Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01
Benoît Viguier <b.viguier@cs.ru.nl> Thu, 20 February 2020 11:37 UTC
Return-Path: <b.viguier@cs.ru.nl>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9C9412087C for <cfrg@ietfa.amsl.com>; Thu, 20 Feb 2020 03:37:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9w7V2iVkqbZj for <cfrg@ietfa.amsl.com>; Thu, 20 Feb 2020 03:37:07 -0800 (PST)
Received: from smtp3.science.ru.nl (smtp3.science.ru.nl [131.174.30.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2E51120883 for <cfrg@irtf.org>; Thu, 20 Feb 2020 03:37:06 -0800 (PST)
Received: from [145.116.135.12] (ip-145-116-135-12.wlan-int.ru.nl [145.116.135.12]) (authen=benoit) by smtp3.science.ru.nl (8.15.2/5.32) with ESMTPSA id 01KBb4gP001691; Thu, 20 Feb 2020 12:37:04 +0100
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, cfrg@irtf.org
References: <DF952AED-7578-47B8-B42F-F6A18A927C31@isode.com> <f229605c-914a-21cf-5217-6c314b3323a7@cs.tcd.ie> <d3e393fd-16b7-9b74-56ce-97e2f8032709@cs.ru.nl> <ab214d52-3405-4aeb-89b4-006a743fbad3@cs.tcd.ie>
From: Benoît Viguier <b.viguier@cs.ru.nl>
Message-ID: <993cfbc3-9c36-028b-91f4-166f60f3e0b1@cs.ru.nl>
Date: Thu, 20 Feb 2020 12:37:04 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <ab214d52-3405-4aeb-89b4-006a743fbad3@cs.tcd.ie>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/M2KQwgzoYV9zpDHRsZBHKZ0cG0Q>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2020 11:37:15 -0000
Hi Stephen, To answer your question: Yep, I had a quick look and didn't find what I thought I was remembering;-) It may be that what I was thinking about was HKDF (RFC 5869), so let me ask it that way: is there a clear benefit in using k12 instead of using HKDF to get the output length wanted? If there is, and it's possible to state that in a short paragraph, that might be a useful addition. (While HKDF doesn't have arbitrary output length, it can produce long enough outputs for many uses I guess.) ------------------------------------------------------------------------- K12 has the merit of being a simpler construction and can be used in place of HKDF. In the scope of IoT or embedded devices, another advantage of K12 when its input contains a key is that it is easier to protect against DPA than SHA-1 or SHA-2. Kind Regards On 2/18/20 4:18 PM, Stephen Farrell wrote: > Hiya, > > Coupla follow ups below... > > On 18/02/2020 14:45, Benoît Viguier wrote: >> Dear Stephen, >> >> Thank you for your comments on our draft! >> >> Please find below some answers and comments. >> >> On 2/16/20 3:53 PM, Stephen Farrell wrote: >>> Hiya, >>> >>> On 16/02/2020 11:16, Alexey Melnikov wrote: >>>> Dear CFRG participants, >>>> >>>> This message is starting 2 weeks RGLC on >>>> draft-irtf-cfrg-kangarootwelve-01 ("KangarooTwelve"), that will end >>>> on March 1st 2020. If you've read the document and think that it is >>>> ready (or not ready) for publication as an RFC, please send a message >>>> in reply to this email or directly to CFRG chairs >>>> (cfrg-chairs@ietf.org). If you have detailed comments, these would >>>> also be very helpful at this point. >>> I had my 1st read of this and think it needs a bit of >>> work, but am overall unclear if it ought be published >>> now. (I also looked back at the list archive messages >>> referring to k12.) >>> >>> I don't think CFRG ought be publishing very novel >>> algorithm RFCs and am unclear how much study k12 has >>> gotten outside the author team. The main reference >>> given [1] has pointers to lots of work with titles that >>> mention reduced-round keccak but it's unclear (to me, >>> not having read 'em;-) how relevant those are to k12. >> Actually, all cryptanalysis of Keccak/SHA-3 is relevant to K12. >> Cryptanalysis resources are scarce, we chose as an explicit design goal >> to make K12 rely on cryptanalysis of Keccak/SHA-3. >> >> To be more precise, K12 is made of two layers: >> >> 1) The inner function F. This layer relies on cryptanalysis. K12's F >> function is exactly Keccak[r=1344, c=256] (as in SHAKE128) reduced to 12 >> rounds (no tweaks!). Hence, any reduced-round cryptanalysis on Keccak is >> also a reduced round cryptanalysis of K12's F (provided the number of >> rounds attacked is not higher than 12 of course). >> >> 2) The tree hashing over F. This layer is a mode on top of F that does >> not introduce any vulnerability thanks to the use of Sakura coding >> proven secure in the paper [Bertoni et al., ACNS 2014]. >> >> This reasoning is detailed and formalized in the paper [Bertoni et al., >> ACNS 2018], which is peer-reviewed. > Thanks. It sounds like referring to that section > of that paper would help so. (Your explanation there > helped me fwiw.) > >>> [1] is also used as [KECCAK_CRYPTANALYSIS] in the draft >>> and is where the authors are pointing us to find >>> security analysis of k12. I don't think an author- >>> maintained web page like that is really good enough >>> as the key reference for an RFC like this. >> Good point indeed! >> >> One option would be that we put all the references in the RFC. We are >> not sure this is the right place for it, as we see an RFC more as >> implementation guide rather than an analysis paper. For example: >> https://tools.ietf.org/html/rfc7748 does not mention anything with >> respect to the security of X25519 which is detailed in section 3 of >> https://www.iacr.org/cryptodb/archive/2006/PKC/3351/3351.pdf. >> Nevertheless, we are open to this option. >> >> Another option would be to refer to [K12, Section 5]. In that section >> attacks with the highest number of rounds are discussed and >> corresponding paper are referred to. > Yep, that sounds good to me. > >> However with the possible >> appearance of new cryptanalysis results, this section would become outdated. > Just to be clear - including the URL as an additional > reference as well seems like a good idea. It's only > depending on that as the main source that seems a bit > iffy. > >>> I totally get why the authors would find that >>> easier/better, but that won't be true for a reader in >>> 20 years time, so better to put in the precise >>> references now. That should also clarify the extent to >>> which those are about k12 (as defined here) and not >>> about something else. >> We agree with this, however Keccak cryptanalysis directly applies to K12. >>> I think the references really need fixing before this >>> ought be published. I'm not sure where the right line >>> ought be drawn in terms of maturity of an algorithm >>> before CFRG blesses it with an RFC. <4 years does seem >>> short, even if this is strongly based on keccak. (Hence >>> me being unsure overall.) >> For us the maturity amounts to more than 4 years. Being SHA-3, Keccak is >> a high-profile cryptanalysis target. As we did not tweak the round >> function, K12 relies on sustained cryptanalysis since 2008. > Ack. If nobody's gotten near breaking 12 rounds and > since you didn't tweak it, that does sound convincing > to me. Thanks. > >>> Separately, the draft could benefit from some guidance >>> as to when this is thought to be useful - presumably >>> that's when one wants a hash output that's >512 bits. >>> IIRC, there are other RFCs (forget numbers, sorry), >>> that describe how to get such outputs using standard >>> hash functions. If there are such RFCs, it'd be good >>> to reference those. Either way saying why and when this >>> is preferable to use of standard hash functions would >>> be good. >> The standard hash functions (SHA-1 and SHA-2) are subject to length >> extension attacks. > Yep, I had a quick look and didn't find what I thought > I was remembering;-) It may be that what I was thinking > about was HKDF (RFC 5869), so let me ask it that way: > is there a clear benefit in using k12 instead of using > HKDF to get the output length wanted? If there is, and > it's possible to state that in a short paragraph, that > might be a useful addition. (While HKDF doesn't have > arbitrary output length, it can produce long enough > outputs for many uses I guess.) > > Cheers, > S. > > >> And in all cases, K12 will be faster than SHA-3. If >> that makes it clearer, we could add a short guidance as to when the user >> can benefit the most from K12. We could simply reuse the arguments from >> these slides: https://benoit.viguier.nl/files/K12atMontreal.pdf >>> Other than the above, the draft seems clear (though >>> I didn't try implement) and many thanks for not >>> defining the usual pile of pointless variants/options:-) >> Thanks, yes, that was another design goal for K12. >> -- Benoît Viguier Software Engineer - PhD Student | Cryptography & Formal Methods Radboud University | Mercator 1, Toernooiveld 212 6525 EC Nijmegen, the Netherlands | www.viguier.nl
- [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01 Alexey Melnikov
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stephen Farrell
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Benoît Viguier
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stephen Farrell
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Benoît Viguier
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stephen Farrell
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stanislav V. Smyshlyaev
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Dan Brown
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Gilles Van Assche