/**
 * Derive an AuthenticationKey from a password and a salt using
 * \Sodium\crypto_pwhash (Argon2, "VERSION 2+").
 *
 * @param HiddenString $password Password to stretch into key material
 * @param string $salt Must measure exactly \Sodium\CRYPTO_PWHASH_SALTBYTES
 * @param string $level Security level, resolved through self::getSecurityLevels()
 * @return AuthenticationKey Key of \Sodium\CRYPTO_AUTH_KEYBYTES length
 * @throws CryptoException\InvalidSalt When the salt has any other length
 */
public static function deriveAuthenticationKey(HiddenString $password, string $salt, string $level = self::INTERACTIVE) : AuthenticationKey
{
    // The level lookup stays ahead of the salt check.
    $limits = self::getSecurityLevels($level);

    // VERSION 2+ (argon2)
    $expectedBytes = \Sodium\CRYPTO_PWHASH_SALTBYTES;
    $saltBytes = Util::safeStrlen($salt);
    if ($saltBytes !== $expectedBytes) {
        // Only the two lengths go into the message; neither the salt nor
        // the password is echoed back to whoever reads the exception.
        throw new CryptoException\InvalidSalt(
            'Expected ' . $expectedBytes . ' bytes, got ' . $saltBytes
        );
    }

    // Positions 0 and 1 are handed to crypto_pwhash as its opslimit and memlimit.
    $opsLimit = $limits[0];
    $memLimit = $limits[1];

    // NOTE(review): the derived key also lives in this local until it goes
    // out of scope and nothing here zeroes it; confirm that HiddenString
    // takes its own copy before adding a wipe.
    $rawKey = \Sodium\crypto_pwhash(
        \Sodium\CRYPTO_AUTH_KEYBYTES,
        $password->getString(),
        $salt,
        $opsLimit,
        $memLimit
    );

    return new AuthenticationKey(new HiddenString($rawKey));
}