[CFRG] Re: BLAKE3 I-D

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 26 August 2024 16:18 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D43CC14F6FD for <cfrg@ietfa.amsl.com>; Mon, 26 Aug 2024 09:18:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.654
X-Spam-Level:
X-Spam-Status: No, score=-1.654 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hmFogUIUeQdM for <cfrg@ietfa.amsl.com>; Mon, 26 Aug 2024 09:18:54 -0700 (PDT)
Received: from mail-oa1-f47.google.com (mail-oa1-f47.google.com [209.85.160.47]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2140C151094 for <cfrg@irtf.org>; Mon, 26 Aug 2024 09:18:54 -0700 (PDT)
Received: by mail-oa1-f47.google.com with SMTP id 586e51a60fabf-27010ae9815so3487870fac.2 for <cfrg@irtf.org>; Mon, 26 Aug 2024 09:18:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724689134; x=1725293934; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=WSeV4ZNYN+wP2scbkKcxhf4nAgZdjmbJPao4i7WcfDU=; b=Fe9IXk3uZoJgctlIE+fk8Snm5aFcBbA71Nq+Km3gXmDk/JbhKsNAmpwGArQY3ZJiyg rJVZnWbOCYCvnWrr6vLRrFia4GMZjZRL2z3Qap24TG4qpPaMv//B/r2inK/yNsb+zscC ihwvWoCGcOPqbwZVss0NPSYAgfyYXVosLiG06FFVF6/VO5wft5d5xXHV2zZ0wKJshWmb 2akqn4schfTn9piPo+CLMXbbpdDeoWIOaC901cUhzJIEhZI0/xggDGgoF3hgEwWqMQBO 1+EQ9g2FOhDTUUu1+ogCdY7vcLC9473mBK+UjYOa06kaS2taq36rXvbia4d06ysrJ1d6 EKhg==
X-Forwarded-Encrypted: i=1; AJvYcCWNePXWo1VgyZ228+i68hPLB5HghlqEuTwziXEMWiGjfdcMZsPXBA9czDKynNnoSWAFVp7O@irtf.org
X-Gm-Message-State: AOJu0Yy++vsVblosaaJLPfIr5FFx23Dezvh8hfm6C0hID6QWEXMJ5S7W K262BoK8kTDiBX7egWpLzBKUNbJwSdZm1AcSLH/0zQ8HViL/k69+o/ash0Hdh96H/Sc4fYc9QSF n5N1quTBY+jwm1W4i3NwxLaYti9s=
X-Google-Smtp-Source: AGHT+IGWyvHR0Pgp00me4N7vHMqtakg/1vswV9OZop8I6AsHm0slHBYbqdeQLJpapkgKy+AfFIEPn2+VXVm8weSu3fw=
X-Received: by 2002:a05:6871:582b:b0:270:172c:32ae with SMTP id 586e51a60fabf-273e667e5a8mr11907751fac.32.1724689133761; Mon, 26 Aug 2024 09:18:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAGiyFdfKZ1qsPR62kb8M_EqfGOfuU4nkEY4JjLCwBb_JOZdxOA@mail.gmail.com> <CAMr0u6kpcRvsifS3GRX0LNCD1LODo_pePZo51K7okfQtatEgNA@mail.gmail.com> <CAGiyFdfAFT4HzxNLB4QKdGs8F8QD-y5LmMpnH=C+O8+2XF8eBQ@mail.gmail.com> <CAG2Zi20x1WvGH3FdhOW0HjpDfJhgfnSJUvXsoqywgn4vy_1eGA@mail.gmail.com> <CA+6di1kw4rPcseBUfAc=kTLbQSXGyph9wHZV-fn9CEg5KjOkgA@mail.gmail.com> <CAG2Zi21v9pDu_EOB1aOyFwsJ+ztoZ5tnk7Dimhap7xGMryJttQ@mail.gmail.com> <CAGiyFdeUaYaKfDwe1xyRQmB1svW3OBpCRXKvOnA-hcyi5zec-w@mail.gmail.com> <CAG2Zi2277O_aJhY1v5N6vGFK1_TPFHQ5w89RJgmzfbSBmGhmcw@mail.gmail.com> <CAFzKZmzfRyYJ4O_9t7fWTnUvZ5rRvGmKN1ETs0+1YrY5Men-fQ@mail.gmail.com> <CABcZeBN4jxHB6YOUc5ANTZjc0jxd5aSZ-G_A+qe9-ze0YT3+UA@mail.gmail.com> <ec9e57f6-9daa-2edf-71bd-0b548c403182@emailplus.org> <CABcZeBPKWu35akwrBpK2XBTmjxZ7x8O12zDt4LmgV3wrYgCpyA@mail.gmail.com>
In-Reply-To: <CABcZeBPKWu35akwrBpK2XBTmjxZ7x8O12zDt4LmgV3wrYgCpyA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 26 Aug 2024 12:18:41 -0400
Message-ID: <CAMm+Lwj6jFaZ6sYVmC4eW_m7Ttw_jAZ5td6beWFVburzY_2_2g@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="0000000000002a803c0620987b46"
Message-ID-Hash: 4OPXAST6BVY52Q4GZPQMB344YRV33GEU
X-Message-ID-Hash: 4OPXAST6BVY52Q4GZPQMB344YRV33GEU
X-MailFrom: hallam@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: cfrg@irtf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: BLAKE3 I-D
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KTQFxZ8OaSURNcdE0voSyad92AU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

