Constants.cs: Reduce the Argon2id memory size to 256 MiB.

And update the specification. See LoupVaillant/Monocypher#274.

With libsodium, 512 MiB and 3 iterations provides a reasonable delay on my desktop and M1 MacBook Air. With Monocypher, the delay is ~1 second on my desktop. However, it's ~10 seconds on an M1 MacBook with Low Power Mode and ~6 seconds without. That's unusably bad. That's even too much delay for disk encryption. Dropping to 256 MiB with 3 iterations will be ~5 seconds with Low Power Mode and ~3 seconds without, which is somewhat acceptable. Multiple iterations is preferable imo.

I went with Monocypher to avoid the vcruntime requirement with libsodium on Windows, which is problematic for portable/self-contained applications. I also wanted to play around with another library. However, this is a good example of where security would be improved by using libsodium due to its superior performance.

README.md

@@ -106,7 +106,7 @@ masterKey = Argon2id(password, salt, memorySize, passes, parallelism)
 - `identity`: the UTF-8 encoding of the `-i, --identity` string (1+ bytes).
 - `password`: the UTF-8 encoding of the `-p, --password` or interactively entered password string, which cannot be empty and is limited to 128 characters, or the bytes stored in the `-f, --password-file` file (1-387 bytes).
 - `salt`: the salt derived above (32 bytes).
-- `memorySize`: 512 MiB.
+- `memorySize`: 256 MiB.
 - `passes`: 3 passes.
 - `parallelism`: 1 lane.
 

src/Cahir/Constants.cs

@@ -16,7 +16,7 @@ public static class Constants
     public const int KeySize = 32;
     public const int SaltSize = 32;
     public const int CRYPTO_ARGON2_ID = 2;
-    public const int Argon2MemorySize = 536870912; // 512 MiB
+    public const int Argon2MemorySize = 268435456; // 256 MiB
     public const int Argon2BlockSize = 1024;
     public const int Argon2Passes = 3;
     public const int Argon2Lanes = 1;