Score:2

Argon2 allows a huge key length in input, but does it really provide the security of the key provided?


I read the Argon2 specification.

It says in 3.1 (Page #5):

Secret value K (serves as key if necessary, but we do not assume any key use by default) may have any length from $0$ to $2^{32}\text{-}1$ bytes.

Let's suppose I want to convert Argon2 into a block encipherment, I provide an 8192-bit key (1024 bytes) and provide a counter to each block generated and so, XOR the hashed blocks in the ciphertext.

Will this encryption scheme have its security according to the key length? Will I have 8192-bits of encryption strength?

I'm asking this because Argon2 uses Blake2b which has 512-bits of state size and its security is capped to this limit.

Maarten Bodewes
Interesting question. The Blake2b 512-bit state will probably influence the security level, but as Argon2 can be configured to be memory hard, its actual state can be larger than that. SHA-256 consists of 32-bit operations, but its state is certainly higher than that. I'm not sure if Argon2 can do something similar. Of course, any security size higher than 256 bits is already pretty meaningless, so in practice it won't matter much.
Score:5

Will this encryption scheme have its security according to the key length? Will I have 8192-bits of encryption strength?

No, the security is limited by

$$\text{security} = \min\{\text{Argon2 input size},\ \text{hash digest size}\}$$

In your case with BLAKE2-512, it is 512-bit security, not 8192.

The reason is clear. Argon2 returns Hash(C, tagLength) (a variable-length hash function), or see page 6 of the Argon2 paper *

And if BLAKE2 is used, then the first 64 bytes are the output of BLAKE2. If the output requirement is > 64 bytes, then the remaining bytes are derived from the output of the previous BLAKE2 calls.

   V1 ← Blake2b(digestSize ∥ FinalBlock, 64);
   Subsequent blocks are generated from previous blocks
   for i ← 2 to r do
      Vi ← Blake2b(Vi-1, 64) 
   Lower 32 bytes of Vi is returned.

Therefore one cannot have security larger than the hash digest size and this should be enough for even post-quantum adversaries.

And, 256-bit security is enough for everybody. Argon2 is designed for password hashing; although one can use it for CTR mode, still prefer XChaCha20-Poly1305 to get confidentiality, integrity, and authentication. This is much faster than Argon2 for encryption. XChaCha20 is the extension of ChaCha20 with 192-bit nonces that enables random nonces without fear of the nonce-reuse problem of CTR mode.


* The default output is only a single hash. This enables Client-Independent Update, which is a functional requirement of the Password Hashing Competition.

kelalaka
Err, downvoter, what is the reason? What is not correct here?
phantomcraft
Great answer. Thank you @kelalaka
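
Added example (not part of the answer or comments above, and not Argon2's reference code): a Python version of the variable-length hash H' following RFC 9106 section 3.3, showing that a tag longer than 64 bytes is derived entirely from the single 64-byte BLAKE2b output V1. The function names and the random 1024-byte stand-in for the final block are assumptions made for illustration.

```python
import hashlib
import os
import struct


def blake2b(data: bytes, size: int) -> bytes:
    return hashlib.blake2b(data, digest_size=size).digest()


def expand_from_v1(v1: bytes, tag_len: int) -> bytes:
    """Build a tag longer than 64 bytes using nothing but the 64-byte V1."""
    r = -(-tag_len // 32) - 2            # ceil(tag_len / 32) - 2
    out, v = v1[:32], v1                 # W_1 = first 32 bytes of V_1
    for _ in range(2, r + 1):            # V_2 .. V_r, each hashed from the previous
        v = blake2b(v, 64)
        out += v[:32]
    return out + blake2b(v, tag_len - 32 * r)   # V_{r+1}, 33..64 bytes long


def h_prime(final_block: bytes, tag_len: int) -> bytes:
    """Argon2 variable-length hash H' as defined in RFC 9106, section 3.3."""
    prefixed = struct.pack("<I", tag_len) + final_block
    if tag_len <= 64:
        return blake2b(prefixed, tag_len)
    return expand_from_v1(blake2b(prefixed, 64), tag_len)


if __name__ == "__main__":
    block = os.urandom(1024)             # constructed stand-in for the final block C
    tag = h_prime(block, 1024)
    v1 = blake2b(struct.pack("<I", 1024) + block, 64)
    # The whole 1024-byte tag is reproduced from the 64-byte V1 alone.
    print(len(tag), tag == expand_from_v1(v1, 1024))
```

Because every byte after V1 is a deterministic function of V1, requesting a longer tag adds length but no entropy beyond those 512 bits.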