Re: [Cfrg] I-D Action: draft-irtf-cfrg-argon2-02.txt

"Paterson, Kenny" <> Thu, 15 June 2017 14:16 UTC


Dear CFRG,

Dmitry Khovratovich kindly presented the latest draft for Argon2 at the
interim CFRG meeting in Paris. For those of you who could not attend, his
slides can be found here:

My sense from the constructive discussion that took place after Dmitry's
talk in Paris was that there are now no remaining serious objections to
the recommended parameters in the latest version of the draft:

If there are further substantive technical comments from the CFRG
membership, the chairs would be grateful if they could be brought to the
list in the next few days.

Assuming we have indeed reached consensus, then we will be in a position
to move to last call for this ID.


Kenny (for the chairs)

On 27/03/2017 11:51, "Cfrg on behalf of Dmitry Khovratovich"
< on behalf of> wrote:

>Some comments on a new draft:
>
>Variants
>
>Argon2 fills M bytes of memory in T iterations over it, with M and T
>being the parameters supplied to Argon2 and determining its
>performance. Speed on a typical server is linear in the MT product.
>The Argon2 family has three variants: I, D, and ID, which differ in the
>way of reusing memory that has been filled. The I variant makes queries
>with predictable addresses, whereas D determines the addresses on the
>fly depending on the current state (and thus the password). The ID
>variant follows I for the first half of the memory used and D for the
>rest and while overwriting.
>
>Side-channels
>
>The side-channel attacks, which are of still rising concern in the
>security community, are applicable to the D variant as the memory
>addresses and thus information about the password or other secret
>inputs can be determined from the timing leaks. The I variant is
>completely invulnerable to this attack, and the ID variant provides
>only a constant factor improvement for the
>
>Hardware and tradeoffs
>
>The M and T parameters determine the cost of passwords on custom
>hardware, which is proportional to M^2*T if we follow the traditional
>time-area product metric. The time-memory tradeoff analysis [2] shows
>that the bruteforce cost for the I variant can be changed to
>M^2*T/Q(M,T) for some quality function Q. For instance, Q(2^30,1)=5,
>Q(2^30,4)=2.5. The D variant is invulnerable to the approach [2], and
>the savings factor in the ID variant is upper bounded by factor 2 for
>all parameters.
>
>Defender tradeoff and ultimate recommendations
>
>In public and private conversations with security architects in the
>industry we learned that the bottleneck in a system employing the
>password-hashing function is the function latency rather than memory
>costs. We then assume that a rational defender would like to maximize
>the bruteforce costs for the attacker equipped with a list of hashes,
>salts, and timing information, for fixed computing time on the
>defender’s machine. In this assumption the defender keeps the MT
>product constant and maximizes the losses M/Q(M,T). The authors of [2]
>provide us with attack cost estimates for constant MT = 2^28, 2^30,
>2^32 (measured in iteration-bytes).
>
>We ultimately recommend the ID variant with T=1 and maximum M as a
>default setting for all environments, which is secure against
>side-channel attacks and prohibits adversarial advantage on dedicated
>bruteforce hardware.
>
>“Efficiently Computing Data-Independent Memory-Hard Functions” <>
>“Towards Practical Attacks on Argon2i and Balloon Hashing” <>
>On Mon, Mar 27, 2017 at 12:46 PM, <> wrote:
>A New Internet-Draft is available from the on-line Internet-Drafts
>This draft is a work item of the Crypto Forum of the IETF.
>        Title           : The memory-hard Argon2 password hash and
>proof-of-work function
>        Authors         : Alex Biryukov
>                          Daniel Dinu
>                          Dmitry Khovratovich
>                          Simon Josefsson
>        Filename        : draft-irtf-cfrg-argon2-02.txt
>        Pages           : 26
>        Date            : 2017-03-27
>   This document describes the Argon2 memory-hard function for password
>   hashing and proof-of-work applications.  We provide an implementer
>   oriented description together with sample code and test vectors.  The
>   purpose is to simplify adoption of Argon2 for Internet protocols.
>The IETF datatracker status page for this draft is:
>There are also htmlized versions available at:
>A diff from the previous version is available at:
>Please note that it may take a couple of minutes from the time of
>until the htmlized version and diff are available at
> <>.
>Internet-Drafts are also available by anonymous FTP at:
>Best regards,
>Dmitry Khovratovich
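Added example (mine, not part of the post or of the Argon2 draft): the defender's parameter choice described in the quoted message, carried through under the post's cost model M^2*T/Q(M,T) with MT held fixed. It uses only the Q values the post states (the two Argon2i points at M=2^30, the factor-2 bound for ID, no savings for D); the function names, the Fraction arithmetic and the T range 1..8 are my assumptions.

```python
# Defender-side parameter choice for Argon2 under the time-area cost
# model quoted in the thread: attacker cost on custom hardware is
# M^2 * T / Q(M, T), and the defender keeps M*T fixed (latency budget,
# in iteration-bytes) while trying to maximise that cost.
from fractions import Fraction

# Quality factors stated in the post for Argon2i: Q(2^30,1)=5, Q(2^30,4)=2.5.
# Note both points share M=2^30, so they lie on different MT budgets.
ARGON2I_Q_KNOWN = {(2**30, 1): Fraction(5), (2**30, 4): Fraction(5, 2)}


def q_d(M, T):
    """Argon2d: the tradeoff attack of [2] does not apply, so no savings."""
    return Fraction(1)


def q_id_worst(M, T):
    """Argon2id: the post bounds the savings factor by 2 for all parameters;
    use that bound as the conservative (worst case for the defender) Q."""
    return Fraction(2)


def q_i_known(M, T):
    """Argon2i: only the two data points quoted in the post are available;
    any other (M, T) raises KeyError rather than guessing a value."""
    return ARGON2I_Q_KNOWN[(M, T)]


def attacker_cost(M, T, q):
    """Time-area cost M^2 * T / Q(M, T), exact (Fraction) arithmetic."""
    return Fraction(M * M * T) / q(M, T)


def best_params(budget, q, max_T=8):
    """For fixed M*T = budget, try T = 1..max_T (M = budget // T where it
    divides evenly) and return (M, T, cost) for the T that maximises the
    attacker's cost; points with unknown Q are skipped."""
    best = None
    for T in range(1, max_T + 1):
        if budget % T:
            continue
        M = budget // T
        try:
            cost = attacker_cost(M, T, q)
        except KeyError:
            continue  # Q unknown at this point
        if best is None or cost > best[2]:
            best = (M, T, cost)
    return best
```

With Q bounded by a constant (ID, D), the cost for fixed MT=P is at least M*P/2, so the maximiser is always T=1 with the largest M, which is the post's recommendation.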