docs: clarify Argon2id and BLAKE2b-512 KDF usage

Document BLAKE2b-512 and Argon2id usage in the HTML/CHM user guide and Russian/Chinese translations. Clarify Argon2id's non-system scope, PBKDF2-HMAC system encryption behavior, PIM parameters, and regenerate the CHM files.
2026-06-17 18:16:07 -05:00 · 2026-06-14 11:24:11 +09:00
parent c8a2b89044
commit a751e75588
46 changed files with 1088 additions and 143 deletions
@@ -36,7 +36,7 @@
 <div class="wikidoc">
 <h1>Argon2id</h1>
 <div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-Argon2id is a memory-hard key derivation function designed to resist both time-memory trade-off attacks and side-channel attacks. It was selected as the winner of the Password Hashing Competition (PHC) in 2015 and is defined in RFC 9106. VeraCrypt supports Argon2id as an alternative to PBKDF2-HMAC for header key derivation.
+Argon2id is a memory-hard key derivation function designed to resist both time-memory trade-off attacks and side-channel attacks. It was selected as the winner of the Password Hashing Competition (PHC) in 2015 and is defined in RFC 9106. VeraCrypt supports Argon2id as an alternative to PBKDF2-HMAC for non-system volume header key derivation.
 </div>

 <h3>Key Features</h3>
@@ -48,7 +48,7 @@ Argon2id is a memory-hard key derivation function designed to resist both time-m
 <strong>Side-channel resistant:</strong> Combines data-dependent and data-independent memory access patterns
 </li>
 <li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
-<strong>Internal hash function:</strong> Uses BLAKE2b internally, eliminating the need for separate hash algorithm selection
+<strong>Internal hash function:</strong> Uses <a href="BLAKE2b-512.html" style="color:#0080c0; text-decoration:none">BLAKE2b-512</a> internally, eliminating the need for separate hash algorithm selection
 </li>
 <li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
 <strong>Tunable parameters:</strong> Allows adjustment of memory cost, time cost, and parallelism
@@ -159,7 +159,7 @@ When using Argon2id in VeraCrypt:
 <h3>Technical Specifications</h3>
 <div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
 <strong>Algorithm:</strong> Argon2id as defined in RFC 9106<br/>
-<strong>Internal hash:</strong> BLAKE2b<br/>
+<strong>Internal hash:</strong> <a href="BLAKE2b-512.html" style="color:#0080c0; text-decoration:none">BLAKE2b-512</a><br/>
 <strong>Salt size:</strong> 512 bits (same as PBKDF2-HMAC)<br/>
 <strong>Header KDF output length:</strong> Fixed at 1536 bits (192 bytes) for the current VeraCrypt format. The required prefix is used for the selected encryption algorithm (for example, the first 64 bytes for AES (AES-256-XTS)). Third-party implementations must request 192 bytes from Argon2id before selecting the required prefix; requesting only the selected algorithm's key material length produces a different Argon2id output.<br/>
 <strong>Version:</strong> Argon2 version 0x13 (19 decimal)
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta http-equiv="content-type" content="text/html; charset=utf-8" />
+<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
+<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
+<meta name="keywords" content="encryption, security"/>
+<link href="styles.css" rel="stylesheet" type="text/css" />
+</head>
+<body>
+
+<div>
+<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
+</div>
+
+<div id="menu">
+	<ul>
+	  <li><a href="Home.html">Home</a></li>
+	  <li><a href="Code.html">Source Code</a></li>
+	  <li><a href="Downloads.html">Downloads</a></li>
+	  <li><a class="active" href="Documentation.html">Documentation</a></li>
+	  <li><a href="Donation.html">Donate</a></li>
+	  <li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
+	</ul>
+</div>
+
+<div>
+<p>
+<a href="Documentation.html">Documentation</a>
+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
+<a href="Hash%20Algorithms.html">Hash Algorithms</a>
+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
+<a href="BLAKE2b-512.html">BLAKE2b-512</a>
+</p></div>
+
+<div class="wikidoc">
+<h1>BLAKE2b-512</h1>
+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
+<p>
+BLAKE2b is the 64-bit-word variant of BLAKE2 and the successor of BLAKE-512. BLAKE2b and BLAKE2s are specified in RFC 7693.
