Re: [Cfrg] IRSG review of draft-irtf-cfrg-argon2-09

Dmitry Khovratovich <> Wed, 25 March 2020 15:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 92DDA3A0C70; Wed, 25 Mar 2020 08:08:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4JbOtLkQa0zq; Wed, 25 Mar 2020 08:08:33 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::f2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E9BD23A097A; Wed, 25 Mar 2020 08:08:32 -0700 (PDT)
Received: by with SMTP id z13so1203733qvw.3; Wed, 25 Mar 2020 08:08:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WZ63p7N1M7kYb648EbqFWRokRGXgPCA6WUIOT8zheMI=; b=W5m+SvHskoPvdrOhA+nPD7yYUz65xs9eRlNLI6PnXEm8v7Be9hG21jd6G7V5Ko/biD xyZJzN3hLp+pgfUFXVBhL9W7NjxAwlUPbqR/3PZBmyI7yWa4djfAbDok5trC+mnFwqEU PZqrVAlHzYYcSaDNa1NSoTbBrx9Wxqxh3xskFlyoCA0qF0c2PI7b6UW6zzIJHCFGydut nO85p/fdHQboYGXKiQRI6+dJw3kq5lLLPf+FOwjSPye6WqCWOjADdLF/6IoqO7qXXD1o 2tyKM6kSkm/onnIqHM73E5CDx6OuZMj5y4qkZtuKSTm4i7kPAvjy4cFYm3MCv5vh/8Vd DoaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WZ63p7N1M7kYb648EbqFWRokRGXgPCA6WUIOT8zheMI=; b=RqieCt6HlfH/10sA2R/6Z0WFJq+dsuEQmJ1/aoR0BtF4HwIbTT+8t0AASQVCuwj9zg dW5wvLkJP34wm8m+XIeNFPsj0twOdhBhaQxi74BZna96vNmpbFouBU5goYxamYnhVgNZ htR/HzQ4622ILscGaoEeOfxTX3o6qGY7QpECquwyNsMqJBl2Mby5bJWN0sNiVERZkoZ3 8o8inEYTViEUddHjkl6KODR10GVI2KdYsZiK2mpBg1S6300KPeqWAGLM+zjpR74ZodoB fH+0eiTwybwcJLNjFlepCRCeHy+GbKM6CdeTHWF5G7yoiMHvdBCbA8MQ7R9onFf99rw/ ZpZA==
X-Gm-Message-State: ANhLgQ21cE4WNLbSE9N/gYSZm+8X+K9ikWORaAJevqz8whdWXySOetHv W2nhxcON5OyNxUpGvDu+f0e4OaTrdzHjaCE0lF6mSVWSZRE=
X-Google-Smtp-Source: ADFU+vsEzs0WJyFo4A1EnfnWDHQWKLg/eHSF0JSpySDUD4TKG7LIC75MMa4eaUgIyJKKeSeM53TbS68XgDnsjq/6uOM=
X-Received: by 2002:a0c:a8e2:: with SMTP id h34mr3445572qvc.22.1585148911649; Wed, 25 Mar 2020 08:08:31 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Dmitry Khovratovich <>
Date: Wed, 25 Mar 2020 16:08:11 +0100
Message-ID: <>
To: Stephen Farrell <>
Cc: "" <>, "" <>
Content-Type: multipart/alternative; boundary="000000000000cb876b05a1af3d6a"
Archived-At: <>
Subject: Re: [Cfrg] IRSG review of draft-irtf-cfrg-argon2-09
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 25 Mar 2020 15:08:55 -0000

Hi Stephen,

thank you so much for a detailed review.

Unfortunately, I have no control nor experience with the third-party
implementations you are talking about. I do not know if they allow printing
so detailed test vectors. I am afraid given that they contain only-memory
values, you may not see them in full in the output.

On Wed, Dec 11, 2019 at 4:41 PM Stephen Farrell <>

> Hiya,
> The issue: What is a "primary variant" and what is an
> implementer supposed to do?

This is given in section "Parameter Choice".

- Do we know if someone has implemented from the draft and

> gotten the correct result? I looked back at the cfrg list
> and didn't see that anyone said they had. It'd be great if
> we knew the text was good enough for that. (It looks fine
> to me, but I've not tried to implement from the draft.)
I did not check that.

> Nits:
> - intro: The URL for [ARGON2ESP] gets me a 404.
> That's:
> fixed

> - intro: I don't know what "Argon2 summarizes the state of
> the art" is meant to mean. Maybe you mean that argon2 is
> intended to reflect the current state of the art?
> fixed

> - 3.1: can the nonce/salt (S) have zero length?  It looks
> like that would work but be undesirable, so why not set
> a non-zero minimum? (Implementations seem to do that
> already, not sure if with the same minimum.)

Yes when bruteforce search is not an issue (key derivation for example).

> - 3.1: would it be better to say that the nonce needs to
> appear random and not reveal anything about the password
> as well as being unique-per-password? MD5(pwd) would be
> (sufficiently:-) unique-per-password but would not be a
> good nonce. I guess it's just about possible that an
> implementer might do something that silly;-(

No, the nonce does not have to be random. It can (and actually should) be
non-random but unique. In practice, it can be just User ID for many

> - 3.1: are the optional K and X values considered "absent"
> when they have length zero? (I guess so as the lengths are
> input to H_0) It might be better to be explicit about
> that.


> - 3.4: 'S' was already defined as the salt, so S = 4 for
> the slices is a bit unfortunate, though not a real issue.

> _______________________________________________
> Cfrg mailing list

Best regards,
Dmitry Khovratovich