Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)

Bruce Walzer <bwalzer@59.ca> Wed, 03 August 2022 15:47 UTC

Date: Wed, 03 Aug 2022 10:46:34 -0500
From: Bruce Walzer <bwalzer@59.ca>
To: Daniel Huigens <d.huigens@protonmail.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Justus Winter <justus@sequoia-pgp.org>, openpgp@ietf.org
Message-ID: <YuqYWiPSitbCJtk4@ohm.59.ca>
References: <YuAErZRsF/KbOw1s@watt.59.ca> <87edy7keb6.fsf@thinkbox> <YuFc+w02FiRQmHcg@watt.59.ca> <87bktajjvq.fsf@thinkbox> <YuKpxp0/Dy1DfC19@watt.59.ca> <875yjhjg2c.fsf@thinkbox> <YuP093G0UKhAJF4U@watt.59.ca> <152ab077-e4c9-7aed-8b44-4e999ed19e89@cs.tcd.ie> <YulNyD1gnC0U+1pN@ohm.59.ca> <Omn5mCBFz0ccFYcDgRjHCKseR_9ixmz1CTG55SDrNRysaY5Ni0i3I8ICzpPNOW0nWKcOnxIuWhUwIugXOdN-zcDil_ftWVALPXWPpSsjWnc=@protonmail.com>
In-Reply-To: <Omn5mCBFz0ccFYcDgRjHCKseR_9ixmz1CTG55SDrNRysaY5Ni0i3I8ICzpPNOW0nWKcOnxIuWhUwIugXOdN-zcDil_ftWVALPXWPpSsjWnc=@protonmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/20PMDEUhqu5v_XyRliMEIpAxZnk>

On Tue, Aug 02, 2022 at 04:58:59PM +0000, Daniel Huigens wrote:
> On Tuesday, August 2nd, 2022 at 12:16, Bruce Walzer wrote:
> 
> > I don't see this as a parameter problem. When Argon2 is used in
> > a normal way the parameters (CPU, threads, memory) are deliberately
> > set to, as much as is possible, prevent the hash from being done on
> > any other system.
> 
> This is not true at all. The first recommended parameter set is
> explicitly given as a "uniformly safe option that is not tailored to
> your application or hardware".

I can't help but point out that this is somewhat ambiguous as
stated. The first recommended parameter set in RFC 9106 is 2 lanes and
250 MB of RAM which is intended for cryptocurrency mining. From
context it is clear you meant the FIRST RECOMMENDED option which is 1
iteration, 4 lanes and 2 GiB of RAM. I am being deliberately difficult
here to highlight how vague this all is. The actual Argon2 proposal in
draft 6 doesn't recommend anything at all but merely suggests a place
where you might find some recommendations. Anyway to your point...

I was making a more general point. By the very nature of what we are
doing with Argon2 we are attempting to employ resources that an
attacker does not have in their context. What we might choose as a
default does not change this fundamental principle.

[...]

> > This is true even to the extent that it is designed
> > to run badly on any other platform than x86.
> 
> Citation needed? Being optimized for the x86 architecture is not the
> same as being "designed to run badly on any other platform than x86".

It is obvious we are looking at the same thing, but a citation was
requested, so:

From RFC 9106, sec 1:

>Argon2 is optimized for the x86 architecture and exploits the cache
>and memory organization of the recent Intel and AMD processors.


This is a password hashing function; absolute performance is irrelevant. Only performance relative to that achieved by an attacker is important. What possible reason would there be to heavily optimize Argon2 on x86 other than to make that platform the fastest relative to other platforms? In other words, to make it run worse on any other platforms.

Bruce
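The thread turns on the draft leaving Argon2 parameter choices to the implementer. The following is an added example, not code from the thread, the draft, or RFC 9106: an implementation that receives Argon2 parameters from an untrusted packet has to enforce the hard limits RFC 9106 sets on t, p and m, and should also apply its own floor (so a weak set is refused) and ceiling (so a packet cannot demand unbounded memory). The floor and ceiling values used here are this example's assumptions, not anything the draft specifies.

```python
# Added example; the policy floor/ceiling below are assumptions of this example.
from dataclasses import dataclass

KIB = 1024


@dataclass(frozen=True)
class Argon2Params:
    t: int       # number of passes (iterations)
    p: int       # degree of parallelism (lanes)
    m_kib: int   # memory cost in kibibytes


# Hard limits from RFC 9106 section 3.1 (applies to any Argon2 input).
def rfc9106_valid(params: Argon2Params) -> bool:
    if not 1 <= params.p <= 2**24 - 1:
        return False
    if not 1 <= params.t <= 2**32 - 1:
        return False
    # m must be at least 8*p and at most 2^32-1 kibibytes
    return 8 * params.p <= params.m_kib <= 2**32 - 1


# Local policy (assumption): floor taken from RFC 9106's second recommended
# option (t=3, p=4, 64 MiB); ceiling of 4 GiB to bound what an untrusted
# packet can make us allocate.
POLICY_FLOOR = Argon2Params(t=3, p=4, m_kib=64 * KIB)
POLICY_MAX_KIB = 4 * KIB * KIB


def check_policy(params: Argon2Params) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects invalid, too-weak, or oversized sets."""
    if not rfc9106_valid(params):
        return False, "outside RFC 9106 hard limits"
    if params.m_kib > POLICY_MAX_KIB:
        return False, "memory cost exceeds local ceiling"
    if params.m_kib < POLICY_FLOOR.m_kib:
        return False, "memory cost below policy floor"
    # Compare total work (passes x memory) so a single-pass, high-memory set
    # such as RFC 9106's first recommended option (t=1, 2 GiB) is not refused.
    if params.t * params.m_kib < POLICY_FLOOR.t * POLICY_FLOOR.m_kib:
        return False, "passes x memory below policy floor"
    return True, "ok"


if __name__ == "__main__":
    for name, ps in [("rfc first option", Argon2Params(1, 4, 2 * KIB * KIB)),
                     ("rfc second option", Argon2Params(3, 4, 64 * KIB)),
                     ("tiny", Argon2Params(1, 1, 8)),
                     ("huge", Argon2Params(1, 4, 2**31))]:
        print(name, check_policy(ps))
```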