[CFRG] Re: BLAKE3 I-D

Benson Muite <benson_muite@emailplus.org> Mon, 26 August 2024 04:21 UTC

Return-Path: <benson_muite@emailplus.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53A3FC151531 for <cfrg@ietfa.amsl.com>; Sun, 25 Aug 2024 21:21:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.162
X-Spam-Level:
X-Spam-Status: No, score=-2.162 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, NICE_REPLY_A=-0.355, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=emailplus.org header.b="ccHvdsQY"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="Xh0P+kQd"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u7UgJ9NfDCIQ for <cfrg@ietfa.amsl.com>; Sun, 25 Aug 2024 21:21:33 -0700 (PDT)
Received: from fhigh4-smtp.messagingengine.com (fhigh4-smtp.messagingengine.com [103.168.172.155]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46EC4C14CEFE for <cfrg@irtf.org>; Sun, 25 Aug 2024 21:21:33 -0700 (PDT)
Received: from phl-compute-04.internal (phl-compute-04.nyi.internal [10.202.2.44]) by mailfhigh.nyi.internal (Postfix) with ESMTP id 6374E1151A90; Mon, 26 Aug 2024 00:21:32 -0400 (EDT)
Received: from phl-mailfrontend-01 ([10.202.2.162]) by phl-compute-04.internal (MEProxy); Mon, 26 Aug 2024 00:21:32 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=emailplus.org; h=cc:cc:content-transfer-encoding:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:subject:subject:to:to; s=fm1; t=1724646092; x=1724732492; bh=yv62loJhuKlBoBJbKpivca+1SWFQBCfu EygM07Aplfo=; b=ccHvdsQYLVpLsPnhPfT+al0Dt2/gfMB4vs03uZjL38idOLQJ dOUCkl+GP0bb8WNX+p7/owjUXhL4nfd1umxctMWAIdS1Su45oPh1Nk4Fpt6JVZHX HSwPTy7QIJFZp4xScwI6gxH07mAwbb990KcTw4zYsAlzlXWXCPxE/c99nUd/T6JQ xxH7PpMYSeYSD5Deg4Qrv3F+yenBjs34uu4PU4pBNJYzZLIMRHVGy+XslfprYcFb doVybVveJfU7XHdfald5lOBEkhLi+J0RcpTsglKByN93dKFqDPLmulLtZC1ahEIv +dz6u7Fh0rTc16lvXVSUeCH2og2ch/OSaUMNOw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1724646092; x= 1724732492; bh=yv62loJhuKlBoBJbKpivca+1SWFQBCfuEygM07Aplfo=; b=X h0P+kQd17yyY2eo6M+NXFhp+t9GUDrQbKvOikmP+l9UeQ5SveN58RXVSvfECPJjz 87AOrJKM+VnJHEM36kTF6J9Ki+oeN1pl+SuH/TWWEluxPYcFGvcZ6AE3vqXab4aU 7HzfWhote7IRWosP3vuq3DzQGllyqyujCEamPTd/xOx74VbKTg9LYaFq8SNOIedH ztsh/v74Q/KN1mo8llnkA7qUDukWKztR2YKvkVi8ZfI4bwCYeuzzacLjGSFdxSi3 GAM8whORmK5uok+e/D3wH6jAIllT+mhdSJYt0PP4UeZhXgkYgsori+gzK9o3+9Vr w3ljEpg4sMnOo60BMrZ+Q==
X-ME-Sender: <xms:ywLMZrN8Lk7nnBBvDDbpHmB_DkdR9eBw7Aia-prXb9aX0beZ3PvQnQ> <xme:ywLMZl8GzoTZ5wl10HsHmtaq6oOCeeSmxLLm_iMdsKubrsTq9ICucKb4wtTPv7mm3 N7ANo6FQ3l7Nids>
