Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Argon2 constants decision #6

Closed
AlexGustafsson opened this issue Apr 18, 2019 · 3 comments
Closed

Argon2 constants decision #6

AlexGustafsson opened this issue Apr 18, 2019 · 3 comments

Comments

@AlexGustafsson
Copy link

How did you decide upon the constants to use for the Argon2 algorithm? The constants in question are parallelism, memory to use and number of iterations.

Side note: I like the fact that you’ve argued for the type of Argon2 algorithm to use in the code. The same would be great for the constants!

@maqp
Copy link
Owner

maqp commented Apr 18, 2019

Hi! You're right. This needs to be available, and it needs to be in relation to the best practices.

Also, since the previous work done to balance memory_cost and time_cost to meet the key derivation time haven't been properly documented at the time, I'm going to redo this part for the next release.

@maqp
Copy link
Owner

maqp commented Apr 21, 2019

The 1.19.04 version now uses the best practices. It uses as much memory as possible (if more than 6GiB is available, it's according to the RFC draft's recommendation for disk encryption key derivation) and adjusts time_cost until key derivation takes between three and four seconds (min value is again the RFC darft's recommendation for disk encryption key derivation). If after the time_cost it set key derivation takes longer than 4 seconds, the implementation keeps the time_cost and does a binary search for memory_cost that has key derivation time in the set range. Closing.

@maqp maqp closed this as completed Apr 21, 2019
@maqp
Copy link
Owner

maqp commented Feb 16, 2020

As an update, the latest RFC draft for Argon2 recommends Argon2id with time_cost=1 and maximum possible memory_cost. This is problematic as TFC might also be run on devices with fast(ish) CPU but limited amount of RAM. It's therefore better the keep the current version with automatically tuned settings.

Furthermore, with PSKs TFC can't guess how much RAM the contact has, so memory_cost can not be set as high as with protection of local databases. Therefore the the time_cost needs to remain high and memory_cost somewhat low. These values will probably be updated every few years, as lower-end hardware evolves and packs more RAM. The PSKs parameters should match the performance of 2..4 year old netbooks originally sold in the price point of ~$200.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants