Re: [CFRG] Extract-and-expand with KMAC

Gilles VAN ASSCHE <gilles.vanassche@st.com> Thu, 19 November 2020 11:05 UTC

From: Gilles VAN ASSCHE <gilles.vanassche@st.com>
To: "rsw@jfet.org" <rsw@jfet.org>, "Dang, Quynh H. (Fed)" <quynh.dang@nist.gov>
CC: CFRG <cfrg@irtf.org>
Date: Thu, 19 Nov 2020 11:05:23 +0000
Subject: Re: [CFRG] Extract-and-expand with KMAC
In-Reply-To: <20201118190550.hzpggpt5a367auik@muon>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3UbPN4UW56a5Y--9GzOoc7RjetY>

Hi,

> "Dang, Quynh H. (Fed)" <quynh.dang@nist.gov> wrote:
>> I am not aware of a protocol where the output from an extract step:
>> PRK is saved and the expansion step gets executed later to generate 
>> keys.

> Totally agreed! In most cases, we don't worry much about PRK. Note, however, that the message I was responding to explicitly *did* worry about it:

> Gilles VAN ASSCHE <gilles.vanassche@st.com> wrote:
>> This solution is not incompatible with the case where an intermediate 
>> value PRK is required:

> If indeed the intermediate value is required, as discussed here, then my concerns about non-black-box use of the primitives are relevant.
> Otherwise, as you say, no worries at all---and we have good reason to believe that constructions like SHA-3 are great for such cases.

Indeed, my primary message was that the intermediate value PRK is probably (=without knowledge of the application) not needed, and therefore evaluating SHAKE128(salt ; IKM ; info) works as is. So I guess we agree on this point.

I understand your concerns about the non-black-box use of SHAKE. However, it seems to me they would be addressed with an implementation that supports Init-Update-Final-like (IUF) function calls. The PRK would then materialize as the state (e.g., the struct passed to these functions) after Update(salt ; IKM). Note that I am not advocating this mechanism, but just using it to argue that
- the PRK exists, so philosophically SHAKE is also somehow doing extract+expand, and
- it is not unreasonable to expose the PRK with an IUF implementation, should the need for a delayed expansion occur.

Kind regards,
Gilles
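The IUF mechanism described in the message above, as an added example that is not part of the original email or of any code by its author. It uses Python's hashlib.shake_128, whose update()/copy()/digest(n) calls play the role of Init-Update-Final: after absorbing salt and IKM the hash object *is* the "PRK", and the expansion with info can be run later on a copy of it. The 4-byte length-prefix framing of the three fields, the helper names and the sample inputs are assumptions of this example; the message writes "salt ; IKM ; info" without fixing an encoding.

```python
import hashlib


def encode_field(b: bytes) -> bytes:
    """Length-prefix a field so that the (salt, IKM, info) boundaries are
    unambiguous. This framing is an assumption of this example, not something
    the message specifies; without it, salt=b"ab"/IKM=b"c" and
    salt=b"a"/IKM=b"bc" would absorb the same byte string."""
    return len(b).to_bytes(4, "big") + b


def shake_kdf_oneshot(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Single call SHAKE128(salt ; IKM ; info), i.e. the case where no
    intermediate PRK is needed."""
    return hashlib.shake_128(
        encode_field(salt) + encode_field(ikm) + encode_field(info)
    ).digest(length)


def extract(salt: bytes, ikm: bytes):
    """'Extract' step: Init, then Update(salt ; IKM). The returned hash object
    holds the Keccak state after absorbing salt and IKM; that state is the PRK.
    Note it is the full sponge state, not a fixed-size byte string."""
    state = hashlib.shake_128()
    state.update(encode_field(salt))
    state.update(encode_field(ikm))
    return state


def expand(prk, info: bytes, length: int) -> bytes:
    """'Expand' step, possibly delayed: clone the saved state so the PRK can be
    reused, absorb info, then squeeze `length` bytes (Final)."""
    state = prk.copy()          # leaves the stored PRK untouched
    state.update(encode_field(info))
    return state.digest(length)


def demo() -> bool:
    """Check that delayed expansion from the saved state equals the one-shot
    evaluation, using constructed sample inputs."""
    salt, ikm = b"constructed salt", b"constructed IKM"
    prk = extract(salt, ikm)
    k1 = expand(prk, b"constructed info 1", 32)
    k2 = expand(prk, b"constructed info 2", 32)
    return (k1 == shake_kdf_oneshot(salt, ikm, b"constructed info 1", 32)
            and k2 == shake_kdf_oneshot(salt, ikm, b"constructed info 2", 32)
            and k1 != k2)


if __name__ == "__main__":
    print("delayed expansion matches one-shot SHAKE128:", demo())
```

Two practical caveats follow from the "PRK is the state" view. First, what gets stored is the 200-byte Keccak state rather than a 32-byte key, so a design that wants to export the PRK to another process or device has to serialize sponge state (the standard-library hash objects cannot be pickled, so with hashlib the PRK lives only inside the process). Second, the prefix property of an XOF means expand(prk, info, 64)[:32] == expand(prk, info, 32); if two callers must never see related output, they need distinct info values, not merely distinct lengths.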