X-ME-Received: <xmr:ywLMZqRoZt7kf_etP05UsfyOSQfhm8mZOujdykfd1fBZbvaeklSzUtxliNnfGKQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddruddvjedgkeefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucenucfjughrpefkffggfg fvfhfhvefujggtgfesthekredttdefjeenucfhrhhomhepuegvnhhsohhnucfouhhithgv uceosggvnhhsohhnpghmuhhithgvsegvmhgrihhlphhluhhsrdhorhhgqeenucggtffrrg htthgvrhhnpeeuffeffeehieduvedvheeggeffheektdekhfeiledttdejgeelffefueel fedtteenucffohhmrghinhepihgvthhfrdhorhhgpdhrfhgtqdgvughithhorhdrohhrgh dpghhithhhuhgsrdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehm rghilhhfrhhomhepsggvnhhsohhnpghmuhhithgvsegvmhgrihhlphhluhhsrdhorhhgpd hnsggprhgtphhtthhopedvpdhmohguvgepshhmthhpohhuthdprhgtphhtthhopegvkhhr sehrthhfmhdrtghomhdprhgtphhtthhopegtfhhrghesihhrthhfrdhorhhg
X-ME-Proxy: <xmx:zALMZvtRsacDoTtzCkmS-x_Sr4OEnsncyJMRblANW8kRPlbAdjvVAg> <xmx:zALMZjcuzy-DtDJ3wRokOcub44oA6UAfSXv59KmkaRZ-XMsZlt8Asg> <xmx:zALMZr2zVkw1Ptyt8Q7JOik-Qq-OUuA7Z_fT6vIiW9bdM3xXGgTMfA> <xmx:zALMZv_mP3Fy11XoyBZFf4COUjVna-tSxRvx7qLtT8uz1B5b8svjiw> <xmx:zALMZkorJ2uzMeNxQB9UyH-0W5xZ75tkkwFXHs8aRlvtd6uaHrEpa9I6>
Feedback-ID: ic1e8415a:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 26 Aug 2024 00:21:30 -0400 (EDT)
Message-ID: <70edf10c-50c3-098b-6e58-f9338234ed65@emailplus.org>
Date: Mon, 26 Aug 2024 07:21:26 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1
To: Eric Rescorla <ekr@rtfm.com>
References: <CAGiyFdfKZ1qsPR62kb8M_EqfGOfuU4nkEY4JjLCwBb_JOZdxOA@mail.gmail.com> <CAMr0u6kpcRvsifS3GRX0LNCD1LODo_pePZo51K7okfQtatEgNA@mail.gmail.com> <CAGiyFdfAFT4HzxNLB4QKdGs8F8QD-y5LmMpnH=C+O8+2XF8eBQ@mail.gmail.com> <CAG2Zi20x1WvGH3FdhOW0HjpDfJhgfnSJUvXsoqywgn4vy_1eGA@mail.gmail.com> <CA+6di1kw4rPcseBUfAc=kTLbQSXGyph9wHZV-fn9CEg5KjOkgA@mail.gmail.com> <CAG2Zi21v9pDu_EOB1aOyFwsJ+ztoZ5tnk7Dimhap7xGMryJttQ@mail.gmail.com> <CAGiyFdeUaYaKfDwe1xyRQmB1svW3OBpCRXKvOnA-hcyi5zec-w@mail.gmail.com> <CAG2Zi2277O_aJhY1v5N6vGFK1_TPFHQ5w89RJgmzfbSBmGhmcw@mail.gmail.com> <CAFzKZmzfRyYJ4O_9t7fWTnUvZ5rRvGmKN1ETs0+1YrY5Men-fQ@mail.gmail.com> <CABcZeBN4jxHB6YOUc5ANTZjc0jxd5aSZ-G_A+qe9-ze0YT3+UA@mail.gmail.com> <ec9e57f6-9daa-2edf-71bd-0b548c403182@emailplus.org> <CABcZeBPKWu35akwrBpK2XBTmjxZ7x8O12zDt4LmgV3wrYgCpyA@mail.gmail.com>
Content-Language: en-US
From: Benson Muite <benson_muite@emailplus.org>
In-Reply-To: <CABcZeBPKWu35akwrBpK2XBTmjxZ7x8O12zDt4LmgV3wrYgCpyA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: CXKBAUQZDKGACHAAQO4JQOUX7JSUYEGB
X-Message-ID-Hash: CXKBAUQZDKGACHAAQO4JQOUX7JSUYEGB
X-MailFrom: benson_muite@emailplus.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: cfrg@irtf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: BLAKE3 I-D
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/IWzn5GSlZ7mz5nygY_yCX8U0u_4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

