Feature Request: Plans for Argon2 #332
midirhee12 started this conversation in Spec feedback
Replies: 0 comments
First, I love what you guys have done with age. I think this project was completely necessary to save crypto. Thanks for all your hard work.
Second, let's consider the existing KDF:
It isn't hard to imagine a server wanting tens of millisecond computation with several MB of memory usage. Or an attacker with simple memory restrictions.
Argon2 was selected as the Password Hashing Competition winner in 2015 to replace scrypt. It came in two varieties and a hybrid of the two:
Argon2 requires a specific (configurable) amount of memory to run. So if an attacker tries to make unmet memory requirements, it simply will not run. So either the configured memory per brute force thread or more computation is required. So the attacker has to decide whether to trade memory for time requirements.
Correct me if I'm wrong, but considering age seems to prioritize file encryption, offline security should probably be the higher priority. Defending against side-channel attacks could just be for brownie-points. If argon2 is implemented, I'd recommend either the argon2d or the argon2id variant.
This could either be implemented in the next breaking change as a scrypt replacement, which might be too aggressive. Or it could be implemented alongside scrypt in a non-breaking minor release.
Love from a fellow age user <3
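The "tens of milliseconds with several MB of memory" budget described above can be made concrete for the KDF age uses today. The following is an added example (not age's own code) that uses Python's standard-library `hashlib.scrypt` to derive a key, compute the memory the parameters imply, and calibrate the cost parameter to a time and memory budget on the current machine; the function names, the 1 MiB `maxmem` headroom and the `start` exponent are assumptions of this example. With Argon2id the same calibration would tune `memory_cost` and `time_cost` as separate knobs rather than a single `N`.

```python
import hashlib
import os
import time


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Approximate working memory of scrypt: the V array is 128 * r * N bytes."""
    return 128 * r * n


def derive_key(passphrase: bytes, salt: bytes, log_n: int,
               r: int = 8, p: int = 1, dklen: int = 32) -> bytes:
    """Derive a dklen-byte key with scrypt using N = 2**log_n."""
    n = 1 << log_n
    # maxmem must cover the V array plus scratch buffers; 1 MiB headroom is an assumption.
    maxmem = scrypt_memory_bytes(n, r) + 1024 * 1024
    return hashlib.scrypt(passphrase, salt=salt, n=n, r=r, p=p,
                          maxmem=maxmem, dklen=dklen)


def calibrate_log_n(target_ms: float, max_mem_bytes: int,
                    r: int = 8, p: int = 1, start: int = 10) -> int:
    """Return the largest log_n whose derivation stays under target_ms and
    whose memory stays within max_mem_bytes on this machine.

    Raising N doubles both memory and time, so an attacker who cannot afford
    the memory per guess must recompute blocks and pay in time instead."""
    salt = os.urandom(16)
    best = start
    log_n = start
    while scrypt_memory_bytes(1 << log_n, r) <= max_mem_bytes:
        t0 = time.perf_counter()
        derive_key(b"calibration passphrase", salt, log_n, r, p)
        elapsed_ms = (time.perf_counter() - t0) * 1000
        if elapsed_ms > target_ms:
            break
        best = log_n
        log_n += 1
    return best


if __name__ == "__main__":
    # Constructed budget: about 50 ms per derivation and at most 32 MiB of memory.
    chosen = calibrate_log_n(50, 32 * 1024 * 1024)
    mem_mib = scrypt_memory_bytes(1 << chosen, 8) / (1024 * 1024)
    print(f"log_n={chosen} -> N={1 << chosen}, ~{mem_mib:.0f} MiB per derivation")
    key = derive_key(b"correct horse battery staple", os.urandom(16), chosen)
    print("derived key:", key.hex())
```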