6

Argon2 by design is memory hungry. In the semi-official Go implementation, the following parameters are recommended when using IDKey:

key := argon2.IDKey([]byte("some password"), salt, 1, 64*1024, 4, 32)

where 1 is the time parameter and 64*1024 is the memory parameter. This means the library will create a 64MB buffer when hashing a value. In scenarios where many hashing procedures might run at the same time this creates high pressure on the host memory.

In cases where this is too much memory consumption it is advised to decrease the memory parameter and increase the time factor:

The draft RFC recommends[2] time=1, and memory=64*1024 is a sensible number. If using that amount of memory (64 MB) is not possible in some contexts then the time parameter can be increased to compensate.

So, assuming I would like to limit memory consumption to 16MB (1/4 of the recommended 64MB), it is still unclear to me how I should be adjusting the time parameter: is this supposed to be times 4 so that the product of memory and time stays the same? Or is there some other logic behind the correlation of time and memory at play?

m90
  • 11,434
  • 13
  • 62
  • 112
  • 1
    have you read https://password-hashing.net/argon2-specs.pdf ? `6.4 User-controlled parameters`: `NumberTof passes over the memory. The running time depends linearly on this parameter. We expectthat the user chooses this number according to the time constraints on the application. Again, there isno ”insecure value” forT.` T will define the strength of the hashing. Increasing M improves protection against sca https://en.wikipedia.org/wiki/Side-channel_attack –  Jul 13 '20 at 08:15
  • you are free to put any value there. You will be constrained by the spec of your requirements and the capacity of your system. –  Jul 13 '20 at 08:17
  • 2
    It is best not to overthink this. Your time and memory parameters should already be tuned to represent the most work/memory per password that you can sacrifice. Argon2 is a *mitigation* for poor passwords, not a cure. – President James K. Polk Jul 14 '20 at 14:32

2 Answers2

1

The draft RFC recommends[2] time=1, and memory=64*1024 is a sensible number. If using that amount of memory (64 MB) is not possible in some contexts then the time parameter can be increased to compensate.

I think the key here is the word "to compensate", so in this context it is trying to say: to achieve similar hashing complexity as IDKey([]byte("some password"), salt, 1, 64*1024, 4, 32), you can try IDKey([]byte("some password"), salt, 4, 16*1024, 4, 32).
But if you want to decrease hashing result complexity (and decreasing performance overhead), you can decrease the size of memory uint32 disregarding the time parameter.

is this supposed to be times 4 so that the product of memory and time stays the same?

I dont think so, i believe the memory here means the length of result hash, but time parameter could mean "how many times the hashing result needs to be re-hash-ed until i get the end result".

So these 2 parameters are independent of each other. These are just controlling how much "brute- force cost savings due to time-memory tradeoffs" you want to achieve

Nikko Khresna
  • 1,024
  • 8
  • 10
1

Difficulty is roughly equal to time_cost * memory_cost (and possibly / parallelism). So if you 0.25x the memory cost, you should 4x the time cost. See also this answer.

// The time parameter specifies the number of passes over the memory and the
// memory parameter specifies the size of the memory in KiB.

Check out the Argon2 API itself. I'm going to cross-reference a little bit and use the argon2-cffi documentation. It looks like the go interface uses the C-FFI (foreign function interface) under the hood, so the protoype should be the same.

Parameters
time_cost (int) – Defines the amount of computation realized and therefore the execution time, given in number of iterations.

memory_cost (int) – Defines the memory usage, given in kibibytes.

parallelism (int) – Defines the number of parallel threads (changes the resulting hash value).

hash_len (int) – Length of the hash in bytes.

salt_len (int) – Length of random salt to be generated for each password.

encoding (str) – The Argon2 C library expects bytes. So if hash() or verify() are passed an unicode string, it will be encoded using this encoding.

type (Type) – Argon2 type to use. Only change for interoperability with legacy systems.

Indeed, if we look at the Go docs:

// The draft RFC recommends[2] time=1, and memory=64*1024 is a sensible number.
// If using that amount of memory (64 MB) is not possible in some contexts then
// the time parameter can be increased to compensate.
//
// The time parameter specifies the number of passes over the memory and the
// memory parameter specifies the size of the memory in KiB. For example
// memory=64*1024 sets the memory cost to ~64 MB. The number of threads can be
// adjusted to the numbers of available CPUs. The cost parameters should be
// increased as memory latency and CPU parallelism increases. Remember to get a
// good random salt.

I'm not 100% clear on the impact of thread count, but I believe it does parallelize the hashing, and like any multithreaded job, this reduces the total amount of time taken by approximately 1/N, for N cores. Apparently, you should essentially set the parallelism to cpu count.

DeusXMachina
  • 1,239
  • 1
  • 18
  • 26