On 24/08/2024 20.29, Eric Rescorla wrote:
> 
> 
> On Fri, Aug 23, 2024 at 11:56 PM Benson Muite
> <benson_muite@emailplus.org <mailto:benson_muite@emailplus.org>> wrote:
> 
>     On 22/08/2024 05.20, Eric Rescorla wrote:
>     > I don't actually think the question of how much an algorithm is
>     used in
>     > the wild is that relevant to the question of adoption. The more
>     relevant
>     > question is whether there are IETF groups who want to use a given
>     > algorithm, because that is where CFRG should focus its limited
>     resources.
>     >
> 
>     RFC 7693 [1] documents Blake 2.  Blake 3 is an improved version of this,
>     so is worth reviewing. Blake 2 was done through the independent
>     submission stream [2], rather than through a research or working group.
> 
>     1) https://datatracker.ietf.org/doc/html/rfc7693
>     <https://datatracker.ietf.org/doc/html/rfc7693>
>     2) https://www.rfc-editor.org/about/independent/
>     <https://www.rfc-editor.org/about/independent/>
> 
> 
> I don't think this follows at all. There are lots of things in the
> Independent Stream

Just indicating that the independent stream is another option.  Possible
users of BLAKE3 might however be willing to review it through other options.

> I wouldn't want to see CFRG spend effort on, for instance the GOST
> algorithms.

Many of the references to BLAKE2 have come from CFRG. Nevertheless,
neither BLAKE2 nor BLAKE3 are designed as cryptographically secure hash
functions, so it might not be a good fit for CFRG. Nevertheless, BLAKE2
is used in Argon which has an RFC9106 produced by CFRG, so may be of
interest to CFRG.  BLAKE2 is also used in Babel, so BLAKE3 might also be
of interest to the Babel working group.

https://datatracker.ietf.org/doc/rfc9106/
https://datatracker.ietf.org/wg/babel/about/

> 
> -Ekr
> 
> 
> 
>     > -Ekr
>     >
>     >
>     > On Wed, Aug 21, 2024 at 9:51 AM Chris Barber
>     <cbarbernash@gmail.com <mailto:cbarbernash@gmail.com>
>     > <mailto:cbarbernash@gmail.com <mailto:cbarbernash@gmail.com>>> wrote:
>     >
>     >     Dear Chris,
>     >
>     >     You are comparing specific implementations on a particular
>     CPU, not
>     >     the algorithms themselves. The "sha3" library you are using is not
>     >     optimized and may not accurately reflect the performance of
>     >     TurboSHAKE compared to, for example, XKCP. In software, the
>     >     performance of BLAKE3 and TurboSHAKE/KT12 is theoretically very
>     >     close but highly dependent on the implementation in practice.
>     >
>     >     Since this discussion is about adoption, I believe it would be
>     more
>     >     relevant to compare the algorithms themselves. What properties
>     does
>     >     BLAKE3 have that TurboSHAKE doesn't? "it's already used a lot
>     in the
>     >     wild" can be sufficient to justify a specification.
>     >
>     >
>     >     On Thu, Aug 15, 2024 at 11:07 PM Christopher Patton
>     >     <cpatton=40cloudflare.com@dmarc.ietf.org
>     <mailto:40cloudflare.com@dmarc.ietf.org>
>     >     <mailto:40cloudflare.com@dmarc.ietf.org
>     <mailto:40cloudflare.com@dmarc.ietf.org>>> wrote:
>     >
>     >         Hi all,
>     >
>     >         Before adopting BLAKE3, I think it would be useful to see how
>     >         much of a difference it would make in our applications. I
>     would
>     >         suggest looking through RFCs published by CFRG and assess how
>     >         performance would change if they could have used BLAKE3.
>     Off the
>     >         top of my head:
>     >         - RFC 9180 - HPKE (replace HKDF?)
>     >         - draft-irtf-cfrg-opaque - OPAQUE
>     >         - RFC 9380 - hashing to elliptic curves
>     >
>     >         I'll add my own data point: draft-irtf-cfrg-vdaf. This draft
>     >         specifies an incremental distributed point function (IDPF), a
>     >         type of function secret sharing used in some MPC
>     protocols. Most
>     >         of the computation is spent on XOF evaluation. For performance
>     >         reasons, we try to use AES wherever we can in order to get
>     >         hardware support. We end up with a mix of TurboSHAKE128
>     and AES,
>     >         which is not ideal. It would be much nicer if we could
>     afford to
>     >         use a dedicated XOF, but TurboSHAKE128 is not fast enough in
>     >         software. I threw together some benchmarks for B3:
>     >       
>      https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1 <https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1> <https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1 <https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1>>
>     >
>     >         The results were interesting. Compared to Turbo, B3 is 30%
>     >         faster, as expected. Compared to the baseline (mix of
>     Turbo and
>     >         AES), B3 is 2-3x slower for the client operation, as expected;
>     >         but the server was slightly faster, which frankly is a bit
>     of a
>     >         mystery. We'll need to dig into the code more to be
>     certain, as
>     >         there may be some obvious inefficiencies on the client
>     side. But
>     >         preliminarily, I would say B3 is probably too slow in software
>     >         for this application.
>     >
>     >         Chris P.
>     >
>     >