Re: [babel] Babel-MAC: Blake2s is 128-bits by default

Donald Eastlake <> Mon, 16 November 2020 04:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6EEBF3A1060 for <>; Sun, 15 Nov 2020 20:28:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RDN82J5gaVch for <>; Sun, 15 Nov 2020 20:28:38 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D84493A129D for <>; Sun, 15 Nov 2020 20:28:37 -0800 (PST)
Received: by with SMTP id k1so13882318ilc.10 for <>; Sun, 15 Nov 2020 20:28:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=05HQfDCdw1U2kM3A4Vf1EDSl+eqdGQrOvGgmeHJIUD8=; b=SfVj+628vzNEMtuF8KzvBJ8rveHVSJjlRt6bzIHTAX6Jr5xDem/BY77dtzQH8fSHLK Ocka/xwLu32jij43nb4Jgqkp0Pv6r2MYW2HsKzfrfr8COFvSxWcIAu5E62t5uWgHPbGo wbnhe4/GI4JOStGsR3bOdITx7q6g9USXDpQiFmV+MQ1qIEZMRw7YAbCGlGHYcXnJFhZq gsSsE3EGoPAGDCEozTpQ5iMx10xX2iYjQdORYvj1bWcL2E6oaYOH6JE+oEzb/QA9OYP4 aMlQCi0xKVf6N6GueuI2kMTYlDkjdTRKPaH/2uynzy9/Q8DEEduWRQKu0mso3HyXQRaI OE2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=05HQfDCdw1U2kM3A4Vf1EDSl+eqdGQrOvGgmeHJIUD8=; b=p0eVGPwgMxsNHW98WrV2Q2jNvDBj4Tom4w2z762e7UorHJZGJidTcvWR1kQj+G+8iT FfA367PqwRQ10dFKf6+ou56+n6DL/ajBMAvvcQpo4PfycZAGvsKWm1vvCqqbT2QqvXbx CPkULeB+K3BP/dm7LMcOWr2cg/muQ5RnzUIetMyyc5WfTjndL4/MGoB1IJCyxjQOi/q7 lWmSpPb9hDgm6HrcEccL2wCFwFV+iEkJj5slH1wFodx5doIsHrZKkrmkiW8CKP3wOPc3 HWvVkGlJiWMAD/6p6Cxopix4K0E7aAJQEapTtmGONo2ZWtBK/qiV3BLGp0fsDgqKpjLK RGow==
X-Gm-Message-State: AOAM5338blsZ6aFF5cKfz8zlgHO5G1/bwxdTHfrXvyhuMBIRhZ4da+GG vYZ5SG+GF4bBNmeOG6sxjwDm10dtOwYM6ry1P+eA6+OhlNo=
X-Google-Smtp-Source: ABdhPJzADC6Pgoj0d4Ep0t1N6Pi/Dl7dyqmFZ942ospyOlxhC+Ign8WZRHwSPt/Yana0pm/dIFFecBFA3Hl77Bveec0=
X-Received: by 2002:a92:d78b:: with SMTP id d11mr4868107iln.40.1605500917061; Sun, 15 Nov 2020 20:28:37 -0800 (PST)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Donald Eastlake <>
Date: Sun, 15 Nov 2020 23:28:25 -0500
Message-ID: <>
To: Juliusz Chroboczek <>
Cc: Babel at IETF <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [babel] Babel-MAC: Blake2s is 128-bits by default
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 16 Nov 2020 04:28:40 -0000

H Juliusz,

Speaking as a WG participant, I think your argument make sense and I
would supporting going in the direction you suggest.

 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA

On Sun, Nov 15, 2020 at 12:55 PM Juliusz Chroboczek <> wrote:
> After reading your replies, and thinking it over carefully, I disagree
> with the apparent consensus.  I think Blake2s in Babel-MAC should use
> 128-bit keys, as in the initial implementation.  Please hear me out.
> Toke and Dave originally suggested adding Blake2s to Babel-HMAC for two
> reasons:
>   - it is more computationally lightweight on platforms that don't
>     implement SHA-256 in hardware;
>   - it may serve as a fallback if SHA2 is ever broken.
> While I am still not quite convinced by these arguments, I've agreed to
> add the SHOULD Blake2s and to implement Blake2s for the following reasons:
>   - it serves as a good example of adding a new algorithm to Babel-MAC;
>   - with 128-bit signatures, it is useful on low-rate networks, which
>     Babel is commonly used with.
> For these reasons, we implemented Blake2s with 128-bit signatures.
> Unfortunately, some confusion ensued, Toke implemented Blake2s with
> 256-bit signatures, Antonin changed our implementation to interoperate
> with Toke's (without discussing the issue with me beforehand), hence the
> current situation.
> If Blake2s uses 256-bit signatures, then I see little convincing reason to
> keep it around in addition to SHA-256.  For this reason, I recommend the
> following course of action:
>   1. Toke agrees to switch to 128-bit Blake2s signatures;
>   2. we discard Antonin's branch (which is just a private branch), and do
>      128-bit Blake2s signatures instead;
>   3. during AUTH48, I make the clarification that the SHOULD implement
>      applies to 128-bit signatures.
> Two more points.  First, under no circumstances will I go against WG
> consensus on this point -- if the WG strongly believes that the SHOULD
> applies to 256-bit signatures, I will naturally follow the consensus.
> Second, Babel-HMAC is an extensible protocol, so even if the RFC ends up
> recommending n-bit signatures, nothing prevents a given implementation
> from implementing m-bit signatures in addition to the RFC-recommended
> n-bit signatures.
> Sorry again for the confusion.
> -- Juliusz
> _______________________________________________
> babel mailing list