Re: [dm-crypt] Argon2id security margin estimate and LUKS2 usage

From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Cc: whonix-devel@whonix.org
Subject: Re: [dm-crypt] Argon2id security margin estimate and LUKS2 usage
Date: Mon, 20 Aug 2018 20:46:45 +0200	[thread overview]
Message-ID: <20180820184644.GA19629@tansi.org> (raw)
In-Reply-To: <665e5ad2-37ec-19d8-a823-25f828276c6f@riseup.net>

On Mon, Aug 20, 2018 at 15:33:00 CEST, procmem wrote:
> Hi Milan, Whonix (privacy distro) maintainer here. We are researching
> the best password advice to give to our users and while diceware is a
> great improvement over the status quo, the recommendation by
> cryptographers in light of quantum computing is to choose pass phrases
> with a length equivalent to 256 bits because Grovers will halve the bit
> length. This requires phrases to be 20 words long for 256 bits which is
> excessive IMO and the reason we are looking at key-stretching for
> shorter ones instead.

This is completely irrelevant for key derivation. No QC
will be able to do a few 1000 iterations of KDF this century,
and actually it would need to reverse them. Also, the size of
the QC needed is not the password-size, but the minimal memory
needed to compute the KDF on it. So with something like 
Argon2, the QC would need as many bits as the configured memory.

In addition, it is still completely unclear whether QC will 
ever scale. There is no indication that it will after now 
something like 40 years of intense research. This is just another
hype that will not die because too many people believe in magic
and normal computing has effectively stopped scaling half a 
decade back or so.

Well, actually, it is pretty clear at this time that QC does
not scale at all in practice and that its scale-up over time 
may well be inverse exponential. If so, it will never be of any use.

> 
> * What is the time/sec margin added to a password with Argon2id's best
> parameters?

There are no "best" parameters. It depends on your application and
target system. That said, computationally, it is bascially just 
the same as PBKDF2, ARGON2 just adds a minimal memory requirements 
or you get exponentially worse.

> * Have Argon's parameters been tweaked in the LUKS implementation, to
> account for the 2 public attacks? [0]

Forget about these. These are academic attacks with no practical
impact. KDFs like Argon2 have massive redundancy security-wise,
unlike most ciphers.

> * Are more cryptanalytic attacks expected against it in the future or is
> it extremely unlikely for progress against to be made? (For example
> modern hashes like BLAKE2 or block ciphers like AES are pretty robust
> with no notable attacks for some time)

This question is nonsense. Are you asking us to read the tea-leaves?

Just keep in mind that with a good passphrase, even a single, plain,
unsalted SHA-1 is unbroken at this time and even secure against the
mythical extreme powers (not) of a QC. There is really no need to 
fret over key derivation, the weaknesses are in entirely different 
places.

Regards,
Arno

> * Can you please give an example of cryptsetup re-encrypt command that
> upgrades an existing LUKS1 system to one that uses Argon with its max
> settings?
> 
> 
> CC/d our ML so users can benefit from your reply.
> 
> 
> [0] https://en.wikipedia.org/wiki/Argon2#Cryptanalysis
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier