Discuss peppers on the Argon2i manual

[LoupVaillant]

The Argon2i manual currently says that the "additional data" likely has no practical application.

That's most probably false, actually: we have this thing called "pepper", where there's a database-wide secret that we hope is separate enough from it that they won't automatically be leaked at the same time. This additional data may be handy to add the pepper.

We may want to update the manual accordingly.

[fscoto]

Please allow me to apologize for the slow response. It's rare to get a day that I'm at enough mental capacity to actually think things through and do the necessary digging.

---

We've had and talked about this idea in https://github.com/LoupVaillant/Monocypher/issues/18#issuecomment-323564626 already. We've noted this for the key argument. If you want to specifically name drop it, add "(commonly referred to as pepper)" on line 222 before the period, I suppose. In that sense, ad still remains without a designated purpose.

[LoupVaillant]

Oh yes, I missed it because the manual as it stands does not use the word "pepper". Now that I think of it though, I'm not sure the meaning of the term is established enough that we can use this word. If I recall correctly, there was at least 2 kinds of pepper: an additional input to a password key derivation scheme, or an encryption key that must be used to decrypt the database entry before we use password key derivation.

That, and name dropping "pepper" would sound a bit awkward. The manual is fine as it is, let's not change it. Thanks for the feedback @fscoto.

[samuel-lucas6]

That's my bad for somehow forgetting the key parameter. I would argue you could use the word pepper though since it's well used enough to have a Wikipedia page. That or 'secret salt', as mentioned in the HKDF RFC.

[LoupVaillant]

No problem, it was a more than adequate price to pay for all the proofreading. I’ll note that "pepper" is established enough to be used.

If I find (or if someone proposes) a good way to name drop "pepper" or "secret salt" it in a way that reads well, I’ll update the manual. Until then, I think what we have is good enough.