Skip to content

Add Support for Argon2d and Argon2i Variants #13715

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 14 commits into from
Nov 3, 2025
+529 −103
Merged

Add Support for Argon2d and Argon2i Variants #13715

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
22e8fd7
Adding test vectors for argon2d and argon2i variants
greateggsgreg Oct 20, 2025
ab5adc8
Initial support backend for Argon2d and Argon2i variants
greateggsgreg Oct 20, 2025
23f862b
Updating pytests to cover Argon2d and Argon2i variants
greateggsgreg Oct 20, 2025
ecf0f2a
- Modify type hints to support py3.8
greateggsgreg Oct 20, 2025
673c834
Updating docs for Argon2 family
greateggsgreg Oct 20, 2025
1f6e1e5
Correcting typos
greateggsgreg Oct 20, 2025
07dd7a5
Rename base attribute and remove "allow(unused)" tag
greateggsgreg Oct 22, 2025
2e22a14
Merge remote-tracking branch 'github/main' into feature/additional_ar…
greateggsgreg Oct 23, 2025
fe97b62
Correct "versionadded" docstring for Argon2d and Argon2i
greateggsgreg Nov 3, 2025
e88dd94
Update error message to include helpful hint when using wrong Argon2 …
greateggsgreg Nov 3, 2025
ec07276
Merge remote-tracking branch 'github/main' into feature/additional_ar…
greateggsgreg Nov 3, 2025
c3f4297
Update unit tests to exercise all Argon2 variants for derive_into
greateggsgreg Nov 3, 2025
2bd835b
Removing empty spacing to appease ruff
greateggsgreg Nov 3, 2025
c0b0b61
Add derive_into interface definitions for additional Argon2 variants
greateggsgreg Nov 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 23 additions & 4 deletions docs/hazmat/primitives/key-derivation-functions.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,17 +30,36 @@ Different KDFs are suitable for different tasks such as:
Variable cost algorithms
~~~~~~~~~~~~~~~~~~~~~~~~

Argon2id
--------
Argon2 Family
-------------

.. currentmodule:: cryptography.hazmat.primitives.kdf.argon2

The Argon2 family of key derivation functions are designed for password storage and is described in :rfc:`9106`.
It consists of three variants that differ only how they access an internal memory buffer, which leads to different
trade-offs in resistance to hardware attacks.

Each of the classes constructors and parameters are the same; only details of Argon2id are defined before, for brevity.

.. class:: Argon2d(*, salt, length, iterations, lanes, memory_cost, ad=None, secret=None)

.. versionadded:: 46.0.4

This variant of the Argon2 family maximizes resistance to time-memory-trade-off attacks, but introduces possible side-channels


.. class:: Argon2i(*, salt, length, iterations, lanes, memory_cost, ad=None, secret=None)

.. versionadded:: 46.0.4

This variant of the Argon2 family resists side-channel attacks, but is vulnerable to time-memory-trade-off attacks


.. class:: Argon2id(*, salt, length, iterations, lanes, memory_cost, ad=None, secret=None)

.. versionadded:: 44.0.0

Argon2id is a KDF designed for password storage. It is designed to be
resistant to hardware attacks and is described in :rfc:`9106`.
Argon2id is a blend of the previous two variants. Argon2id should be used by most users, as recommended in :rfc:`9106`.

This class conforms to the
:class:`~cryptography.hazmat.primitives.kdf.KeyDerivationFunction`
Expand Down
40 changes: 40 additions & 0 deletions src/cryptography/hazmat/bindings/_rust/openssl/kdf.pyi
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,46 @@ class Scrypt:
def derive(self, key_material: Buffer) -> bytes: ...
def verify(self, key_material: bytes, expected_key: bytes) -> None: ...

class Argon2d:
def __init__(
self,
*,
salt: bytes,
length: int,
iterations: int,
lanes: int,
memory_cost: int,
ad: bytes | None = None,
secret: bytes | None = None,
) -> None: ...
def derive(self, key_material: bytes) -> bytes: ...
def verify(self, key_material: bytes, expected_key: bytes) -> None: ...
def derive_phc_encoded(self, key_material: bytes) -> str: ...
@classmethod
def verify_phc_encoded(
cls, key_material: bytes, phc_encoded: str, secret: bytes | None = None
) -> None: ...

class Argon2i:
def __init__(
self,
*,
salt: bytes,
length: int,
iterations: int,
lanes: int,
memory_cost: int,
ad: bytes | None = None,
secret: bytes | None = None,
) -> None: ...
def derive(self, key_material: bytes) -> bytes: ...
def verify(self, key_material: bytes, expected_key: bytes) -> None: ...
def derive_phc_encoded(self, key_material: bytes) -> str: ...
@classmethod
def verify_phc_encoded(
cls, key_material: bytes, phc_encoded: str, secret: bytes | None = None
) -> None: ...

class Argon2id:
def __init__(
self,
Expand Down
6 changes: 5 additions & 1 deletion src/cryptography/hazmat/primitives/kdf/argon2.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,11 @@
from cryptography.hazmat.bindings._rust import openssl as rust_openssl
from cryptography.hazmat.primitives.kdf import KeyDerivationFunction

Argon2d = rust_openssl.kdf.Argon2d
Argon2i = rust_openssl.kdf.Argon2i
Argon2id = rust_openssl.kdf.Argon2id
KeyDerivationFunction.register(Argon2d)
KeyDerivationFunction.register(Argon2i)
KeyDerivationFunction.register(Argon2id)

__all__ = ["Argon2id"]
__all__ = ["Argon2d", "Argon2i", "Argon2id"]
Loading