Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)

[Daniel Huigens <d.huigens@protonmail.com>]

On Wednesday, July 27th, 2022 at 11:42, Bruce Walzer wrote:

> The incorrect fact in this case is
> that Argon2 will work in some sort of slower degraded mode in the case
> where not enough memory is available.

I didn't claim that it "will work" unconditionally; what I wrote is:

> The decrypting implementation doesn't necessarily have to allocate 2TB,
> it can do with less, it will just be slow.

Emphasis on *can*; I didn't claim that RFC 9106 mandates this, and I
also haven't checked what common implementations do, but it is possible,
by recomputing blocks that are not stored when needed.

In any case, I personally think that it's perfectly reasonable to return
an error if the Argon2 parameters call for allocating 2TB. That is way
beyond the values recommended by RFC 9106. And in general, if decrypting
a message requires more memory than is available it can return an error,
of course.

If your point is that we should agree on acceptable parameters to use
when generating a message, to prevent that from happening, I agree;
I would propose to use the first recommended value (2GiB) as an upper
bound, *unless* the implementation knows that the message will be
decrypted on the same device it was encrypted on, and knows that there
is more memory available.

Arguably, that's what the current text already says: it's recommended
to use the recommended options in RFC 9106, and for applications that
can't or don't want to tailor to specific hardware, the option with
2GiB of RAM is recommended. However, if you want to propose some text
to make that clearer, I think that would be welcome.

Best,
Daniel