0700 (PDT)
MIME-Version: 1.0
References: <5f2c217a-60d2-83a9-f7d4-99997d5d5e65@cs.tcd.ie>
In-Reply-To: <5f2c217a-60d2-83a9-f7d4-99997d5d5e65@cs.tcd.ie>
From: Dmitry Khovratovich <khovratovich@gmail.com>
Date: Wed, 25 Mar 2020 16:08:11 +0100
Message-ID: <CALW8-7LjZjnYmm6CZEyxh=FWPTBMpsWDRm8k36XEoFJRkR=4zw@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "cfrg@irtf.org" <Cfrg@irtf.org>, "irsg@irtf.org" <irsg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000cb876b05a1af3d6a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/dLog241yQsU5MNYcnUCBaUX-T6c>
Subject: Re: [Cfrg] IRSG review of draft-irtf-cfrg-argon2-09
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2020 15:08:55 -0000
Hi Stephen, thank you so much for a detailed review. Unfortunately, I have no control nor experience with the third-party implementations you are talking about. I do not know if they allow printing so detailed test vectors. I am afraid given that they contain only-memory values, you may not see them in full in the output. On Wed, Dec 11, 2019 at 4:41 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > The issue: What is a "primary variant" and what is an > implementer supposed to do? This is given in section "Parameter Choice". - Do we know if someone has implemented from the draft and > gotten the correct result? I looked back at the cfrg list > and didn't see that anyone said they had. It'd be great if > we knew the text was good enough for that. (It looks fine > to me, but I've not tried to implement from the draft.) > > I did not check that. > Nits: > > - intro: The URL for [ARGON2ESP] gets me a 404. > That's: https://www.cryptolux.org/images/0/0d/Argon2ESP.pdf > > fixed > - intro: I don't know what "Argon2 summarizes the state of > the art" is meant to mean. Maybe you mean that argon2 is > intended to reflect the current state of the art? > > fixed > - 3.1: can the nonce/salt (S) have zero length? It looks > like that would work but be undesirable, so why not set > a non-zero minimum? (Implementations seem to do that > already, not sure if with the same minimum.) > Yes when bruteforce search is not an issue (key derivation for example). > > - 3.1: would it be better to say that the nonce needs to > appear random and not reveal anything about the password > as well as being unique-per-password? MD5(pwd) would be > (sufficiently:-) unique-per-password but would not be a > good nonce. I guess it's just about possible that an > implementer might do something that silly;-( > No, the nonce does not have to be random. It can (and actually should) be non-random but unique. In practice, it can be just User ID for many backends. > > - 3.1: are the optional K and X values considered "absent" > when they have length zero? (I guess so as the lengths are > input to H_0) It might be better to be explicit about > that. > Added. > > - 3.4: 'S' was already defined as the salt, so S = 4 for > the slices is a bit unfortunate, though not a real issue. > > Fixed > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > -- Best regards, Dmitry Khovratovich
- [Cfrg] IRSG review of draft-irtf-cfrg-argon2-09 Stephen Farrell
- Re: [Cfrg] IRSG review of draft-irtf-cfrg-argon2-… Colin Perkins
- Re: [Cfrg] IRSG review of draft-irtf-cfrg-argon2-… Dmitry Khovratovich