<div dir="ltr">Hi!<div><br></div><div>not sure to get the question, I think that if you want to evaluate the risk against "high-budget" adversaries, you must consider the following parameters:</div><div>- the estimated budget and time of your adversary</div><div>- the value of the asset targeted</div><div>- the strength of the password</div><div>- the Argon2 parameters</div><div><br></div><div>In LUKS2 you can afford strong Argon2 parameters, such as the ones you suggest. If you use a strong passphrase (say of entropy greater than 50) you'll defeat any realistic attacker :)</div><div><br></div><div>It's difficult to realistically estimate the strength/entropy added by the Argon2 parameters, because hardness depends not only on the iterations count but also on the cost of memory accesses, which depend on the hardware. I think that one most qualified person to answer this question is Solar Designer.</div><div><br></div><div>Hope this helps!</div><div><br></div><div>Cheers,</div><div><br></div><div>JP</div><div> </div><br><div class="gmail_quote"><div dir="ltr">On Thu, Sep 20, 2018 at 7:14 AM procmem <<a href="mailto:procmem@riseup.net" target="_blank">procmem@riseup.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi JP,<br>
<br>
I was wondering about how to accurately calculate the security margin of<br>
argon2id against nation-state adversaries with a lot of computing power<br>
(of every type). The hashing implementation is the one included in<br>
Debian (as of Buster) LUKS2 with AES-256 XTS.<br>
<br>
I've been trying to find an answer to this question by reading through<br>
the literature on argon2 with no success. Many people say it's hard so a<br>
non-cryptographer like me stands no chance understanding this. I asked<br>
Steve Thomas and he gave me the estimate quoted below but he advised me<br>
to ask you. Can you please share an equation and show me how to plug in<br>
the numbers to calculate the entropy added?<br>
<br>
Steve:<br>
"2^27 < entropy < 2^35" for Argon2id m=1GiB, i=50, p=4.<br>
<br>
***<br>
<br>
*I saw somehwere that increasing CPU cost lessens the effectiveness of<br>
memory cost and vice versa, is this how it works?<br>
<br>
Thanks in advance.<br>
<br>
<br>
cc/ our ML so our users can benefit from your answer.<br>
</blockquote></div></div>