Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01

Benoît Viguier <b.viguier@cs.ru.nl> Thu, 20 February 2020 11:37 UTC

Return-Path: <b.viguier@cs.ru.nl>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9C9412087C for <cfrg@ietfa.amsl.com>; Thu, 20 Feb 2020 03:37:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9w7V2iVkqbZj for <cfrg@ietfa.amsl.com>; Thu, 20 Feb 2020 03:37:07 -0800 (PST)
Received: from smtp3.science.ru.nl (smtp3.science.ru.nl [131.174.30.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2E51120883 for <cfrg@irtf.org>; Thu, 20 Feb 2020 03:37:06 -0800 (PST)
Received: from [145.116.135.12] (ip-145-116-135-12.wlan-int.ru.nl [145.116.135.12]) (authen=benoit) by smtp3.science.ru.nl (8.15.2/5.32) with ESMTPSA id 01KBb4gP001691; Thu, 20 Feb 2020 12:37:04 +0100
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, cfrg@irtf.org
References: <DF952AED-7578-47B8-B42F-F6A18A927C31@isode.com> <f229605c-914a-21cf-5217-6c314b3323a7@cs.tcd.ie> <d3e393fd-16b7-9b74-56ce-97e2f8032709@cs.ru.nl> <ab214d52-3405-4aeb-89b4-006a743fbad3@cs.tcd.ie>
From: =?UTF-8?Q?Beno=c3=aet_Viguier?= <b.viguier@cs.ru.nl>
Message-ID: <993cfbc3-9c36-028b-91f4-166f60f3e0b1@cs.ru.nl>
Date: Thu, 20 Feb 2020 12:37:04 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <ab214d52-3405-4aeb-89b4-006a743fbad3@cs.tcd.ie>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/M2KQwgzoYV9zpDHRsZBHKZ0cG0Q>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2020 11:37:15 -0000

Hi Stephen,

To answer your question:

Yep, I had a quick look and didn't find what I thought
I was remembering;-) It may be that what I was thinking
about was HKDF (RFC 5869), so let me ask it that way:
is there a clear benefit in using k12 instead of using
HKDF to get the output length wanted? If there is, and
it's possible to state that in a short paragraph, that
might be a useful addition. (While HKDF doesn't have
arbitrary output length, it can produce long enough
outputs for many uses I guess.)

-------------------------------------------------------------------------

K12 has the merit of being a simpler construction and can be used in
place of HKDF.

In the scope of IoT or embedded devices, another advantage of K12 when
its input contains a key is that it is easier to protect against DPA
than SHA-1 or SHA-2.

