On Mon, Aug 20, 2018 at 15:33:00 CEST, procmem wrote: > Hi Milan, Whonix (privacy distro) maintainer here. We are researching > the best password advice to give to our users and while diceware is a > great improvement over the status quo, the recommendation by > cryptographers in light of quantum computing is to choose pass phrases > with a length equivalent to 256 bits because Grovers will halve the bit > length. This requires phrases to be 20 words long for 256 bits which is > excessive IMO and the reason we are looking at key-stretching for > shorter ones instead. This is completely irrelevant for key derivation. No QC will be able to do a few 1000 iterations of KDF this century, and actually it would need to reverse them. Also, the size of the QC needed is not the password-size, but the minimal memory needed to compute the KDF on it. So with something like Argon2, the QC would need as many bits as the configured memory. In addition, it is still completely unclear whether QC will ever scale. There is no indication that it will after now something like 40 years of intense research. This is just another hype that will not die because too many people believe in magic and normal computing has effectively stopped scaling half a decade back or so. Well, actually, it is pretty clear at this time that QC does not scale at all in practice and that its scale-up over time may well be inverse exponential. If so, it will never be of any use. > > * What is the time/sec margin added to a password with Argon2id's best > parameters? There are no "best" parameters. It depends on your application and target system. That said, computationally, it is bascially just the same as PBKDF2, ARGON2 just adds a minimal memory requirements or you get exponentially worse. > * Have Argon's parameters been tweaked in the LUKS implementation, to > account for the 2 public attacks? [0] Forget about these. These are academic attacks with no practical impact. KDFs like Argon2 have massive redundancy security-wise, unlike most ciphers. > * Are more cryptanalytic attacks expected against it in the future or is > it extremely unlikely for progress against to be made? (For example > modern hashes like BLAKE2 or block ciphers like AES are pretty robust > with no notable attacks for some time) This question is nonsense. Are you asking us to read the tea-leaves? Just keep in mind that with a good passphrase, even a single, plain, unsalted SHA-1 is unbroken at this time and even secure against the mythical extreme powers (not) of a QC. There is really no need to fret over key derivation, the weaknesses are in entirely different places. Regards, Arno > * Can you please give an example of cryptsetup re-encrypt command that > upgrades an existing LUKS1 system to one that uses Argon with its max > settings? > > > CC/d our ML so users can benefit from your reply. > > > [0] https://en.wikipedia.org/wiki/Argon2#Cryptanalysis > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > https://www.saout.de/mailman/listinfo/dm-crypt -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx https://www.saout.de/mailman/listinfo/dm-crypt
