[CFRG] Re: BLAKE3 I-D

Benson Muite <benson_muite@emailplus.org> Thu, 29 August 2024 06:32 UTC

Return-Path: <benson_muite@emailplus.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E51D6C180B62 for <cfrg@ietfa.amsl.com>; Wed, 28 Aug 2024 23:32:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.459
X-Spam-Level:
X-Spam-Status: No, score=-7.459 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.355, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=emailplus.org header.b="FWAFMH3Z"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="Rq18Nts5"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s9x5y1vOyp88 for <cfrg@ietfa.amsl.com>; Wed, 28 Aug 2024 23:31:57 -0700 (PDT)
Received: from fout7-smtp.messagingengine.com (fout7-smtp.messagingengine.com [103.168.172.150]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7A8DC151520 for <cfrg@irtf.org>; Wed, 28 Aug 2024 23:31:57 -0700 (PDT)
Received: from phl-compute-03.internal (phl-compute-03.nyi.internal [10.202.2.43]) by mailfout.nyi.internal (Postfix) with ESMTP id D2C6213901ED; Thu, 29 Aug 2024 00:15:44 -0400 (EDT)
Received: from phl-mailfrontend-01 ([10.202.2.162]) by phl-compute-03.internal (MEProxy); Thu, 29 Aug 2024 00:15:44 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=emailplus.org; h=cc:cc:content-transfer-encoding:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:subject:subject:to:to; s=fm1; t=1724904944; x=1724991344; bh=Iltav9fpKPp+3u8SHOPU73GgrhMeAUe6 IDaiHuZZtGs=; b=FWAFMH3ZB6LC2IhPFiBlqbhktW1mX20JT4a+MiYTFIJZUZIX Jvo00KbLtISU4ozI8yYCLR7REH5f1HWOKiN6SwGfy0cwDi8FngxsfYp/6nOEunGF Gjwoflwgx05tO6STvzHTAHbJfBktAbviE75WTGUACQd6aGcuBpPkWRxjW9nCXEDM caS2zIZLTbutfqLveEKTxsq2Emm68VbihBJDBDiF6AtBeauXRyRvSdFlD9o+Dz0U bz0v+Lrqmj+O4k6IKHYAy+YlgQ4D+BCDFvajLfdkakY24Brx6h0P5ZO14X9wwbxI QiuJsVDvxu5Q2ghvNpSwHvbojJKyl2cflL0o9w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1724904944; x= 1724991344; bh=Iltav9fpKPp+3u8SHOPU73GgrhMeAUe6IDaiHuZZtGs=; b=R q18Nts5Z9JSWCCWV4Nuz4Ycclu+p87YrCHKemk9/b2fDELB6zkjA+t4RNawF1Aw9 PNYxeNT4MewCHr1V0Tx8XHlGuGtGqVdqxy69tm+37JlLvaYrMEP6h607dpEAV9JU Ov6DO5JV5xD48x85YCieUwUK25ke8fFz5hJ9NL3X4PGvNkypy2yuMP+lX6d9MHmb 3ElHyp4FrawUQdpZIXUbL1grBothhLaMpvIMI+NDTA0kGVpc7yVH2QpfFeMICkT3 h6XAcZU13JWjIyZFZuXxqlQXRZSgBj+axXMQTmIwkbytosW8BxMFzjTxHFNBP+cv odXgz1EXkZkNjlaKSHX9A==
X-ME-Sender: <xms:7_XPZn-MQABbZnhwM7_jtWEHeBOCPZqNttHxcRNqvsEcX9HehVmJSw> <xme:7_XPZjsIwAgnwSTPqKDsUrpelRiPjlUL6uz0PzyQ-QiHcAes184-hHHKnFVKDPFun a-Vj0TVWLZe9MLR>