+</p>
+<p>
+VeraCrypt uses BLAKE2b with its maximum output size of 64 bytes (512 bits) internally in <a href="Argon2id.html" style="text-align:left; color:#0080c0; text-decoration:none">Argon2id</a>. For non-system volume header key derivation, BLAKE2b-512 is reached by selecting the Argon2 key derivation algorithm in VeraCrypt; this corresponds to Argon2id internally. In hash-oriented contexts such as random pool mixing and keyfile generation, the same underlying hash may be displayed as BLAKE2b-512.
+</p>
+<p>
+BLAKE2b-512 is not offered as a separate PBKDF2-HMAC hash algorithm. To use BLAKE2b-512 in VeraCrypt non-system volume header key derivation, select <a href="Argon2id.html" style="text-align:left; color:#0080c0; text-decoration:none">Argon2id</a>; no separate hash algorithm selection is available for Argon2id.
+</p>
+</div>
+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
+<a href="SHA-256.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold">Next Section &gt;&gt;</a></div>
+</div><div class="ClearBoth"></div></body></html>
@@ -42,9 +42,9 @@ BLAKE2 removes addition of constants to message words from BLAKE round function,
 BLAKE2b and BLAKE2s are specified in RFC 7693.
 </p>
 <p>
-VeraCrypt uses only BLAKE2s with its maximum output size of 32-bytes (256 bits).
+VeraCrypt uses BLAKE2s with its maximum output size of 32 bytes (256 bits) as a PBKDF2-HMAC hash algorithm. For Argon2id, VeraCrypt uses <a href="BLAKE2b-512.html" style="text-align:left; color:#0080c0; text-decoration:none">BLAKE2b-512</a> internally.
 </p>
 </div>
 <div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-<a href="SHA-256.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold">Next Section &gt;&gt;</a></div>
+<a href="BLAKE2b-512.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold">Next Section &gt;&gt;</a></div>
 </div><div class="ClearBoth"></div></body></html>
@@ -49,8 +49,8 @@
 </tr>
 <tr>
 <td><em>/hash</em></td>
-<td>It must be followed by a parameter indicating the PRF hash algorithm to use when mounting the volume. Possible values for /hash parameter are: sha256, sha-256, sha512, sha-512, whirlpool, blake2s and blake2s-256. When /hash is omitted, VeraCrypt will try
- all possible PRF algorithms thus lengthening the mount operation time.</td>
+<td>It must be followed by a parameter indicating the PRF hash algorithm or KDF to use when mounting the volume. Possible values for /hash parameter are: sha256, sha-256, sha512, sha-512, whirlpool, blake2s, blake2s-256, streebog, and blake2b-512 (for Argon2id volumes). When /hash is omitted, VeraCrypt will try
+ all possible PRF/KDF algorithms thus lengthening the mount operation time.</td>
 </tr>
 <tr>
 <td id="volume"><em>/volume</em> or <em>/v</em></td>
@@ -252,7 +252,7 @@ It must be followed by a parameter indicating the PIN to use in order to authent
 <tr>
 <td>&nbsp;<em>/hash</em></td>
 <td>(Only with /create)<br>
-It must be followed by a parameter indicating the PRF hash algorithm to use when creating the volume. It has the same syntax as VeraCrypt.exe.</td>
+It must be followed by a parameter indicating the PRF hash algorithm or KDF to use when creating the volume. It has the same syntax as VeraCrypt.exe, and also accepts argon2 as an alias for Argon2id.</td>
 </tr>
 <tr>
 <td>/encryption</td>
@@ -324,9 +324,9 @@ If it is followed by <strong>n</strong> or <strong>no</strong>: the password dia
 </tbody>
 </table>
 <h4>Syntax</h4>
-<p>VeraCrypt.exe [/tc] [/hash {sha256|sha-256|sha512|sha-512|whirlpool |blake2s|blake2s-256}][/a [devices|favorites]] [/b] [/c [y|n|f]] [/d [drive letter]] [/e] [/f] [/h [y|n]] [/k keyfile or search path] [tryemptypass [y|n]] [/l drive letter] [/m {bk|rm|recovery|ro|sm|ts|noattach}]
