Iteration on current password-based KDF

[cygnusv]

Current password-based KDF in nucypher/py-umbral is excessively slow. This can be due to several factors:

• Election of parameters: Current parameters are typical for file encryption. While this might be OK for Ursulas (which have a high keystore diligence requirement), it's not for Alice. A possibility is to keep similar parameters for Ursula, but reduce them for Alice or other characters.
• Implementation: Some have noted that our current implementation (from cryptography.hazmat.primitives.kdf.scrypt) may be too slow in comparison with others. Investigate other alternative implementations.
• Election of KDF algorithm: @tuxxy has mentioned their interest on Argon2. Investigate what's the performance.

[fjarri]

Note that while this code is currently located in PyUmbral, it is being moved to nucypher proper.

[fjarri]

To give a little more context, that's what I currently have: https://github.com/nucypher/nucypher/pull/2612/files#diff-8e2a0c8bc181f6bf28c5b20fdbf41ecf2852d98c6379585e7102739e68efbfdf

[piotr-roslaniec]

I did some initial benchmarks with other KDF algos:

Name (time in ms)                 Median          
passlib_scrypt_interactive     73.7989 (1.0)
scrypt_interactive             86.0543 (1.17)         
argon2                         162.3339 (2.20)        
pbkdf2_sha512                  180.6715 (2.45)           
bcrypt                         441.1576 (5.98)         
passlib_scrypt_sensitive       5,315.6741 (72.03)             
scrypt_sensitive               7,635.7906 (103.47) 

For Scrypt, "interactive" refers to benchmarks with parameters selected for interactive use (encrypting passwords; Alice) and "sensitive" to benchmarks with parameters selected for working with sensitive payloads (encrypting files; Ursula).
For other algorithms, parameters have been set to values recommended for interactive use or left at defaults where sensible.

Findings:

• We can reduce "work cost" in Scrypt parameters to speed up interactive use.
• Passlib Scrypt is faster than cryptography Scrypt.
• There are a number of other algos we could use: Argon2di looks especially interesting because it is both memory-hard and secure against side-channel attacks.
• For interactive use, IMHO we should select parameters that result in a 250ms-400ms delay of KDF.

[fjarri]

encrypting files; Ursula

Meaning that would replace the current KDF in Umbral?

[piotr-roslaniec]

@fjarri Yes, but this is open for discussion.