X-ME-Received: <xmr:7_XPZlDb7PielUN3YVcqgU5i80TTUS8TfvZ4CThs3DpRibSRh-4Jt8xw3DeJtlc>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrudeffedgieegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnh htshculddquddttddmnecujfgurhepkfffgggfvfevfhfhufgjtgfgsehtkeertddtfeej necuhfhrohhmpeeuvghnshhonhcuofhuihhtvgcuoegsvghnshhonhgpmhhuihhtvgesvg hmrghilhhplhhushdrohhrgheqnecuggftrfgrthhtvghrnhepheevfeevheffveffuefh hffgfedvledvkeegffdttdehuddtkeegudejueeigeeunecuffhomhgrihhnpehivghtfh drohhrghdprhhftgdqvgguihhtohhrrdhorhhgpdhgihhthhhusgdrtghomhenucevlhhu shhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegsvghnshhonhgpmh huihhtvgesvghmrghilhhplhhushdrohhrghdpnhgspghrtghpthhtohepfedpmhhouggv pehsmhhtphhouhhtpdhrtghpthhtohepjhgvrghnphhhihhlihhpphgvrdgruhhmrghssh honhesghhmrghilhdrtghomhdprhgtphhtthhopehphhhilhhlsehhrghllhgrmhgsrghk vghrrdgtohhmpdhrtghpthhtoheptghfrhhgsehirhhtfhdrohhrgh
X-ME-Proxy: <xmx:7_XPZjethpy9RN6vC25HaHvk1zb6P1XVZ-DVcz0kBGiGxNV52Fslog> <xmx:7_XPZsPu7kGgFtFODdK9-nwR3Pt2oayJxlcTRNfqR1FQfl0HojaGHw> <xmx:7_XPZll36XPCVwI3eeJ5Gr3XhbT1jhRjoZqlGCBd7t1pGAQ1SHuGrQ> <xmx:7_XPZmtYS8JZWNCAFZ94koDaBISgg7noP8fBttenXY7DM5qMHnBqEg> <xmx:8PXPZlbxEUIMQM1i8ZvTC5na-UlS_nK_RceXKcOUC7liCH8o0zluAy3C>
Feedback-ID: ic1e8415a:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 29 Aug 2024 00:15:41 -0400 (EDT)
Message-ID: <c25a47e7-f239-099e-df90-c02855e8dd1a@emailplus.org>
Date: Thu, 29 Aug 2024 07:15:38 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1
Content-Language: en-US
To: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>, Phillip Hallam-Baker <phill@hallambaker.com>
References: <CAGiyFdfKZ1qsPR62kb8M_EqfGOfuU4nkEY4JjLCwBb_JOZdxOA@mail.gmail.com> <CAMr0u6kpcRvsifS3GRX0LNCD1LODo_pePZo51K7okfQtatEgNA@mail.gmail.com> <CAGiyFdfAFT4HzxNLB4QKdGs8F8QD-y5LmMpnH=C+O8+2XF8eBQ@mail.gmail.com> <CAG2Zi20x1WvGH3FdhOW0HjpDfJhgfnSJUvXsoqywgn4vy_1eGA@mail.gmail.com> <CA+6di1kw4rPcseBUfAc=kTLbQSXGyph9wHZV-fn9CEg5KjOkgA@mail.gmail.com> <CAG2Zi21v9pDu_EOB1aOyFwsJ+ztoZ5tnk7Dimhap7xGMryJttQ@mail.gmail.com> <CAGiyFdeUaYaKfDwe1xyRQmB1svW3OBpCRXKvOnA-hcyi5zec-w@mail.gmail.com> <CAG2Zi2277O_aJhY1v5N6vGFK1_TPFHQ5w89RJgmzfbSBmGhmcw@mail.gmail.com> <CAFzKZmzfRyYJ4O_9t7fWTnUvZ5rRvGmKN1ETs0+1YrY5Men-fQ@mail.gmail.com> <CABcZeBN4jxHB6YOUc5ANTZjc0jxd5aSZ-G_A+qe9-ze0YT3+UA@mail.gmail.com> <ec9e57f6-9daa-2edf-71bd-0b548c403182@emailplus.org> <CABcZeBPKWu35akwrBpK2XBTmjxZ7x8O12zDt4LmgV3wrYgCpyA@mail.gmail.com> <CAMm+Lwj6jFaZ6sYVmC4eW_m7Ttw_jAZ5td6beWFVburzY_2_2g@mail.gmail.com> <CAGiyFdeyDYPT52V12=h2JaCsAMiPTo_bkXir-Ac9u7aT7GFsbQ@mail.gmail.com>
From: Benson Muite <benson_muite@emailplus.org>
In-Reply-To: <CAGiyFdeyDYPT52V12=h2JaCsAMiPTo_bkXir-Ac9u7aT7GFsbQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 3ZGM5VXEU5EKHUH3XSEXRWZHTOEYYOY3
X-Message-ID-Hash: 3ZGM5VXEU5EKHUH3XSEXRWZHTOEYYOY3
X-MailFrom: benson_muite@emailplus.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: cfrg@irtf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: BLAKE3 I-D
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-w3JbfilyzhBNK40dXSWIDhJd4s>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

