Argon2
Hello,

Jussi, if you have any idea about implementing Argon2 in libgcrypt,
please let us know.

Let me explain my background.

Use of Argon2 in OpenPGP messages has been discussed at times.

- 2015-10-18 about Argon2i:
https://mailarchive.ietf.org/arch/browse/openpgp/?gbt=1&index=IORjkQR17EURj9HQaKCqoQ2TKkI

- These days: Proposed change including S2K with Argon2id:
https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/72/diffs

For GnuPG, it's not that important, I suppose. Probably, we won't use it.
Perhaps, at maximum, it will be (only) for interoperability with other
OpenPGP implementations when exchanging secret keys.

For libgcrypt, on the other hand, I think that it's good if we support
Argon2 as a crypto library. When KDF supports Argon2, it's good.


So, I wonder about how we add Argon2 into libgcrypt.

Now, I looked at this code:

https://github.com/P-H-C/phc-winner-argon2
CC0 or Apache Public License 2.0

Any ideas?
--

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
Re: Argon2
Hello,

On 15.10.2021 11.09, NIIBE Yutaka wrote:
> Hello,
>
> Jussi, if you have any idea about implementing Argon2 in libgcrypt,
> please let us know.
>
> Let me explain my background.
>
> Use of Argon2 in OpenPGP messages has been discussed at times.
>
> - 2015-10-18 about Argon2i:
> https://mailarchive.ietf.org/arch/browse/openpgp/?gbt=1&index=IORjkQR17EURj9HQaKCqoQ2TKkI
>
> - These days: Proposed change including S2K with Argon2id:
> https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/72/diffs
>
> For GnuPG, it's not that important, I suppose. Probably, we won't use it.
> Perhaps, at maximum, it will be (only) for interoperability with other
> OpenPGP implementations when exchanging secret keys.
>
> For libgcrypt, on the other hand, I think that it's good if we support
> Argon2 as a crypto library. When KDF supports Argon2, it's good.
>

Yes, it would be nice if libgcrypt had Argon2 support.

>
> So, I wonder about how we add Argon2 into libgcrypt.
>
> Now, I looked at this code:
>
> https://github.com/P-H-C/phc-winner-argon2
> CC0 or Apache Public License 2.0
>
> Any ideas?
>

We could use that repo and RFC 9106 as a starting point and select the single-thread
code path (core.c, ARGON2_NO_THREADS) and the reference fill_blocks (src/ref.c) for
the initial implementation. Vector instruction set optimization and multi-threading
could be added later (the latter would need threading support in gpgrt, I think).

One thing I'm not sure about is how to introduce Argon2 to the KDF interface.
Argon2 has more parameters (degree of parallelism p, memory size m, number of
passes t) than what libgcrypt takes with `gcry_kdf_derive()`, which only takes
`iterations`. So we'd need a new interface for Argon2.

-Jussi

Re: Argon2
On Wed, 20 Oct 2021 19:49, Jussi Kivilinna said:

> One thing I'm not sure about is how to introduce Argon2 to the KDF interface.
> Argon2 has more parameters (degree of parallelism p, memory size m, number of
> passes t) than what libgcrypt takes with `gcry_kdf_derive()`, which only takes
> `iterations`. So we'd need a new interface for Argon2.

Well, we may make use of the SUBALGO and put several parameters into
ITERATIONS. This would allow us to add just a couple of macros and
save the trouble of adding a new interface.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Argon2
On 22.10.2021 19.49, Werner Koch wrote:
> On Wed, 20 Oct 2021 19:49, Jussi Kivilinna said:
>
>> One thing I'm not sure about is how to introduce Argon2 to the KDF interface.
>> Argon2 has more parameters (degree of parallelism p, memory size m, number of
>> passes t) than what libgcrypt takes with `gcry_kdf_derive()`, which only takes
>> `iterations`. So we'd need a new interface for Argon2.
>
> Well, we may make use of the SUBALGO and put several parameters into
> ITERATIONS. This would allow us to add just a couple of macros and
> save the trouble of adding a new interface.
>

The RFC defines two 32-bit parameters (m and t) and one 24-bit (p). We would
need to use reduced value ranges for these if passed through ITERATIONS.
Large values probably won't have practical use but it would be nice to
support full value ranges. Maybe KEYBUFFER could be used for passing
a pointer to an Argon2 parameter structure?

-Jussi

>
> Shalom-Salam,
>
> Werner
>

