[openpgp] [PATCH] RFC4880bis: Argon2i

Nils Durner <ndurner@googlemail.com> Sun, 18 October 2015 14:20 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/IORjkQR17EURj9HQaKCqoQ2TKkI>


Attached is a patch against RFC 4880bis in
git://git.gnupg.org/gnupg-doc.git to include Argon2i as an S2K method.


  * I have made room for 256-bit nonces. The Argon2 paper[0] recommends
    16 byte nonces for password hashing with a maximum length of 2^32-1.
    My reason for this is to make the nonce size equal to the AES-256
    key size so that we enjoy full key strength without relying on the
    password to contribute any entropy at all.
  * What do others think about the RECOMMENDATION of a parallelism
    degree of 1? Are use-cases known where hosts are unable to do
    multi-threading (well)?
  * Argon2 is not final yet, as far as I understand. The reference to it
    in template.xml should be checked/updated once it is.
      o Is Cryptolux.org considered a stable location to link to?
  * Private keys now MUST be protected using a salted S2K scheme

Looking at http://wiki.gnupg.org/rfc4880bis, HKDF should be removed from
the S2K candidates. From the HKDF paper[1]:

> typical PBKDFs [...] use [...] salt [...] and (ii) the slowing down of
> the KDF operation [...] This makes PBKDFs very different than the
> general-purpose KDFs studied here. In particular, while passwords can
> be modeled as a source of keying material, this source has too little
> entropy to meaningfully apply our extractor approach

So it cannot be used directly and the changes required to make it a
suitable PBKDF would replicate the work done for the Password Hashing
Competition[2] which selected Argon2 as the basis for its winner[3].



[0] https://www.cryptolux.org/images/0/0d/Argon2.pdf
[1] https://password-hashing.net/
[2] https://groups.google.com/forum/#!topic/crypto-competitions/3QNdmwBS98o
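
For context on the S2K methods that the message above proposes to supplement, here is an added example (not part of the original message or its attached patch) of the three specifiers RFC 4880 section 3.7.1 already defines, together with a check that mirrors the "salted S2K" requirement. The helper `is_salted` and the sample passphrase are hypothetical; the Argon2i specifier is not modelled because the patch itself is not shown on this page.

```python
import hashlib

SIMPLE, SALTED, ITERATED_SALTED = 0, 1, 3   # S2K specifier types, RFC 4880 section 3.7.1

def decode_count(c):
    """Expand the one-octet coded count of iterated+salted S2K into an octet count."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def s2k(s2k_type, passphrase, key_len, salt=b"", coded_count=0, hash_name="sha256"):
    """Derive key_len octets from a passphrase with an RFC 4880 S2K specifier."""
    if s2k_type == SIMPLE:
        data = passphrase
    elif s2k_type in (SALTED, ITERATED_SALTED):
        if len(salt) != 8:
            raise ValueError("RFC 4880 salted S2K uses an 8-octet salt")
        data = salt + passphrase
    else:
        raise ValueError("unsupported S2K type")
    total = len(data)
    if s2k_type == ITERATED_SALTED:
        # The whole salt+passphrase is always hashed at least once.
        total = max(decode_count(coded_count), len(data))
    key, preload = b"", 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)   # context n is preloaded with n zero octets
        if data:
            block = data * max(1, 65536 // len(data))
            left = total
            while left >= len(block):
                h.update(block)
                left -= len(block)
            h.update(block[:left])    # block is whole repeats, so this is a valid prefix
        key += h.digest()
        preload += 1
    return key[:key_len]

def is_salted(s2k_type):
    """Hypothetical policy check: accept only the salted RFC 4880 types for secret keys."""
    return s2k_type in (SALTED, ITERATED_SALTED)

if __name__ == "__main__":
    pw = b"hunter2!"   # constructed sample passphrase
    # Unsalted: every key protected with this passphrase gets the same symmetric key.
    print(s2k(SIMPLE, pw, 32).hex())
    # Salted: the same passphrase yields unrelated keys under different salts.
    print(s2k(ITERATED_SALTED, pw, 32, salt=b"AAAAAAAA", coded_count=0x60).hex())
    print(s2k(ITERATED_SALTED, pw, 32, salt=b"BBBBBBBB", coded_count=0x60).hex())
```

The iterated form only repeats a fast hash, so its cost is time alone; a memory-hard function such as Argon2i also makes each guess cost memory.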