Argon2id
Argon2id is a memory-hard key derivation function designed to resist both time-memory trade-off attacks and side-channel attacks. It was selected as the winner of the Password Hashing Competition (PHC) in 2015 and is defined in RFC 9106. VeraCrypt supports Argon2id as an alternative to PBKDF2-HMAC for header key derivation.
Key Features
- Memory-hard: Requires a configurable amount of memory, making it resistant to specialized hardware attacks
- Side-channel resistant: Combines data-dependent and data-independent memory access patterns
- Internal hash function: Uses BLAKE2b internally, eliminating the need for separate hash algorithm selection
- Tunable parameters: Allows adjustment of memory cost, time cost, and parallelism
Argon2 Variants
Argon2 has three variants:
- Argon2d: Uses data-dependent memory access, resistant to time-memory trade-off attacks but vulnerable to side-channel attacks
- Argon2i: Uses data-independent memory access, resistant to side-channel attacks but more vulnerable to time-memory trade-off attacks
- Argon2id: Hybrid approach that combines both variants, providing resistance to both attack types (used by VeraCrypt)
Parameters in VeraCrypt
VeraCrypt uses Argon2id with the following parameter configuration:
Memory Cost (m_cost)
The amount of memory used during the key derivation process, controlled by the PIM value:
- Formula: m_cost(pim) = min(64 MiB + (pim - 1) × 32 MiB, 1024 MiB)
- Range: 64 MiB to 1024 MiB (capped at PIM = 31)
- Default: 96 MiB (equivalent to PIM = 2)
Time Cost (t_cost)
The number of iterations performed during the key derivation process:
- For PIM ≤ 31: t_cost(pim) = 3 + floor((pim - 1) / 3)
- For PIM > 31: t_cost(pim) = 13 + (pim - 31)
- Default: 3 iterations (equivalent to PIM = 2)
Parallelism
The number of parallel threads used during computation:
- Value: Fixed at 1 thread for all cases in VeraCrypt
- Rationale: Ensures consistent behavior across different hardware configurations
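The PIM mapping above, worked through as an added example (this is not VeraCrypt's own code). The function names are hypothetical, an unset PIM is treated as PIM 2 because the page states the defaults that way, and memory is returned in KiB, the unit RFC 9106 uses for the memory cost.

```python
# Added illustration of the PIM formulas on this page; not VeraCrypt source code.
from typing import NamedTuple, Optional

KIB_PER_MIB = 1024   # RFC 9106 expresses the memory cost in KiB
DEFAULT_PIM = 2      # the page gives the defaults as "equivalent to PIM = 2"
CAP_PIM = 31         # memory cost reaches its 1024 MiB cap at PIM = 31


class Argon2idParams(NamedTuple):
    memory_kib: int
    time_cost: int
    parallelism: int


def params_for_pim(pim: Optional[int] = None) -> Argon2idParams:
    """Map a PIM to (memory, passes, lanes); None means the default."""
    if pim is None:
        pim = DEFAULT_PIM
    if isinstance(pim, bool) or not isinstance(pim, int) or pim < 1:
        raise ValueError("PIM must be a positive integer")
    mem_mib = min(64 + (pim - 1) * 32, 1024)
    if pim <= CAP_PIM:
        t_cost = 3 + (pim - 1) // 3
    else:
        t_cost = 13 + (pim - CAP_PIM)   # memory is capped, only passes grow
    return Argon2idParams(mem_mib * KIB_PER_MIB, t_cost, 1)


def block_passes(pim: Optional[int] = None) -> int:
    """Approximate work per derivation: 1 KiB memory blocks x passes."""
    p = params_for_pim(pim)
    return p.memory_kib * p.time_cost


def fits_in_ram(pim: Optional[int], free_mib: int) -> bool:
    """True if the memory cost for this PIM fits in free_mib of RAM."""
    return params_for_pim(pim).memory_kib <= free_mib * KIB_PER_MIB


if __name__ == "__main__":
    base = block_passes()
    for pim in (1, 2, 3, 4, 30, 31, 32, 100):
        p = params_for_pim(pim)
        print(f"PIM {pim:>3}: {p.memory_kib // KIB_PER_MIB:>4} MiB, "
              f"t={p.time_cost:>2}, p={p.parallelism}, "
              f"work x{block_passes(pim) / base:.1f} vs default")
```

Run as a script, it prints the parameters on both sides of the PIM = 31 boundary, where memory stops growing and each further PIM step adds one pass.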
Advantages over PBKDF2
- Memory hardness: Requires significant memory allocation, making GPU and ASIC attacks more expensive
- Modern design: Specifically designed to resist contemporary attack methods
- Side-channel resistance: Built-in protections against cache-timing and other side-channel attacks
- Standardization: Officially standardized in RFC 9106
Usage Considerations
When using Argon2id in VeraCrypt:
- Memory requirements: Ensure sufficient RAM is available, especially with higher PIM values
- Performance: Higher memory costs may result in slower mounting times but provide better security
- Compatibility: Available in VeraCrypt versions that support multiple key derivation functions
- No hash selection: Unlike PBKDF2-HMAC, no separate hash algorithm needs to be chosen
Technical Specifications
Algorithm: Argon2id as defined in RFC 9106
Internal hash: BLAKE2b
Salt size: 512 bits (same as PBKDF2-HMAC)
Output length: Variable, depending on the encryption algorithm (e.g., 256 bits for AES-256, 768 bits for AES-Twofish-Serpent cascade)
Version: Argon2 version 0x13 (19 decimal)