+<p>VeraCrypt.exe [/tc] [/hash {sha256|sha-256|sha512|sha-512|whirlpool|blake2s|blake2s-256|streebog|blake2b-512}][/a [devices|favorites]] [/b] [/c [y|n|f]] [/d [drive letter]] [/e] [/f] [/h [y|n]] [/k keyfile or search path] [tryemptypass [y|n]] [/l drive letter] [/m {bk|rm|recovery|ro|sm|ts|noattach}]
 [/p password] [/pim pimvalue] [/q [background|preferences]] [/s] [/tokenlib path] [/v volume] [/w]</p>
-<p>&quot;VeraCrypt Format.exe&quot; [/n] [/create] [/size number[{K|M|G|T}]] [/p password]&nbsp; [/encryption {AES | Serpent | Twofish | Camellia | Kuznyechik | AES(Twofish) | AES(Twofish(Serpent)) | Serpent(AES) | Serpent(Twofish(AES)) | Twofish(Serpent) | Camellia(Kuznyechik) | Kuznyechik(Twofish) | Camellia(Serpent) | Kuznyechik(AES) | Kuznyechik(Serpent(Camellia)))}] [/hash {sha256|sha-256|sha512|sha-512|whirlpool|blake2s|blake2s-256}]
+<p>&quot;VeraCrypt Format.exe&quot; [/n] [/create] [/size number[{K|M|G|T}]] [/p password]&nbsp; [/encryption {AES | Serpent | Twofish | Camellia | Kuznyechik | AES(Twofish) | AES(Twofish(Serpent)) | Serpent(AES) | Serpent(Twofish(AES)) | Twofish(Serpent) | Camellia(Kuznyechik) | Kuznyechik(Twofish) | Camellia(Serpent) | Kuznyechik(AES) | Kuznyechik(Serpent(Camellia)))}] [/hash {sha256|sha-256|sha512|sha-512|whirlpool|blake2s|blake2s-256|streebog|blake2b-512|argon2}]
 [/filesystem {None|FAT|NTFS|ExFAT|ReFS}] [/dynamic] [/force] [/silent] [/noisocheck] [FastCreateFile] [/quick]</p>
 <p>Note that the order in which options are specified does not matter.</p>
 <h4>Examples</h4>
@@ -82,6 +82,7 @@
 </li><li><strong><a href="Hash%20Algorithms.html">Hash Algorithms</a></strong>
 <ul>
 <li><a href="BLAKE2s-256.html">BLAKE2s-256</a>
+</li><li><a href="BLAKE2b-512.html">BLAKE2b-512</a>
 </li><li><a href="SHA-256.html">SHA-256</a> </li><li><a href="SHA-512.html">SHA-512</a> </li><li><a href="Whirlpool.html">Whirlpool</a>
 </li><li><a href="Streebog.html">Streebog</a></li></ul>
 </li><li><strong><a href="Key%20Derivation%20Algorithms.html">Key Derivation Algorithms</a></strong>
@@ -56,9 +56,9 @@ Hidden Operating System</a>). If there is a hidden volume within this volume (or
 <a href="Header%20Key%20Derivation.html">
 <em>Header Key Derivation, Salt, and Iteration Count</em></a>), which can be one of the following:
 HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool, HMAC-Streebog.</li>
-<li><strong>Argon2id:</strong> Memory-hard key derivation function with internal BLAKE2b hash function.</li>
+<li><strong>Argon2id:</strong> Memory-hard key derivation function for non-system volumes, with internal <a href="BLAKE2b-512.html">BLAKE2b-512</a> hash function.</li>
 </ul>
-<p>If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.</p>
+<p>If a header key derivation algorithm (or, for PBKDF2-HMAC, a PRF hash) is explicitly specified by the user, it will be used directly without trying the other possibilities.</p>
 <p>A password entered by the user (to which one or more keyfiles may have been applied &ndash; see the section
 <a href="Keyfiles%20in%20VeraCrypt.html">
 <em>Keyfiles</em></a>), a PIM value (if specified) and the salt read in (1) are passed to the header key derivation function, which produces a sequence of values (see the section
@@ -34,13 +34,14 @@
 <div class="wikidoc">
 <h1>Hash Algorithms</h1>
 <div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-In the Volume Creation Wizard, in the password change dialog window, and in the Keyfile Generator dialog window, you can select a hash algorithm when using PBKDF2-HMAC as the key derivation function. When Argon2id is selected as the key derivation function, no hash algorithm selection is available as Argon2id uses its own internal BLAKE2b hash function.
