[CFRG] Re: BLAKE3 I-D

Christopher Patton <cpatton@cloudflare.com> Wed, 14 August 2024 20:35 UTC

To: Jack O'Connor <oconnor663@gmail.com>
CC: cfrg@ietf.org, cfrg-chairs@ietf.org, Zooko O'Whielacronx <zookog@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/EqNloZcG-rjd--L-H8QGlcYXkfw>

> The main difference between B3 and K12 in this case is that, while both
> make extensive use of SIMD parallelism, only b3sum is multithreaded.
> k12sum could use multithreading in theory, but in practice I'm not aware
> of any multithreaded implementations of K12. The difference in tree
> structures is important: B3 is a binary tree with the usual recursive
> structure, which lets us use "divide-and-conquer" / "fork-join" parallelism
> of the sort provided by OpenMP in C/C++ or Rayon in Rust. K12 has a
> shallow/one-parent structure, which would need some sort of job queue with
> more synchronization and tuning, and the root node itself can be a
> bottleneck. (TurboSHAKE has a serial structure and can't take much
> advantage of SIMD or threads, which is a major performance disadvantage on
> modern machines.)
>

For my own edification, what applications benefit from the tree structure?
Does this create overhead if you are only hashing with a single thread?


> The B3 XOF is counter-based, similar to ChaCha or AES-CTR, which makes it
> parallelizable and suitable as a stream cipher or a high-performance
> CSPRNG. K12 and TurboSHAKE use a sponge-style XOF that isn't parallelizable.
>

This seems valuable, but I wonder if it limits how one might use BLAKE3.
Would you recommend BLAKE3 for instantiating random oracles?

Chris P.
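The two properties discussed in the quoted reply, the binary hash tree and the counter-based XOF, in a compact pure-Python implementation added here as an illustration. It follows the public BLAKE3 specification (unkeyed mode only) but is written for this page, is not the BLAKE3 project's own code, and is far too slow for real use. The function names `root_node`, `root_block` and `blake3_xof` and the 3073-byte test input are this example's own choices. The only external value it relies on is the published BLAKE3 hash of the empty string.

```python
# Compact pure-Python BLAKE3 (unkeyed mode), written for this example after the
# public BLAKE3 spec; NOT the BLAKE3 project's implementation and far too slow for
# real use. It shows two things from the discussion above:
#   1. the tree: 1 KiB chunk leaves, parent nodes, and a left-complete split, which is
#      what makes fork-join parallelism and subtree-level incremental hashing possible;
#   2. the counter-based XOF: output block i is ONE compression of the root node with
#      counter = i, so blocks can be produced in any order and seeking is O(1).
import struct

IV = (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
      0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19)
MSG_PERM = (2, 6, 3, 10, 7, 0, 4, 13, 1, 11, 12, 5, 9, 14, 15, 8)
CHUNK_START, CHUNK_END, PARENT, ROOT = 1, 2, 4, 8
BLOCK_LEN, CHUNK_LEN, MASK = 64, 1024, 0xFFFFFFFF


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _g(s, a, b, c, d, mx, my):
    s[a] = (s[a] + s[b] + mx) & MASK
    s[d] = _rotr(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotr(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b] + my) & MASK
    s[d] = _rotr(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotr(s[b] ^ s[c], 7)


def compress(cv, block, counter, block_len, flags):
    """BLAKE3 compression function: 7 rounds over a 16-word state, 16 output words."""
    m = list(struct.unpack("<16I", block))
    s = list(cv) + list(IV[:4]) + [counter & MASK, (counter >> 32) & MASK, block_len, flags]
    for r in range(7):
        _g(s, 0, 4, 8, 12, m[0], m[1]); _g(s, 1, 5, 9, 13, m[2], m[3])      # columns
        _g(s, 2, 6, 10, 14, m[4], m[5]); _g(s, 3, 7, 11, 15, m[6], m[7])
        _g(s, 0, 5, 10, 15, m[8], m[9]); _g(s, 1, 6, 11, 12, m[10], m[11])  # diagonals
        _g(s, 2, 7, 8, 13, m[12], m[13]); _g(s, 3, 4, 9, 14, m[14], m[15])
        if r < 6:
            m = [m[i] for i in MSG_PERM]
    return [s[i] ^ s[i + 8] for i in range(8)] + [s[i + 8] ^ cv[i] for i in range(8)]


# An "output node" holds everything for one final compression, with the counter and
# ROOT flag left open: (cv, block, counter, block_len, flags).
def _chunk_node(chunk, index):
    blocks = [chunk[i:i + BLOCK_LEN] for i in range(0, len(chunk), BLOCK_LEN)] or [b""]
    cv = list(IV)
    for i, blk in enumerate(blocks[:-1]):  # every block except the last is chained
        cv = compress(cv, blk, index, BLOCK_LEN, CHUNK_START if i == 0 else 0)[:8]
    last = blocks[-1]
    flags = (CHUNK_START if len(blocks) == 1 else 0) | CHUNK_END
    return (cv, last.ljust(BLOCK_LEN, b"\0"), index, len(last), flags)


def _cv(node):
    """Chaining value of a non-root node: the first 8 words of its compression."""
    cv, block, counter, block_len, flags = node
    return compress(cv, block, counter, block_len, flags)[:8]


def root_node(data):
    """Build the tree. The left subtree always holds the largest power-of-two number
    of chunks below the total, so the two halves can be hashed independently."""
    chunks = [data[i:i + CHUNK_LEN] for i in range(0, len(data), CHUNK_LEN)] or [b""]

    def build(lo, hi):
        if hi - lo == 1:
            return _chunk_node(chunks[lo], lo)
        mid = lo + (1 << ((hi - lo - 1).bit_length() - 1))
        left, right = _cv(build(lo, mid)), _cv(build(mid, hi))  # fork-join point
        return (list(IV), struct.pack("<16I", *left, *right), 0, BLOCK_LEN, PARENT)

    return build(0, len(chunks))


def root_block(node, i):
    """XOF output block i = one compression of the root with counter i and ROOT set.
    No dependency on blocks 0..i-1, which is what makes the XOF parallel/seekable."""
    cv, block, _counter, block_len, flags = node
    return struct.pack("<16I", *compress(cv, block, i, block_len, flags | ROOT))


def blake3_xof(data, offset=0, length=32):
    """Bytes [offset, offset+length) of the BLAKE3 output stream, computed by
    touching only the output blocks that overlap the requested range."""
    node = root_node(data)
    first, last = offset // BLOCK_LEN, (offset + length - 1) // BLOCK_LEN
    stream = b"".join(root_block(node, i) for i in range(first, last + 1))
    start = offset - first * BLOCK_LEN
    return stream[start:start + length]


def blake3_hash(data):
    return blake3_xof(data, 0, 32)


if __name__ == "__main__":
    print(blake3_hash(b"").hex())
    print(blake3_xof(b"hello", 1000, 8).hex())  # seek to byte 1000: one compression
```

Reading the code against the quoted explanation: `root_node` is where a fork-join implementation would hand `build(lo, mid)` and `build(mid, hi)` to different threads, and `root_block` is the ChaCha-like part, since every output block is a fresh compression of the same root state with only the counter changed.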