On 28/08/2024 19.21, Jean-Philippe Aumasson wrote:
> Thank you guys for your input, we appreciate your taking the time to
> clarify IETF/CFRG's mission and how B3 would fit (or not). We'll think
> about it and further evaluate the relevance of B3 to IETF.
>  
> I would just like to respond to 2 statements: 
> 
> Benson wrote  "Nevertheless, neither BLAKE2 nor BLAKE3 are designed as
> cryptographically secure hash functions, so it might not be a good fit
> for CFRG."
> 
> and Phillip wrote "I don't see a need for a Blake 3. Applications using
> Blake 2 can simply transition to SHA-2 + SHA-3."
> 
> I don't know if Benson's statement is exactly what they intended to
> convey, but it's obviously not correct: both B2 and B3 are, obviously,
> designed to be cryptographically secure hash functions. B3 is also a
> PRF, MAC, KDF, and XOF. Regarding the need for B3: the SHA-2 family does
> not offer those extra functionalities. The SHA-3 family does but at much
> slower speed. K12/TurboSHAKE are faster than 24-round SHA-3s but are
> significantly less used than B3, be it in open-source and proprietary
> projects.

Ok. Thanks for the clarification.

> 
> 
> 
> On Mon, Aug 26, 2024 at 6:19 PM Phillip Hallam-Baker
> <phill@hallambaker.com <mailto:phill@hallambaker.com>> wrote:
> 
>     +1 EKR
> 
>     Sort of. I think he understates the case.
> 
>     IETF doesn't select algorithms on its own, it is a part of the wider
>     industry and the primary means by which IETF chooses algorithms is
>     by public competition sponsored by a major stakeholder. To date,
>     that stakeholder has been NIST for historical reasons, UK doesn't
>     put its country on its stamps because Rowland Hill and NIST holds
>     cryptographic algorithm competitions. But if NIST stopped doing
>     that, we would find or build an alternative.

NIST has done well, but some algorithms are not submitted to it.  For
example many algorithms used in the Commonwealth of Independent States
are submitted as IETF informational RFCs after going through a different
review process.

> 
>     We had a public competition for digest algorithms not so long ago.
>     The Blake proposals were not selected. The outcome of the
>     competition was that we came to the conclusion SHA-2 is actually fit
>     for purpose but came up with SHA-3 as an alternative. We thus have
>     two digest algorithms that we have a high degree of confidence in. I
>     don't see a need for a Blake 3. Applications using Blake 2 can
>     simply transition to SHA-2 + SHA-3.

One of the motivations for an IETF document is for inclusion of Blake3
in OpenSSL.

> 
>     CFRG is chartered for "discussing and reviewing uses of
>     cryptographic mechanisms, both for network security in general and
>     for the IETF in particular." I don't see adding a third digest as
>     helping either cause.
> 
>     The security of any application is determined by the weakest
>     algorithm it accepts. There is a good argument for having a backup
>     algorithm but having more than one backup seems more likely to hurt
>     than help. At the very least it means having to spend time and
>     effort tracking an additional random variable.