+In the Volume Creation Wizard and in the password change dialog window, you can select a hash algorithm when using PBKDF2-HMAC as the key derivation function. In the Keyfile Generator dialog window, the selected hash algorithm is used by the VeraCrypt Random Number Generator as its pool mixing function. When Argon2id is selected as the key derivation function, no separate hash algorithm selection is available for header key derivation because Argon2id uses its own internal BLAKE2b-512 hash function.
 </div>
 <div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
 For PBKDF2-HMAC, the user-selected hash algorithm is used by the VeraCrypt Random Number Generator as a pseudorandom &quot;mixing&quot; function, and by the header key derivation function (HMAC based on a hash function, as specified in PKCS #5 v2.0) as a pseudorandom function. When creating a new volume, the Random Number Generator generates the master key, secondary key (XTS mode), and salt. For more
 information, please see the section <a href="Random%20Number%20Generator.html" style="text-align:left; color:#0080c0; text-decoration:none">
 Random Number Generator</a> and section <a href="Header%20Key%20Derivation.html" style="text-align:left; color:#0080c0; text-decoration:none">
 Header Key Derivation, Salt, and Iteration Count</a>.</div>
+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
 VeraCrypt currently supports the following hash algorithms for PBKDF2-HMAC:</div>
 <ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
 <li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
@@ -54,5 +55,11 @@ VeraCrypt currently supports the following hash algorithms for PBKDF2-HMAC:</div
 </li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
 <strong style="text-align:left"><a href="Streebog.html">Streebog</a></strong>
 </li></ul>
+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
+VeraCrypt also associates the following hash with Argon2id:</div>
+<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
+<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
+<a href="BLAKE2b-512.html"><strong style="text-align:left">BLAKE2b-512</strong></a> (associated with Argon2id; not selectable for PBKDF2-HMAC)
+</li></ul>
 <p><a href="BLAKE2s-256.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold">Next Section &gt;&gt;</a></p>
 </div><div class="ClearBoth"></div></body></html>
@@ -44,7 +44,7 @@ Encryption Scheme</a> and <a href="VeraCrypt%20Volume%20Format%20Specification.h
 VeraCrypt Volume Format Specification</a>). In volumes created by VeraCrypt (and for
 <a href="System%20Encryption.html" style="text-align:left; color:#0080c0; text-decoration:none">
 system encryption</a>), the area is encrypted in XTS mode (see the section <a href="Modes%20of%20Operation.html" style="text-align:left; color:#0080c0; text-decoration:none">
-Modes of Operation</a>). VeraCrypt supports two key derivation functions for generating header keys: PBKDF2 (specified in PKCS #5 v2.0) and Argon2id.</div>
+Modes of Operation</a>). For system encryption, VeraCrypt uses PBKDF2-HMAC. For non-system volumes and file containers, VeraCrypt supports two key derivation functions for generating header keys: PBKDF2 (specified in PKCS #5 v2.0) and Argon2id.</div>

 <h3>PBKDF2-HMAC Key Derivation</h3>
 <div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
@@ -55,7 +55,7 @@ The PBKDF2 method uses HMAC-based pseudorandom functions with the following hash

 <h3>Argon2id Key Derivation</h3>
 <div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-Argon2id is a memory-hard key derivation function that provides resistance against both time-memory trade-off attacks and side-channel attacks. Unlike PBKDF2-HMAC, Argon2id does not use a separate hash algorithm selection – it uses its own internal hash function (BLAKE2b). Argon2id requires three parameters: memory cost (amount of memory used), time cost (number of iterations), and parallelism (number of threads). VeraCrypt sets the parallelism parameter to 1 for all cases.</div>
