On Sat, Aug 6, 2016 at 11:37 AM, Lauri Kenttä <lauri.ken...@gmail.com> wrote:
> On 2016-08-06 17:47, Charles R. Portwood II wrote:
>> Absolutely. What are your thoughts on the following cost factors?
>>
>> time_cost = 3
>> memory_cost = 12
>> threads = 1
>>
>> The reference library provides a CLI program where these values are
>> listed. A memory_cost factor of 12 would be 4 MiB.
>
> Looks like there's already some ambiguity in the parameters.
> As I understand it, m_cost is the memory size in kilobytes.
> Thus, m_cost = 4096 would be 4 MiB.
> The source file you referenced [1] actually has LOG_M_COST_DEF,
> where m_cost = 1 << LOG_M_COST_DEF.
>
> Testing with argon2_cffi [2] (Python) shows that your parameters
> (with m_cost = 4096 = 4 MiB) take 57 ms per hash on my laptop
> and 14 ms on my VPS, compared to bcrypt cost 10 taking 88 ms.
>
> Personally, I would be satisfied with even smaller parameters,
> maybe something like memory_cost 512, time_cost 2, threads 2.
>
> Disclaimer: I'm not familiar with Argon2, I only looked briefly
> at the source files and the Python library [2]. However, care
> should be taken to use the correct definition for m_cost.
>
> [1] https://github.com/P-H-C/phc-winner-argon2/blob/master/src/run.c#L27
> [2] http://argon2-cffi.readthedocs.io/en/stable/parameters.html
>
> --
> Lauri Kenttä

Hi Laura,

The confusion is on my part, I apologize. Both this implementation and the Argon2 reference library use a bitwise shift on the memory cost factor. When I say "12", I really mean "1<<12", which is 4096, or 4 MiB [1][2]. The RFC itself actually states the bitwise shift in the examples, and for the cost factors represents it in MiB.

We can drop the memory cost down lower if people would prefer that. My only concern with setting the default thread count to 2 is that it may cause problems for individuals on single core machines.

The PHP implementation performs as follows from the CLI with the following cost factors on one of my VPS'. The time cost for each of the Argon2 implementations in this case is 3, with a thread count of 1. [3]

    2 ms : argon2i,   256 KiB
    2 ms : argon2i,   512 KiB
    3 ms : argon2i,  1024 KiB
   17 ms : argon2i,  4096 KiB
   53 ms : argon2i, 16384 KiB
  203 ms : argon2i, 65536 KiB

Setting the memory cost to 4 MiB, or even 1 MiB, is pretty fast in the PHP implementation. I think the following costs would be acceptable to avoid concerns over memory exhaustion. These appear to be the defaults outlined in the reference library's CLI tool.

    memory_cost = 4 MiB, 1<<12
    time_cost = 3
    threads = 1

I think there's a bunch of ways we can tweak this. As there are no "bad" values for any of these cost factors per the spec, it may just be easiest to set the costs even lower and let end users decide if they need to be increased (or increase them in core at a later time).

    memory_cost = 1 MiB, 1<<10
    time_cost = 2
    threads = 1

On Sat, Aug 6, 2016 at 12:08 PM, Tom Worster <f...@thefsb.org> wrote:
> OK. I misunderstood what qualifies as "broken". Looks like most
> people want to set default costs right away so I'll leave it here. As for
> choosing the right default values for PHP, what are the criteria?

Typically a run time of under 50 ms is the target goal. Argon2 can be tweaked to use a specific amount of memory, time, or CPU cores. Trying to find good default cost factors is problematic since all 3 of those factors are variable on any given machine.

Charles R. Portwood II

[1] https://github.com/P-H-C/phc-winner-argon2/blob/master/src/run.c#L160
[2] https://github.com/php/php-src/pull/1997/files#diff-c9026333c79da7abe3b1285ef7c0c312R36
[3] https://gist.github.com/charlesportwoodii/3e113a53d243b5a722babfd421a93dc3
[4] https://gist.github.com/charlesportwoodii/ceaa87c9a9adb069b9f2eaddf56ab871
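The thread's two practical points, that memory_cost is specified in KiB (so the "12" is really 1<<12 = 4096 KiB) and that defaults should be picked against a latency target of roughly 50 ms on the deploying machine, can be turned into a small tuning script. The following is an added example, not code from this thread or from php-src; it assumes the password_hash() Argon2 API as shipped in PHP 7.2 and later (PASSWORD_ARGON2I with 'memory_cost' in KiB, 'time_cost' and 'threads'), and the password and 50 ms budget are constructed inputs.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from php-src. It assumes the
// password_hash() Argon2 API of PHP >= 7.2: PASSWORD_ARGON2I with options
// 'memory_cost' (in KiB), 'time_cost' and 'threads'. The "12" discussed in the
// thread is therefore written as 1 << 12, i.e. 4096 KiB = 4 MiB.

if (!defined('PASSWORD_ARGON2I')) {
    fwrite(STDERR, "This PHP build was compiled without Argon2 support.\n");
    exit(1);
}

/** Median wall-clock time in milliseconds of $runs password_hash() calls. */
function measure_argon2i(array $options, int $runs = 5): float
{
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $start = microtime(true);
        password_hash('correct horse battery staple', PASSWORD_ARGON2I, $options);
        $samples[] = (microtime(true) - $start) * 1000.0;
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

/**
 * Walk memory_cost upward in powers of two (256 KiB .. 64 MiB, the range the
 * thread's timings cover) with fixed time_cost and threads, and return the
 * largest setting whose median hash time stays within $targetMs. Memory is
 * tuned before time_cost because memory is what raises the per-guess cost
 * for an attacker on GPUs or ASICs; time_cost only scales CPU work.
 */
function tune_memory_cost(float $targetMs, int $timeCost = 3, int $threads = 1): array
{
    $floor  = ['memory_cost' => 1 << 8, 'time_cost' => $timeCost, 'threads' => $threads];
    $chosen = null;
    for ($log2 = 8; $log2 <= 16; $log2++) {
        $options = ['memory_cost' => 1 << $log2, 'time_cost' => $timeCost, 'threads' => $threads];
        $ms = measure_argon2i($options);
        printf("%6d KiB  time_cost=%d  threads=%d  %7.1f ms\n",
               $options['memory_cost'], $timeCost, $threads, $ms);
        if ($ms > $targetMs) {
            break;
        }
        $chosen = $options;
    }
    if ($chosen === null) {
        // Even the smallest candidate missed the budget on this host; say so
        // instead of silently going below 256 KiB.
        fwrite(STDERR, "warning: 256 KiB already exceeds {$targetMs} ms; keeping it anyway\n");
        $chosen = $floor;
    }
    return $chosen;
}

$password = 'correct horse battery staple';  // constructed sample input
$options  = tune_memory_cost(50.0);          // the thread's ~50 ms target
$hash     = password_hash($password, PASSWORD_ARGON2I, $options);

// The chosen parameters are encoded in the hash string, so they can be read
// back and checked, and the hash must verify against the original password.
echo $hash, "\n";
var_dump(password_verify($password, $hash));
var_dump(password_get_info($hash)['options']);

// Raising costs later (the "increase them in core at a later time" case): a
// hash made with weaker parameters reports that it needs a rehash, so it can
// be upgraded transparently on the user's next successful login.
$stronger = $options;
$stronger['memory_cost'] = $options['memory_cost'] * 2;
var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, $stronger));
```

Run it on the host class that will actually serve logins, not a developer laptop: as the thread notes, all three factors depend on the machine, and the numbers Lauri and Charles report differ by a factor of four between a laptop and a VPS. Keep threads at 1 unless every target host has spare cores, and store the result as an explicit options array rather than relying on whatever defaults the runtime ships with.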