Concerns about tracking an additional algorithm are reasonable.

> 
>     Even if people are nervous about SHA-2, we can always use SHA-2-512.
>     In a world where we are having to implement PQC algorithms, I can't
>     really see an argument for using SHA-2-256 any more. Just use 512
>     bits and be done, the chance of 512 bits being broken at the same
>     time as 256 is not zero but it means all bets are off. That is not
>     an eventuality it makes sense to plan for because if that falls,
>     nothing we know today can be relied on.
> 
>     CFRG is chartered for "discussing and reviewing uses of
>     cryptographic mechanisms, both for network security in general and
>     for the IETF in particular." 

If CFRG is not appropriate, independent stream could still be useful to
document BLAKE3 as my understanding is that there are situations where
it is more appropriate, but maybe am also incorrect on this.

> 
> 
> 
> 
> 
>     On Sat, Aug 24, 2024 at 1:30 PM Eric Rescorla <ekr@rtfm.com
>     <mailto:ekr@rtfm.com>> wrote:
> 
> 
> 
>         On Fri, Aug 23, 2024 at 11:56 PM Benson Muite
>         <benson_muite@emailplus.org <mailto:benson_muite@emailplus.org>>
>         wrote:
> 
>             On 22/08/2024 05.20, Eric Rescorla wrote:
>             > I don't actually think the question of how much an
>             algorithm is used in
>             > the wild is that relevant to the question of adoption. The
>             more relevant
>             > question is whether there are IETF groups who want to use
>             a given
>             > algorithm, because that is where CFRG should focus its
>             limited resources.
>             >
> 
>             RFC 7693 [1] documents Blake 2.  Blake 3 is an improved
>             version of this,
>             so is worth reviewing. Blake 2 was done through the independent
>             submission stream [2], rather than through a research or
>             working group.
> 
>             1) https://datatracker.ietf.org/doc/html/rfc7693
>             <https://datatracker.ietf.org/doc/html/rfc7693>
>             2) https://www.rfc-editor.org/about/independent/
>             <https://www.rfc-editor.org/about/independent/>
> 
> 
>         I don't think this follows at all. There are lots of things in
>         the Independent Stream
>         I wouldn't want to see CFRG spend effort on, for instance the
>         GOST algorithms.
> 
>         -Ekr
> 
> 
> 
>             > -Ekr
>             >
>             >
>             > On Wed, Aug 21, 2024 at 9:51 AM Chris Barber
>             <cbarbernash@gmail.com <mailto:cbarbernash@gmail.com>
>             > <mailto:cbarbernash@gmail.com
>             <mailto:cbarbernash@gmail.com>>> wrote:
>             >
>             >     Dear Chris,
>             >
>             >     You are comparing specific implementations on a
>             particular CPU, not
>             >     the algorithms themselves. The "sha3" library you are
>             using is not
>             >     optimized and may not accurately reflect the
>             performance of
>             >     TurboSHAKE compared to, for example, XKCP. In
>             software, the
>             >     performance of BLAKE3 and TurboSHAKE/KT12 is
>             theoretically very
>             >     close but highly dependent on the implementation in
>             practice.
>             >
>             >     Since this discussion is about adoption, I believe it
>             would be more
>             >     relevant to compare the algorithms themselves. What
>             properties does
>             >     BLAKE3 have that TurboSHAKE doesn't? "it's already
>             used a lot in the
>             >     wild" can be sufficient to justify a specification.
>             >
>             >
>             >     On Thu, Aug 15, 2024 at 11:07 PM Christopher Patton
>             >     <cpatton=40cloudflare.com@dmarc.ietf.org
>             <mailto:40cloudflare.com@dmarc.ietf.org>
>             >     <mailto:40cloudflare.com@dmarc.ietf.org
>             <mailto:40cloudflare.com@dmarc.ietf.org>>> wrote:
>             >
>             >         Hi all,
>             >
>             >         Before adopting BLAKE3, I think it would be useful
>             to see how
>             >         much of a difference it would make in our
>             applications. I would
>             >         suggest looking through RFCs published by CFRG and