+Argon2id is a memory-hard key derivation function that provides resistance against both time-memory trade-off attacks and side-channel attacks. Unlike PBKDF2-HMAC, Argon2id does not use a separate hash algorithm selection – it uses its own internal hash function (<a href="BLAKE2b-512.html" style="text-align:left; color:#0080c0; text-decoration:none">BLAKE2b-512</a>). Argon2id requires three parameters: memory cost (amount of memory used), time cost (number of iterations), and parallelism (number of threads). VeraCrypt sets the parallelism parameter to 1 for all cases.</div>

 <div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
 512-bit salt is used for both key derivation functions, which means there are 2<sup style="text-align:left; font-size:85%">512</sup> keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks (pre-computing all the keys for a dictionary
@@ -74,7 +74,7 @@ PIM </a>value is not specified or if it is equal to zero, VeraCrypt uses the def
 <ul>
 <li>For system partition encryption (boot encryption) that uses SHA-256, BLAKE2s-256 or Streebog, <strong>200000</strong> iterations are used.</li>
 <li>For system encryption that uses SHA-512 or Whirlpool, <strong>500000</strong> iterations are used.</li>
-<li>For non-system encryption and file containers, all derivation algorithms will use <strong>500000</strong> iterations.
+<li>For non-system encryption and file containers, all PBKDF2-HMAC variants will use <strong>500000</strong> iterations.
 </li></ul>
 </p>
 <p>When a <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
@@ -38,7 +38,7 @@ A key derivation function (KDF) transforms your password (and optional keyfiles)
 <h3>Available Algorithms in VeraCrypt</h3>
 <ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
 <li style="text-align:left; margin-top:0px; margin-bottom:8px; padding:0px">
-<strong><a href="Argon2id.html" style="color:#0080c0; text-decoration:none">Argon2id</a>:</strong> A modern, memory-hard KDF (based on BLAKE2b internally). Recommended for new volumes. No separate hash selection is required.
+<strong><a href="Argon2id.html" style="color:#0080c0; text-decoration:none">Argon2id</a>:</strong> A modern, memory-hard KDF (based on <a href="BLAKE2b-512.html" style="color:#0080c0; text-decoration:none">BLAKE2b-512</a> internally). Recommended for new non-system volumes. No separate hash selection is required.
 </li>
 <li style="text-align:left; margin-top:0px; margin-bottom:0px; padding:0px">
 <strong><a href="pbkdf2.html" style="color:#0080c0; text-decoration:none">PBKDF2-HMAC</a>:</strong> A widely deployed KDF that uses HMAC with a selectable hash function. Supported HMAC hashes in VeraCrypt:
@@ -93,7 +93,7 @@ When creating a volume or when changing the password, the user has the possibili
 <div>&nbsp;</div>
 <div>The PIM is treated like a secret value that must be entered by the user each time alongside the password. If the incorrect PIM value is specified, the mount/boot operation will fail.</div>
 <div>&nbsp;</div>
-<div>Using high PIM values leads to better security thanks to the increased number of iterations but it comes with slower mounting/booting times.</div>
+<div>Using high PIM values leads to better security thanks to increased KDF cost parameters but it comes with slower mounting/booting times.</div>
 <div>With small PIM values, mounting/booting is quicker but this could decrease security if a weak password is used.</div>
 <div>&nbsp;</div>
 <div>During the creation of a volume or the encryption of the system, VeraCrypt forces the PIM value to be greater than or equal to a certain minimal value when the password is less than 20 characters. This check is done in order to ensure that, for short passwords,
@@ -50,11 +50,11 @@
 written to the pool, this function is applied to the entire pool.</p>
 <p>Description of the pool mixing function:</p>
 <ol>
-<li>Let <em>R</em> be the randomness pool. </li><li>Let <em>H</em> be the hash function selected by the user (SHA-512, BLAKE2S-256, or Whirlpool).
