Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)

Bruce Walzer <bwalzer@59.ca> Tue, 02 August 2022 16:16 UTC

Return-Path: <bwalzer@59.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B85F8C15C511 for <openpgp@ietfa.amsl.com>; Tue, 2 Aug 2022 09:16:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nt11k7Ne8_S1 for <openpgp@ietfa.amsl.com>; Tue, 2 Aug 2022 09:16:16 -0700 (PDT)
Received: from mail.59.ca (mail.59.ca [205.200.229.83]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB218C14CF12 for <openpgp@ietf.org>; Tue, 2 Aug 2022 09:16:16 -0700 (PDT)
Received: from [10.0.0.2] (helo=ohm.59.ca) by mail.59.ca with esmtpsa (TLS1.3) tls TLS_CHACHA20_POLY1305_SHA256 (Exim 4.94.2) (envelope-from <bwalzer@59.ca>) id 1oIuYz-000Nl9-Tw; Tue, 02 Aug 2022 11:16:10 -0500
Date: Tue, 02 Aug 2022 11:16:08 -0500
From: Bruce Walzer <bwalzer@59.ca>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Justus Winter <justus@sequoia-pgp.org>, openpgp@ietf.org
Message-ID: <YulNyD1gnC0U+1pN@ohm.59.ca>
References: <YuAErZRsF/KbOw1s@watt.59.ca> <87edy7keb6.fsf@thinkbox> <YuFc+w02FiRQmHcg@watt.59.ca> <87bktajjvq.fsf@thinkbox> <YuKpxp0/Dy1DfC19@watt.59.ca> <875yjhjg2c.fsf@thinkbox> <YuP093G0UKhAJF4U@watt.59.ca> <152ab077-e4c9-7aed-8b44-4e999ed19e89@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <152ab077-e4c9-7aed-8b44-4e999ed19e89@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/sL8wv5G1ao-oC4fQR3GypdWxD4M>
Subject: Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2022 16:16:17 -0000

On Sat, Jul 30, 2022 at 05:20:07PM +0100, Stephen Farrell wrote:

[...]

> It's perfectly fine to try figure out better wording that
> describes how to use argon2 and it's unfortunate parameters,
> and if it turns out there's some parameter set that might
> cause issues for some openpgp implementation/deployment then
> that's worth exploring and documenting.

I think this begs the question in that it assumes that there might be
particular parameter sets that could be excluded to make things
work. I don't see this as a parameter problem. When Argon2 is used in
a normal way the parameters (CPU, threads, memory) are deliberately
set to, as much as is possible, prevent the hash from being done on
any other system. This is true even to the extent that it is designed
to run badly on any other platform than x86. The entire idea behind
Argon2 is to prevent interoperability and the parameters exist to make
that possible. The root question here is how to use such a scheme in a
messaging standard intended to facilitate interoperability. There
might be combinations of parameters that would make this practical and
possible but so far the closest thing I have heard to this end is that
perhaps we should limit the amount of memory to 2 GB.

OpenPGP is to a greater extent than others a standard that belongs to
its users. As a user I am asking that any proposal for change be made
definite enough that I (and others) can reasonably evaluate it.

Bruce