+1 EKR

Sort of. I think he understates the case.

IETF doesn't select algorithms on its own, it is a part of the wider
industry and the primary means by which IETF chooses algorithms is by
public competition sponsored by a major stakeholder. To date, that
stakeholder has been NIST for historical reasons, UK doesn't put its
country on its stamps because Rowland Hill and NIST holds cryptographic
algorithm competitions. But if NIST stopped doing that, we would find or
build an alternative.

We had a public competition for digest algorithms not so long ago. The
Blake proposals were not selected. The outcome of the competition was that
we came to the conclusion SHA-2 is actually fit for purpose but came up
with SHA-3 as an alternative. We thus have two digest algorithms that we
have a high degree of confidence in. I don't see a need for a Blake 3.
Applications using Blake 2 can simply transition to SHA-2 + SHA-3.

CFRG is chartered for "discussing and reviewing uses of cryptographic
mechanisms, both for network security in general and for the IETF in
particular." I don't see adding a third digest as helping either cause.

The security of any application is determined by the weakest algorithm it
accepts. There is a good argument for having a backup algorithm but having
more than one backup seems more likely to hurt than help. At the very least
it means having to spend time and effort tracking an additional random
variable.

Even if people are nervous about SHA-2, we can always use SHA-2-512. In a
world where we are having to implement PQC algorithms, I can't really see
an argument for using SHA-2-256 any more. Just use 512 bits and be done,
the chance of 512 bits being broken at the same time as 256 is not zero but
it means all bets are off. That is not an eventuality it makes sense to
plan for because if that falls, nothing we know today can be relied on.

CFRG is chartered for "discussing and reviewing uses of cryptographic
mechanisms, both for network security in general and for the IETF in
particular."