+<li>Let <em>R</em> be the randomness pool. </li><li>Let <em>H</em> be the current RNG pool-mixing hash function. In standalone random-pool and keyfile-generation contexts, this is the hash selected by the user. During volume operations, VeraCrypt derives it from the selected header key derivation algorithm: for PBKDF2-HMAC, it is the selected hash (SHA-512, SHA-256, BLAKE2s-256, Whirlpool, or Streebog); for Argon2id, it is <a href="BLAKE2b-512.html">BLAKE2b-512</a>.
 </li><li><em>l</em> = byte size of the output of the hash function <em>H</em> (i.e., if
-<em>H</em> is BLAKE2S-256, then <em>l</em> = 20; if <em>H</em> is SHA-512, <em>l</em> = 64)
+<em>H</em> is BLAKE2s-256 or SHA-256, then <em>l</em> = 32; if <em>H</em> is SHA-512, Whirlpool, Streebog, or BLAKE2b-512, <em>l</em> = 64)
 </li><li><em>z</em> = byte size of the randomness pool <em>R </em>(320 bytes) </li><li><em>q</em> = <em>z</em> / <em>l</em> &ndash; 1 (e.g., if <em>H</em> is Whirlpool, then
-<em>q</em> = 4) </li><li>Ris divided intol-byte blocksB0...Bq.
+<em>q</em> = 4) </li><li><em>R</em> is divided into <em>l</em>-byte blocks <em>B</em>0...<em>B</em>q.
 <p>For 0 &le; i &le; q (i.e., for each block B) the following steps are performed:</p>
 <ol type="a">
 <li><em>M = H</em> (<em>B</em>0 || <em>B</em>1 || ... || <em>B</em>q) [i.e., the randomness pool is hashed using the hash function H, which produces a hash M]
@@ -73,7 +73,7 @@
 is greater than the size of the pool, no value is generated and an error is returned).
 </li><li>The state of each bit in the pool is inverted (i.e., 0 is changed to 1, and 1 is changed to 0).
 </li><li>Data obtained from some of the sources listed above is added to the pool as described above.
-</li><li>The content of the pool is transformed using the pool mixing function. Note: The function uses a cryptographically secure one-way hash function selected by the user (for more information, see the section
+</li><li>The content of the pool is transformed using the pool mixing function. Note: The function uses the cryptographically secure one-way hash function associated with the selected KDF/hash option (for more information, see the section
 <em>Pool Mixing Function</em> above). </li><li>The transformed content of the pool is XORed into the output buffer as follows:
 <ol type="a">
 <li>The output buffer write cursor is set to 0 (the first byte of the buffer). </li><li>The byte at the position of the pool cursor is read from the pool and XORed into the byte in the output buffer at the position of the output buffer write cursor.
@@ -60,7 +60,7 @@ The number of PBKDF2 iterations depends on the selected HMAC hash, the context (

 <h4>Output Length</h4>
 <div style="text-align:left; margin-top:19px; margin-bottom:19px; padding:0px">
-The derived key length depends on the selected encryption algorithm(s) (e.g., 256 bits for AES-256, 768 bits for AES-Twofish-Serpent cascades).
+The amount of derived header key material consumed depends on the selected encryption algorithm(s). For current XTS volumes, VeraCrypt uses both primary and secondary header keys; for example, AES-256-XTS uses 512 bits in total (two 256-bit keys), and an AES-Twofish-Serpent-XTS cascade uses 1536 bits in total (six 256-bit keys).
 </div>

 <h3>Advantages and Considerations</h3>