>             assess how
>             >         performance would change if they could have used
>             BLAKE3. Off the
>             >         top of my head:
>             >         - RFC 9180 - HPKE (replace HKDF?)
>             >         - draft-irtf-cfrg-opaque - OPAQUE
>             >         - RFC 9380 - hashing to elliptic curves
>             >
>             >         I'll add my own data point: draft-irtf-cfrg-vdaf.
>             This draft
>             >         specifies an incremental distributed point
>             function (IDPF), a
>             >         type of function secret sharing used in some MPC
>             protocols. Most
>             >         of the computation is spent on XOF evaluation. For
>             performance
>             >         reasons, we try to use AES wherever we can in
>             order to get
>             >         hardware support. We end up with a mix of
>             TurboSHAKE128 and AES,
>             >         which is not ideal. It would be much nicer if we
>             could afford to
>             >         use a dedicated XOF, but TurboSHAKE128 is not fast
>             enough in
>             >         software. I threw together some benchmarks for B3:
>             >       
>              https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1 <https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1> <https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1 <https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1>>
>             >
>             >         The results were interesting. Compared to Turbo,
>             B3 is 30%
>             >         faster, as expected. Compared to the baseline (mix
>             of Turbo and
>             >         AES), B3 is 2-3x slower for the client operation,
>             as expected;
>             >         but the server was slightly faster, which frankly
>             is a bit of a
>             >         mystery. We'll need to dig into the code more to
>             be certain, as
>             >         there may be some obvious inefficiencies on the
>             client side. But
>             >         preliminarily, I would say B3 is probably too slow
>             in software
>             >         for this application.
>             >
>             >         Chris P.
>             >
>             >
>             >
>             >
>             >         _______________________________________________
>             >         CFRG mailing list -- cfrg@irtf.org
>             <mailto:cfrg@irtf.org> <mailto:cfrg@irtf.org
>             <mailto:cfrg@irtf.org>>
>             >         To unsubscribe send an email to
>             cfrg-leave@irtf.org <mailto:cfrg-leave@irtf.org>
>             >         <mailto:cfrg-leave@irtf.org
>             <mailto:cfrg-leave@irtf.org>>
>             >
>             >     _______________________________________________
>             >     CFRG mailing list -- cfrg@irtf.org
>             <mailto:cfrg@irtf.org> <mailto:cfrg@irtf.org
>             <mailto:cfrg@irtf.org>>
>             >     To unsubscribe send an email to cfrg-leave@irtf.org
>             <mailto:cfrg-leave@irtf.org>
>             >     <mailto:cfrg-leave@irtf.org <mailto:cfrg-leave@irtf.org>>
>             >
>             >
>             > _______________________________________________
>             > CFRG mailing list -- cfrg@irtf.org <mailto:cfrg@irtf.org>
>             > To unsubscribe send an email to cfrg-leave@irtf.org
>             <mailto:cfrg-leave@irtf.org>
> 
>             _______________________________________________
>             CFRG mailing list -- cfrg@irtf.org <mailto:cfrg@irtf.org>
>             To unsubscribe send an email to cfrg-leave@irtf.org
>             <mailto:cfrg-leave@irtf.org>
> 
>         _______________________________________________
>         CFRG mailing list -- cfrg@irtf.org <mailto:cfrg@irtf.org>
>         To unsubscribe send an email to cfrg-leave@irtf.org
>         <mailto:cfrg-leave@irtf.org>
> 
>     _______________________________________________
>     CFRG mailing list -- cfrg@irtf.org <mailto:cfrg@irtf.org>
>     To unsubscribe send an email to cfrg-leave@irtf.org
>     <mailto:cfrg-leave@irtf.org>
> 
> 
> _______________________________________________
> CFRG mailing list -- cfrg@irtf.org
> To unsubscribe send an email to cfrg-leave@irtf.org