[CFRG] Re: BLAKE3 I-D
Eric Rescorla <ekr@rtfm.com> Thu, 22 August 2024 02:20 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD0A5C180B53 for <cfrg@ietfa.amsl.com>; Wed, 21 Aug 2024 19:20:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kCaHSUcKe8z2 for <cfrg@ietfa.amsl.com>; Wed, 21 Aug 2024 19:20:42 -0700 (PDT)
Received: from mail-yb1-xb2d.google.com (mail-yb1-xb2d.google.com [IPv6:2607:f8b0:4864:20::b2d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D9C8C137362 for <cfrg@ietf.org>; Wed, 21 Aug 2024 19:20:42 -0700 (PDT)
Received: by mail-yb1-xb2d.google.com with SMTP id 3f1490d57ef6-e1633202008so362880276.2 for <cfrg@ietf.org>; Wed, 21 Aug 2024 19:20:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1724293241; x=1724898041; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=r4r793gdniuXMTZwslsM1fzraPvXZR3T91ooXbJziic=; b=wHOVZZokMVFHnkJotF0BMtC0DfYMl8fVJd9ezpaGrgmc5J9LsydefyVYDVt2PWPLq5 rPGUljqhULh8yP4a0nrY4NZCyffsTytqJKjutCv/kJr7AAo49uK8Rcm8AHl5J+mwdgut 9Eoxp0giNM9Jf9xL2OKGPDamTE7cw/NfeWxucVIjuT8AQM673Tz5goVaaKV/PsNrXgMG C0J07VxvwpYB5w/KxGAvqhRPuQggfWZQzLKNgzGlb1a68OBOOyiAW3soekBjIKpuqG9e UNfH+1Ua2dnHmadbq2+H/nwjyLacFwGI+WKAl+QtvXBoPaO0biiAvsIPFMVXl0m8X+ME WXkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724293241; x=1724898041; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=r4r793gdniuXMTZwslsM1fzraPvXZR3T91ooXbJziic=; b=I2/KIJFZzBFlFQj0s98dO8Iaqt9f+vzV0x2DnVOYiJrnwBfIm4m8dHh+GJgoMGcxte d3k2T49C+nt2pT28agEpxZp92Q82bKY7QLeFryo0mnZs8ZTfieMU8E3Qef4CaWny+XuZ leyofN/jIWbO3rT55UxjI9gzM6k/uH2XBWJQgGiA8TL8AuF/IPj8Ou3MckvVVeZF7gRp kWQnhWST26wbBkRk2bbfQMh4E5mnW2LnqB/klc+zVgVp/y6kyL3MXbp97LuefUcTB42L 716xV6Nf/uA2yKcy2B4iXAmz31CB/dxkS1cZ+5W9hOiawGyAx6D5bPUwRacgthc9OAY/ iEkw==
X-Forwarded-Encrypted: i=1; AJvYcCVAhUxZjpmf6Jeq7onV0khPr3IIRSlBWEs3Lcn/cPF2hZVJVwzWEtJPfGxLI6FeDzUpNV88@ietf.org
X-Gm-Message-State: AOJu0YxOyUy/sO3zcFcXB9LNrf5Wdmd9Wckky74pPcySMA7VQO/SLLUq wr1WO4vDxAZyRCipW40+hFvDKQxV5hHXWXaMsFQRucbjbtsFPcJMG2pYicSmh03jOPw6Zw38SMR wdrVzpObMfCAzvpZ0ZAa/+TsfB3Qqg51nurw26gufYwLk+xYF
X-Google-Smtp-Source: AGHT+IGM2dHzEFIdwgielsMsviBvqAFa9ItK21tePo17y8TC4043JrrP/Vw54PqJpCqem/AB8OgyghHj2BrDxM96CVo=
X-Received: by 2002:a05:6902:1188:b0:e11:5ea0:f013 with SMTP id 3f1490d57ef6-e166548dc07mr5430404276.28.1724293241144; Wed, 21 Aug 2024 19:20:41 -0700 (PDT)
MIME-Version: 1.0
References: <CAGiyFdfKZ1qsPR62kb8M_EqfGOfuU4nkEY4JjLCwBb_JOZdxOA@mail.gmail.com> <CAMr0u6kpcRvsifS3GRX0LNCD1LODo_pePZo51K7okfQtatEgNA@mail.gmail.com> <CAGiyFdfAFT4HzxNLB4QKdGs8F8QD-y5LmMpnH=C+O8+2XF8eBQ@mail.gmail.com> <CAG2Zi20x1WvGH3FdhOW0HjpDfJhgfnSJUvXsoqywgn4vy_1eGA@mail.gmail.com> <CA+6di1kw4rPcseBUfAc=kTLbQSXGyph9wHZV-fn9CEg5KjOkgA@mail.gmail.com> <CAG2Zi21v9pDu_EOB1aOyFwsJ+ztoZ5tnk7Dimhap7xGMryJttQ@mail.gmail.com> <CAGiyFdeUaYaKfDwe1xyRQmB1svW3OBpCRXKvOnA-hcyi5zec-w@mail.gmail.com> <CAG2Zi2277O_aJhY1v5N6vGFK1_TPFHQ5w89RJgmzfbSBmGhmcw@mail.gmail.com> <CAFzKZmzfRyYJ4O_9t7fWTnUvZ5rRvGmKN1ETs0+1YrY5Men-fQ@mail.gmail.com>
In-Reply-To: <CAFzKZmzfRyYJ4O_9t7fWTnUvZ5rRvGmKN1ETs0+1YrY5Men-fQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 21 Aug 2024 19:20:04 -0700
Message-ID: <CABcZeBN4jxHB6YOUc5ANTZjc0jxd5aSZ-G_A+qe9-ze0YT3+UA@mail.gmail.com>
To: Chris Barber <cbarbernash@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000020a26a06203c4e0c"
Message-ID-Hash: 2QRQ46K3RNLF7JZAR4ZUXSR7EQRYRM7S
X-Message-ID-Hash: 2QRQ46K3RNLF7JZAR4ZUXSR7EQRYRM7S
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: cfrg-chairs@ietf.org, cfrg@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: BLAKE3 I-D
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/OG_mxzw7K26wWuOsA4nnFxd3PNw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>
