Re: [openpgp] Memory requirement for Argon2 (draft-06, sec 3.7.1.4)
Bruce Walzer <bwalzer@59.ca> Thu, 21 July 2022 15:26 UTC
Return-Path: <bwalzer@59.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0C4EC13C504 for <openpgp@ietfa.amsl.com>; Thu, 21 Jul 2022 08:26:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ckKS92bbNHZZ for <openpgp@ietfa.amsl.com>; Thu, 21 Jul 2022 08:26:14 -0700 (PDT)
Received: from mail.59.ca (mail.59.ca [205.200.229.83]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F4064C14F6EB for <openpgp@ietf.org>; Thu, 21 Jul 2022 08:26:13 -0700 (PDT)
Received: from [10.0.0.2] (helo=ohm.59.ca) by mail.59.ca with esmtpsa (TLS1.3) tls TLS_CHACHA20_POLY1305_SHA256 (Exim 4.94.2) (envelope-from <bwalzer@59.ca>) id 1oEY3s-000J5b-5S; Thu, 21 Jul 2022 10:26:00 -0500
Date: Thu, 21 Jul 2022 10:25:58 -0500
From: Bruce Walzer <bwalzer@59.ca>
To: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org
Message-ID: <YtlwBsk5qGIhEl7e@ohm.59.ca>
References: <YtHYPyDPY7nm5iSW@ohm.59.ca> <21Rcis4rNky_9wwR_P8GouVhsG9epEjx8lWh2xhTnpj2eTm1iFy-t3VoPTbNULXZEzX-dnTsk0DO_91EB0pUxjQrnVZy_cDJYaXv9utxYfQ=@protonmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <21Rcis4rNky_9wwR_P8GouVhsG9epEjx8lWh2xhTnpj2eTm1iFy-t3VoPTbNULXZEzX-dnTsk0DO_91EB0pUxjQrnVZy_cDJYaXv9utxYfQ=@protonmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/zpxkF2sJUkrEHEBzRLA4qtBgi5w>
Subject: Re: [openpgp] Memory requirement for Argon2 (draft-06, sec 3.7.1.4)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2022 15:26:14 -0000
On Mon, Jul 18, 2022 at 10:22:21AM +0000, Daniel Huigens wrote: > Hi Bruce, > > Since Argon2 is a symmetric construct, as a first assumption I think > it's not unreasonable to say that the file will most likely be > decrypted on the same device it was encrypted on. True, but OpenPGP primarily exists for interoperability between different systems/devices. The interoperability of both encrypted files and encrypted private keys in this case. In cases where interoperability is not required then you won't see the use of something like OpenPGP. Remote backup systems are a good example, they almost always create their own encryption structure, to meet the needs of their own process. > Of course, that won't > always be the case, but if it's not it's not the end of the world, it > will just be slower (or faster). Then the question is more specifically: how much slower? There has to come a point where it takes long enough to no longer be usable. > In my opinion, the first recommended option should be fine, if the > implementation doesn't know about the hardware that will be used to > decrypt. The reason we don't standardize it is because these > recommendations might change in the future. OK, then 2GB it is. How much computational effort can I put in to make it so that the time to decrypt is reasonable over a reasonable range of systems after having specified 2GB? As a practical example, GnuPG adjusts the amount of computational effort so that it takes 0.1 seconds to decrypt on the system the S2K operation was done on. Picking a reasonable upper limit of 10 seconds means that the target system can be two orders of magnitude slower before we hit our limit. That's a lot of range. How could I do something as good using the parameters of Argon2? Instead of just one parameter I have at least three. It makes it a complicated problem with a lot of required assumptions. Looking at this from the perspective of usability, how can I, the application programmer provide some benefit to the user by picking Argon2 instead of the current alternative? The potential benefit is that the user could have a passphrase that is one word shorter (two words shorter is unrealistic). Would it be possible to provide that one word benefit? If yes, it is not clear to me how to set the parameters so as to do that without risking an unreasonably long wait on some reasonable systems. If no, then why bother with Argon2 at all for OpenPGP? I can't help but point out that this feels like another example of what can happen when methods are grafted from one medium (client server) to a different medium without careful consideration. There is a potential advantage here, but more work needs to be done to clearly identify it and properly define the path to realizing it. Bruce
- [openpgp] Memory requirement for Argon2 (draft-06… Bruce Walzer
- Re: [openpgp] Memory requirement for Argon2 (draf… Daniel Huigens
- Re: [openpgp] Memory requirement for Argon2 (draf… Bruce Walzer
- Re: [openpgp] Memory requirement for Argon2 (draf… Daniel Huigens
- Re: [openpgp] Memory requirement for Argon2 (draf… Justus Winter
- Re: [openpgp] Memory requirement for Argon2 (draf… Bruce Walzer
- Re: [openpgp] Memory requirement for Argon2 (draf… Daniel Huigens
- Re: [openpgp] Memory requirement for Argon2 (draf… Werner Koch