On Sat, Aug 24, 2024 at 1:30 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Fri, Aug 23, 2024 at 11:56 PM Benson Muite <benson_muite@emailplus.org>
> wrote:
>
>> On 22/08/2024 05.20, Eric Rescorla wrote:
>> > I don't actually think the question of how much an algorithm is used in
>> > the wild is that relevant to the question of adoption. The more relevant
>> > question is whether there are IETF groups who want to use a given
>> > algorithm, because that is where CFRG should focus its limited
>> resources.
>> >
>>
>> RFC 7693 [1] documents Blake 2.  Blake 3 is an improved version of this,
>> so is worth reviewing. Blake 2 was done through the independent
>> submission stream [2], rather than through a research or working group.
>>
>> 1) https://datatracker.ietf.org/doc/html/rfc7693
>> 2) https://www.rfc-editor.org/about/independent/
>
>
> I don't think this follows at all. There are lots of things in the
> Independent Stream
> I wouldn't want to see CFRG spend effort on, for instance the GOST
> algorithms.
>
> -Ekr
>
>
>>
>> > -Ekr
>> >
>> >
>> > On Wed, Aug 21, 2024 at 9:51 AM Chris Barber <cbarbernash@gmail.com
>> > <mailto:cbarbernash@gmail.com>> wrote:
>> >
>> >     Dear Chris,
>> >
>> >     You are comparing specific implementations on a particular CPU, not
>> >     the algorithms themselves. The "sha3" library you are using is not
>> >     optimized and may not accurately reflect the performance of
>> >     TurboSHAKE compared to, for example, XKCP. In software, the
>> >     performance of BLAKE3 and TurboSHAKE/KT12 is theoretically very
>> >     close but highly dependent on the implementation in practice.
>> >
>> >     Since this discussion is about adoption, I believe it would be more
>> >     relevant to compare the algorithms themselves. What properties does
>> >     BLAKE3 have that TurboSHAKE doesn't? "it's already used a lot in the
>> >     wild" can be sufficient to justify a specification.
>> >
>> >
>> >     On Thu, Aug 15, 2024 at 11:07 PM Christopher Patton
>> >     <cpatton=40cloudflare.com@dmarc.ietf.org
>> >     <mailto:40cloudflare.com@dmarc.ietf.org>> wrote:
>> >
>> >         Hi all,
>> >
>> >         Before adopting BLAKE3, I think it would be useful to see how
>> >         much of a difference it would make in our applications. I would
>> >         suggest looking through RFCs published by CFRG and assess how
>> >         performance would change if they could have used BLAKE3. Off the
>> >         top of my head:
>> >         - RFC 9180 - HPKE (replace HKDF?)
>> >         - draft-irtf-cfrg-opaque - OPAQUE
>> >         - RFC 9380 - hashing to elliptic curves
>> >
>> >         I'll add my own data point: draft-irtf-cfrg-vdaf. This draft
>> >         specifies an incremental distributed point function (IDPF), a
>> >         type of function secret sharing used in some MPC protocols. Most
>> >         of the computation is spent on XOF evaluation. For performance
>> >         reasons, we try to use AES wherever we can in order to get
>> >         hardware support. We end up with a mix of TurboSHAKE128 and AES,
>> >         which is not ideal. It would be much nicer if we could afford to
>> >         use a dedicated XOF, but TurboSHAKE128 is not fast enough in
>> >         software. I threw together some benchmarks for B3:
>> >
>> https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1
>> <
>> https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1
>> >
>> >
>> >         The results were interesting. Compared to Turbo, B3 is 30%
>> >         faster, as expected. Compared to the baseline (mix of Turbo and
>> >         AES), B3 is 2-3x slower for the client operation, as expected;
>> >         but the server was slightly faster, which frankly is a bit of a
>> >         mystery. We'll need to dig into the code more to be certain, as
>> >         there may be some obvious inefficiencies on the client side. But
>> >         preliminarily, I would say B3 is probably too slow in software
>> >         for this application.
>> >
>> >         Chris P.
>> >
>> >
>> >
>> >
>> >         _______________________________________________
>> >         CFRG mailing list -- cfrg@irtf.org <mailto:cfrg@irtf.org>
>> >         To unsubscribe send an email to cfrg-leave@irtf.org
>> >         <mailto:cfrg-leave@irtf.org>
>> >
>> >     _______________________________________________
>> >     CFRG mailing list -- cfrg@irtf.org <mailto:cfrg@irtf.org>
>> >     To unsubscribe send an email to cfrg-leave@irtf.org
>> >     <mailto:cfrg-leave@irtf.org>
>> >
>> >
>> > _______________________________________________
>> > CFRG mailing list -- cfrg@irtf.org
>> > To unsubscribe send an email to cfrg-leave@irtf.org
>>
>> _______________________________________________
>> CFRG mailing list -- cfrg@irtf.org
>> To unsubscribe send an email to cfrg-leave@irtf.org
>>
> _______________________________________________
> CFRG mailing list -- cfrg@irtf.org
> To unsubscribe send an email to cfrg-leave@irtf.org
>