I don't actually think the question of how much an algorithm is used in the wild is that relevant to the question of adoption. The more relevant question is whether there are IETF groups who want to use a given algorithm, because that is where CFRG should focus its limited resources. -Ekr On Wed, Aug 21, 2024 at 9:51 AM Chris Barber <cbarbernash@gmail.com> wrote: > Dear Chris, > > You are comparing specific implementations on a particular CPU, not the > algorithms themselves. The "sha3" library you are using is not optimized > and may not accurately reflect the performance of TurboSHAKE compared to, > for example, XKCP. In software, the performance of BLAKE3 and > TurboSHAKE/KT12 is theoretically very close but highly dependent on the > implementation in practice. > > Since this discussion is about adoption, I believe it would be more > relevant to compare the algorithms themselves. What properties does BLAKE3 > have that TurboSHAKE doesn't? "it's already used a lot in the wild" can be > sufficient to justify a specification. > > On Thu, Aug 15, 2024 at 11:07 PM Christopher Patton <cpatton= > 40cloudflare.com@dmarc.ietf.org> wrote: > >> Hi all, >> >> Before adopting BLAKE3, I think it would be useful to see how much of a >> difference it would make in our applications. I would suggest looking >> through RFCs published by CFRG and assess how performance would change if >> they could have used BLAKE3. Off the top of my head: >> - RFC 9180 - HPKE (replace HKDF?) >> - draft-irtf-cfrg-opaque - OPAQUE >> - RFC 9380 - hashing to elliptic curves >> >> I'll add my own data point: draft-irtf-cfrg-vdaf. This draft specifies an >> incremental distributed point function (IDPF), a type of function secret >> sharing used in some MPC protocols. Most of the computation is spent on XOF >> evaluation. For performance reasons, we try to use AES wherever we can in >> order to get hardware support. We end up with a mix of TurboSHAKE128 and >> AES, which is not ideal. It would be much nicer if we could afford to use a >> dedicated XOF, but TurboSHAKE128 is not fast enough in software. I threw >> together some benchmarks for B3: >> >> https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1 >> >> The results were interesting. Compared to Turbo, B3 is 30% faster, as >> expected. Compared to the baseline (mix of Turbo and AES), B3 is 2-3x >> slower for the client operation, as expected; but the server was slightly >> faster, which frankly is a bit of a mystery. We'll need to dig into the >> code more to be certain, as there may be some obvious inefficiencies on the >> client side. But preliminarily, I would say B3 is probably too slow in >> software for this application. >> >> Chris P. >> >> >> >> >> _______________________________________________ >> CFRG mailing list -- cfrg@irtf.org >> To unsubscribe send an email to cfrg-leave@irtf.org >> > _______________________________________________ > CFRG mailing list -- cfrg@irtf.org > To unsubscribe send an email to cfrg-leave@irtf.org >
- [CFRG] Re: BLAKE3 I-D Jean-Philippe Aumasson
- [CFRG] Re: BLAKE3 I-D Christopher Patton
- [CFRG] Re: BLAKE3 I-D Christopher Patton
- [CFRG] Re: BLAKE3 I-D Jean-Philippe Aumasson
- [CFRG] Re: BLAKE3 I-D Christopher Patton
- [CFRG] Fwd: Re: BLAKE3 I-D Jack O'Connor
- [CFRG] Re: BLAKE3 I-D Jean-Philippe Aumasson
- [CFRG] Re: BLAKE3 I-D Jean-Philippe Aumasson
- [CFRG] Re: BLAKE3 I-D Jack O'Connor
- [CFRG] Re: BLAKE3 I-D Christopher Patton
- [CFRG] Re: BLAKE3 I-D Chris Barber
- [CFRG] Re: BLAKE3 I-D Jack O'Connor
- [CFRG] Re: BLAKE3 I-D Eric Rescorla
- [CFRG] Re: BLAKE3 I-D Jean-Philippe Aumasson
- [CFRG] Re: BLAKE3 I-D Benson Muite
- [CFRG] Re: BLAKE3 I-D Eric Rescorla
- [CFRG] Re: BLAKE3 I-D Benson Muite
- [CFRG] Re: BLAKE3 I-D Phillip Hallam-Baker
- [CFRG] Re: BLAKE3 I-D Jean-Philippe Aumasson
- [CFRG] Re: BLAKE3 I-D Benson Muite