[Whonix-devel] Argon2id Security Margin Calculation

procmem procmem at riseup.net
Sat Sep 22 17:29:00 CEST 2018

Hi Alex, Whonix dev here (Debian based anonymity distro). Our main
target userbase are journalists and whistle-blowers. We are updating our
password documentation page to account for a post-quantum world.

Best practice says to use a diceware passphrase that has equivalent
entropy to the master-key. Since Grovers cuts down passphrase strength
by half then a 256-bit diceware phrase is needed for future-proofing but
that becomes unwieldly as 20 words are necessary. The only realistic
option is to use keystretching to make passphrase length manageable.

I was looking for advice on how to accurately calculate the security
margin of argon2id against nation-state adversaries with a lot of
computing power (of every type). The hashing implementation is the one
included in Debian (as of Buster) LUKS2 with AES-256 XTS.

I've been trying to find an answer to this question by reading through
the literature on argon2 with no success. Many people say it's hard so a
non-cryptographer like me stands no chance understanding this. I asked
JP Aumasson and he recommended I talk to you. Steve Thomas gave me the
estimate quoted below but he also advised me to ask you.

Can you please share an equation and show me how to plug in the numbers
to calculate the entropy added when any of the parameters are changed?

 "2^27 < entropy < 2^35" for Argon2id m=1GiB, i=50, p=4.


*I saw somehwere that increasing CPU cost lessens the effectiveness of
memory cost and vice versa, is this how it works?


CC'ing our ML so our users can benefit from your answer.

More information about the Whonix-devel mailing list