Argon2

Jussi Kivilinna jussi.kivilinna at iki.fi
Wed Oct 20 18:49:35 CEST 2021


Hello,

On 15.10.2021 11.09, NIIBE Yutaka wrote:
> Hello,
> 
> Jussi, if you have any idea about implementing Argon2 in libgcrypt,
> please let us know.
> 
> Let me explain the background of mine.
> 
> Use of Argon2 in OpenPGP messages was discussed sometimes.
> 
>     - 2015-10-18 about Argon2i:
>     https://mailarchive.ietf.org/arch/browse/openpgp/?gbt=1&index=IORjkQR17EURj9HQaKCqoQ2TKkI
> 
>     - These days: Proposed change including S2K with Argon2id:
>     https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/72/diffs
> 
> For GnuPG, it's not that important, I suppose.  Probably, we won't use it.
> Perhaps, at maximum, it will be (only) for interoperability with other
> OpenPGP implementations exchanging secret keys.
> 
> For libgcrypt, on the other hand, I think that it's good if we support
> Argon2 as a crypto library.  When KDF supports Argon2, it's good.
> 

Yes, it would be nice if libgcrypt had Argon2 support.

> 
> So, I wonder about how we add Argon2 into libgcrypt.
> 
> Now, I looked at this code:
> 
>     https://github.com/P-H-C/phc-winner-argon2
>     CC0 or Apache Public License 2.0
> 
> Any ideas?
> 

We could use that repo and RFC9106 as a starting point and select the single-thread
code-path (core.c, ARGON2_NO_THREADS) and reference fill_blocks (src/ref.c) for
the initial implementation. Vector instruction set optimization and multi-threading
could be added later (the latter would need threading support in gpgrt, I think).

One thing I'm not sure about is how to introduce Argon2 to the KDF interface.
Argon2 has more parameters (degree of parallelism p, memory size m, number of
passes t) than what libgcrypt takes with `gcry_kdf_derive()`, which only takes
`iterations`. So we'd need a new interface for Argon2.

-Jussi
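
The parameter mismatch discussed in the message above, as an added example that is not part of the original e-mail and not libgcrypt code: it checks p, m, t and the tag length against the RFC 9106 limits and derives the block layout that a single-thread fill loop would walk. The names `argon2_params`, `argon2_layout` and `argon2_plan` are hypothetical, and the sample values in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define SYNC_POINTS 4u   /* slices per pass (RFC 9106) */

/* Hypothetical parameter set, not a libgcrypt type.  A single
   `iterations` argument can carry only one of these four values. */
struct argon2_params {
  uint32_t t_cost;   /* number of passes t */
  uint32_t m_cost;   /* memory size m, in KiB (one block = 1 KiB) */
  uint32_t lanes;    /* degree of parallelism p */
  uint32_t taglen;   /* output length T, in bytes */
};

struct argon2_layout {
  uint32_t blocks;          /* m' = 4 * p * floor(m / (4 * p)) */
  uint32_t lane_length;     /* q = m' / p */
  uint32_t segment_length;  /* q / 4 */
};

/* Returns 0 and fills *out, or -1 when a parameter is outside the
   RFC 9106 limits.  The lane count shapes the layout (and so the
   resulting hash) even when all lanes are filled by one thread. */
int argon2_plan(const struct argon2_params *prm, struct argon2_layout *out)
{
  if (prm->lanes < 1 || prm->lanes > 0xFFFFFFu) return -1;  /* 1 <= p < 2^24 */
  if (prm->t_cost < 1 || prm->taglen < 4) return -1;        /* t >= 1, T >= 4 */
  if (prm->m_cost / 8 < prm->lanes) return -1;              /* m >= 8 * p */

  /* Round memory down to a multiple of 4*p blocks. */
  out->segment_length = prm->m_cost / (prm->lanes * SYNC_POINTS);
  out->lane_length = out->segment_length * SYNC_POINTS;
  out->blocks = out->lane_length * prm->lanes;
  return 0;
}

int main(void)
{
  /* Constructed sample: t=3, m=64 MiB, p=4, 32-byte tag. */
  struct argon2_params prm = { 3, 65536, 4, 32 };
  struct argon2_layout lay;

  if (argon2_plan(&prm, &lay) != 0) { puts("invalid parameters"); return 1; }
  printf("blocks=%u lane_length=%u segment_length=%u\n",
         lay.blocks, lay.lane_length, lay.segment_length);
  return 0;
}
```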


