I'd like to derive two independent 256-bit keys for symmetric encryption from a user password. I'm using Argon2id as the password-based key derivation function. I'm planning to do the following:

  1. Generate a 256-bit random salt.
  2. Generate a 512-bit tag with Argon2id using the user's password and the salt.
  3. Take the first 256 bits of the 512-bit tag for the first key and the second 256 bits for the second key.

Does this produce two independent keys?

Note: this question answers in the positive for scrypt.

Agost Biro

1 Answer

Argon2 supports variable-length output, and all the output behaves as independent random bits. You can split the output up in any way you want. Note that the total security is no greater than 512 bits, but this is not a problem and a larger output does not cause the randomness to "stretch" and turn weak.

Using Argon2 to generate a variable-length output is equivalent to generating a single output and feeding it into HKDF to generate multiple keys, or feeding it into a XOF to expand it into more bytes.

See https://en.wikipedia.org/wiki/Argon2#Variable-length_hash_function

forest

  • So is the correct interpretation of "the total security is no greater than 512 bits, but this is not a problem and a larger output does not cause the randomness to 'stretch' and turn weak." that the security of a chunk of the output is minimum(bits_in_chunk, 512) bits? – mtraceur Jun 06 '22 at 18:33
  • @mtraceur Correct, assuming the input has enough randomness itself. – forest Jun 06 '22 at 20:33
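As an added example (not code from the question or the answer): the three steps from the question implemented in Python, next to the HKDF-Expand route that the answer calls equivalent. It assumes the third-party argon2-cffi package for Argon2id; the Argon2 parameters (t=3, m=64 MiB, p=4), the scrypt parameters, and the labels "enc-key" and "mac-key" are illustrative choices, and when argon2-cffi is not installed the code falls back to hashlib.scrypt from the standard library, the KDF the question's note refers to.

```python
"""Derive two independent 256-bit keys from one password.

Added example for this thread, not code from the original post.
Two routes from the discussion above are implemented:

  1. ask the PBKDF for a 512-bit tag and split it in half (the asker's plan);
  2. ask for a 256-bit tag and expand it with HKDF-Expand (RFC 5869)
     under two distinct labels.

Argon2id is used when the third-party ``argon2-cffi`` package is installed
(assumption); otherwise ``hashlib.scrypt`` from the standard library is used.
"""
import hashlib
import hmac
import os
from typing import Callable, Tuple

# A KDF here is any callable (password, salt, out_len) -> out_len bytes.
KDF = Callable[[bytes, bytes, int], bytes]


def scrypt_kdf(password: bytes, salt: bytes, out_len: int) -> bytes:
    # Demonstration parameters: n=2**14, r=8 needs 16 MiB and keeps tests fast.
    return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=out_len)


def argon2id_kdf(password: bytes, salt: bytes, out_len: int) -> bytes:
    # Requires argon2-cffi (assumption). memory_cost is in KiB.
    from argon2.low_level import Type, hash_secret_raw
    return hash_secret_raw(secret=password, salt=salt, time_cost=3,
                           memory_cost=64 * 1024, parallelism=4,
                           hash_len=out_len, type=Type.ID)


def default_kdf() -> KDF:
    """Prefer Argon2id, fall back to scrypt when argon2-cffi is missing."""
    try:
        import argon2.low_level  # noqa: F401
        return argon2id_kdf
    except ImportError:
        return scrypt_kdf


def new_salt() -> bytes:
    """Step 1 of the question: 256 fresh random bits, stored with the ciphertext."""
    return os.urandom(32)


def derive_two_keys_split(password: bytes, salt: bytes, kdf: KDF) -> Tuple[bytes, bytes]:
    """Route 1 (steps 2 and 3): one 512-bit tag, first half -> key1, second half -> key2."""
    if len(salt) < 16:
        raise ValueError("salt too short; use at least 128 random bits (256 here)")
    tag = kdf(password, salt, 64)
    if len(tag) != 64:
        raise RuntimeError("KDF did not return a 512-bit tag")
    return tag[:32], tag[32:]


def hkdf_expand_sha256(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3) with HMAC-SHA256.

    No HKDF-Extract step: the PBKDF output is already uniformly random and so
    serves directly as the pseudorandom key (PRK), as the answer describes.
    """
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_two_keys_hkdf(password: bytes, salt: bytes, kdf: KDF) -> Tuple[bytes, bytes]:
    """Route 2: one 256-bit tag expanded under two distinct labels."""
    if len(salt) < 16:
        raise ValueError("salt too short; use at least 128 random bits (256 here)")
    prk = kdf(password, salt, 32)
    return (hkdf_expand_sha256(prk, b"enc-key", 32),
            hkdf_expand_sha256(prk, b"mac-key", 32))


if __name__ == "__main__":
    salt = new_salt()
    kdf = default_kdf()
    k1, k2 = derive_two_keys_split(b"correct horse battery staple", salt, kdf)
    print(kdf.__name__, k1.hex(), k2.hex())
```

Both routes yield two 256-bit keys that are independent as long as the password itself carries enough entropy. Pick one route and record it together with the salt and KDF parameters next to the ciphertext, because the two are not interchangeable: Argon2 mixes the requested tag length into its output, so the first 32 bytes of a 64-byte Argon2id tag are not the 32-byte tag for the same inputs.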