Kind Regards

On 2/18/20 4:18 PM, Stephen Farrell wrote:
> Hiya,
>
> Coupla follow ups below...
>
> On 18/02/2020 14:45, Benoît Viguier wrote:
>> Dear Stephen,
>>
>> Thank you for your comments on our draft!
>>
>> Please find below some answers and comments.
>>
>> On 2/16/20 3:53 PM, Stephen Farrell wrote:
>>> Hiya,
>>>
>>> On 16/02/2020 11:16, Alexey Melnikov wrote:
>>>> Dear CFRG participants,
>>>>
>>>> This message is starting 2 weeks RGLC on
>>>> draft-irtf-cfrg-kangarootwelve-01 ("KangarooTwelve"), that will end
>>>> on March 1st 2020. If you've read the document and think that it is
>>>> ready (or not ready) for publication as an RFC, please send a message
>>>> in reply to this email or directly to CFRG chairs
>>>> (cfrg-chairs@ietf.org). If you have detailed comments, these would
>>>> also be very helpful at this point.
>>> I had my 1st read of this and think it needs a bit of
>>> work, but am overall unclear if it ought be published
>>> now. (I also looked back at the list archive messages
>>> referring to k12.)
>>>
>>> I don't think CFRG ought be publishing very novel
>>> algorithm RFCs and am unclear how much study k12 has
>>> gotten outside the author team. The main reference
>>> given [1] has pointers to lots of work with titles that
>>> mention reduced-round keccak but it's unclear (to me,
>>> not having read 'em;-) how  relevant those are to k12.
>> Actually, all cryptanalysis of Keccak/SHA-3 is relevant to K12.
>> Cryptanalysis resources are scarce, we chose as an explicit design goal
>> to make K12 rely on cryptanalysis of Keccak/SHA-3.
>>
>> To be more precise, K12 is made of two layers:
>>
>> 1) The inner function F. This layer relies on cryptanalysis. K12's F
>> function is exactly Keccak[r=1344, c=256] (as in SHAKE128) reduced to 12
>> rounds (no tweaks!). Hence, any reduced-round cryptanalysis on Keccak is
>> also a reduced round cryptanalysis of K12's F (provided the number of
>> rounds attacked is not higher than 12 of course).
>>
>> 2) The tree hashing over F. This layer is a mode on top of F that does
>> not introduce any vulnerability thanks to the use of Sakura coding
>> proven secure in the paper [Bertoni et al., ACNS 2014].
>>
>> This reasoning is detailed and formalized in the paper [Bertoni et al.,
>> ACNS 2018], which is peer-reviewed.
> Thanks. It sounds like referring to that section
> of that paper would help so. (Your explanation there
> helped me fwiw.)
>
>>> [1] is also used as [KECCAK_CRYPTANALYSIS] in the draft
>>> and is where the authors are pointing us to find
>>> security analysis of k12. I don't think an author-
>>> maintained web page like that is really good enough
>>> as the key reference for an RFC like this.
>> Good point indeed!
>>
>> One option would be that we put all the references in the RFC. We are
>> not sure this is the right place for it, as we see an RFC more as
>> implementation guide rather than an analysis paper. For example:
>> https://tools.ietf.org/html/rfc7748 does not mention anything with
>> respect to the security of X25519 which is detailed in section 3 of
>> https://www.iacr.org/cryptodb/archive/2006/PKC/3351/3351.pdf.
>> Nevertheless, we are open to this option.
>>
>> Another option would be to refer to [K12, Section 5]. In that section
>> attacks with the highest number of rounds are discussed and
>> corresponding paper are referred to. 
> Yep, that sounds good to me.
>
>> However with the possible
>> appearance of new cryptanalysis results, this section would become outdated.
> Just to be clear - including the URL as an additional
> reference as well seems like a good idea. It's only
> depending on that as the main source that seems a bit
> iffy.
>
>>> I totally get why the authors would find that
>>> easier/better, but that won't be true for a reader in
>>> 20 years time, so better to put in the precise
>>> references now. That should also clarify the extent to
>>> which those are about k12 (as defined here) and not
>>> about something else.
>> We agree with this, however Keccak cryptanalysis directly applies to K12.
>>> I think the references really need fixing before this
>>> ought be published. I'm not sure where the right line
>>> ought be drawn in terms of maturity of an algorithm
>>> before CFRG blesses it with an RFC. <4 years does seem
>>> short, even if this is strongly based on keccak. (Hence
>>> me being unsure overall.)
>> For us the maturity amounts to more than 4 years. Being SHA-3, Keccak is
>> a high-profile cryptanalysis target. As we did not tweak the round
>> function, K12 relies on sustained cryptanalysis since 2008.
> Ack. If nobody's gotten near breaking 12 rounds and
> since you didn't tweak it, that does sound convincing
> to me. Thanks.
>
>>> Separately, the draft could benefit from some guidance
>>> as to when this is thought to be useful - presumably
>>> that's when one wants a hash output that's >512 bits.
>>> IIRC, there are other RFCs (forget numbers, sorry),
>>> that describe how to get such outputs using standard
>>> hash functions. If there are such RFCs, it'd be good
>>> to reference those. Either way saying why and when this
>>> is preferable to use of standard hash functions would
>>> be good.
>> The standard hash functions (SHA-1 and SHA-2) are subject to length
>> extension attacks.
> Yep, I had a quick look and didn't find what I thought
> I was remembering;-) It may be that what I was thinking
> about was HKDF (RFC 5869), so let me ask it that way:
> is there a clear benefit in using k12 instead of using
> HKDF to get the output length wanted? If there is, and
> it's possible to state that in a short paragraph, that
> might be a useful addition. (While HKDF doesn't have
> arbitrary output length, it can produce long enough
> outputs for many uses I guess.)
>
> Cheers,
> S.
>
>
>> And in all cases, K12 will be faster than SHA-3. If
>> that makes it clearer, we could add a short guidance as to when the user
>> can benefit the most from K12. We could simply reuse the arguments from
>> these slides: https://benoit.viguier.nl/files/K12atMontreal.pdf
>>> Other than the above, the draft seems clear (though
>>> I didn't try implement) and many thanks for not
>>> defining the usual pile of pointless variants/options:-)
>> Thanks, yes, that was another design goal for K12.
>>
-- 
Benoît Viguier
Software Engineer - PhD Student | Cryptography & Formal Methods
Radboud University | Mercator 1, Toernooiveld 212
6525 EC Nijmegen, the Netherlands | www.viguier.nl