[CFRG] Re: BLAKE3 I-D

Benson Muite <benson_muite@emailplus.org> Sat, 24 August 2024 06:55 UTC

Return-Path: <benson_muite@emailplus.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12BEFC15109E for <cfrg@ietfa.amsl.com>; Fri, 23 Aug 2024 23:55:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.162
X-Spam-Level:
X-Spam-Status: No, score=-2.162 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, NICE_REPLY_A=-0.355, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=emailplus.org header.b="Gt3X0TpY"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="TVLLcQ0W"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4kr051JAo3ch for <cfrg@ietfa.amsl.com>; Fri, 23 Aug 2024 23:54:56 -0700 (PDT)
Received: from fhigh7-smtp.messagingengine.com (fhigh7-smtp.messagingengine.com [103.168.172.158]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25DF0C151092 for <cfrg@irtf.org>; Fri, 23 Aug 2024 23:54:55 -0700 (PDT)
Received: from phl-compute-02.internal (phl-compute-02.nyi.internal [10.202.2.42]) by mailfhigh.nyi.internal (Postfix) with ESMTP id 3607E11521DE for <cfrg@irtf.org>; Sat, 24 Aug 2024 02:54:55 -0400 (EDT)
Received: from phl-mailfrontend-01 ([10.202.2.162]) by phl-compute-02.internal (MEProxy); Sat, 24 Aug 2024 02:54:55 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=emailplus.org; h=cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm1; t=1724482495; x=1724568895; bh=lDNzE3Yz0lSBzkvtkIvbUF5n+QkzOlXZya/xC1PNW6w=; b= Gt3X0TpYO7igi6tWmg1pfK61JyHWkeK1PHe/A+ZveJePM77oL3ZLGfeigo16Hw4t 7Z21LAdcQ5BzqFoc0Nv6t/6wtfu7Yk8XXSqLQUWQrxOVJT0dVpqWgU2uKkxvQlHO ni/g2Nup2yHKj01Dm5UZwI2jO20oLiKwsC3PIdJi7TMdMajgdvTrn3Ea1zDKUNtM lO2mKshv/Wk/Mb0IPOhxDpDQ6a3h9jY88Fpip9/WM/CsSrN1N3qdwwvw0WVJ/FCN zOZqOpjt/Hjru35ANvT+V+3UyAnVa8UkFoO7ULEsvLonTBBARmnQlxmGOvdJpW4q qEnuQetXTdWRVUo+9q78ow==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1724482495; x= 1724568895; bh=lDNzE3Yz0lSBzkvtkIvbUF5n+QkzOlXZya/xC1PNW6w=; b=T VLLcQ0WGsVfkKqu8qGs4fgu4vBTZcvhAqmiTSFc2+EFwwokvfit+eseQZEPcmvh5 ppVOD4cItNUnaecCcGeJ/FeWAVSO0aRb/OCt1W1TGQo6zkmBdfAdIzFN/nBb32og nYwODnphHuzZzswGjjYrEps1opzy+IGy+5ynWGoI/piosa+/+pQATChGJX+F6aMC 8NT0gfS6+Ef01siPIna29KOYiC1O5DdHhXu7rQuxLdGhZFolDFiUGqnUE+tD3hTM DzIPqkSl40pN501mI8Ru41GaIdfdi77io0zwi4xAJJW7T3SGW5FXBprg61SN1+vq dFbQWCd09aqLQCw4dUueA==
X-ME-Sender: <xms:v4PJZp77pcGxs5PHA5v2u5iibyB4kS0zt-4vYMVArVFdADywDFpa1A> <xme:v4PJZm4yWtWfABG6oCdWPUg6DYVpM5QFuiRoEFckYcqg19RbUUswv-FWL0jekIspK n0BaS_qSVrQsqP4>
X-ME-Received: <xmr:v4PJZgelfrmwmvHdB2pp4S0Ojebv0PIXRva1wqCiIMSSghAcW_X-0-2IGjRMaNvSwNCh>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddruddvfedguddufecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpggftfghnshhusghstghrihgsvgdp uffrtefokffrpgfnqfghnecuuegrihhlohhuthemuceftddtnecunecujfgurhepkfffgg gfvfhfhffujggtgfesthekredttdefjeenucfhrhhomhepuegvnhhsohhnucfouhhithgv uceosggvnhhsohhnpghmuhhithgvsegvmhgrihhlphhluhhsrdhorhhgqeenucggtffrrg htthgvrhhnpeelgeekteekhefhvdegkeetlefgfedtgefhtddtgfevgedugffhfeehhfeu vdejffenucffohhmrghinhepihgvthhfrdhorhhgpdhrfhgtqdgvughithhorhdrohhrgh dpghhithhhuhgsrdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehm rghilhhfrhhomhepsggvnhhsohhnpghmuhhithgvsegvmhgrihhlphhluhhsrdhorhhgpd hnsggprhgtphhtthhopedupdhmohguvgepshhmthhpohhuthdprhgtphhtthhopegtfhhr ghesihhrthhfrdhorhhg
X-ME-Proxy: <xmx:v4PJZiL6hzwSc8ehm0lptIGc5yGB6oLYUyE9og1bU0yvJ_dw-gzreA> <xmx:v4PJZtLQO0BJRHf_3YbtYXhD4OV-WC47VxqGCILZ6IyGBBcjU1jJVA> <xmx:v4PJZrwxkzUd0Qdxuvz_jOcOvHkdxTzwi3wZytdKmXV1EeRnBV6QXA> <xmx:v4PJZpKmSGJEPNYlnpoOuLj4gamZxF9cJnW0K6zBoj3qC1ckFO_v2g> <xmx:v4PJZkVmjcfkRm8cMlFloGeiaqVfEKxOSbzUXhS51O0OAqfbxZyoWOWv>
Feedback-ID: ic1e8415a:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA for <cfrg@irtf.org>; Sat, 24 Aug 2024 02:54:53 -0400 (EDT)
Message-ID: <ec9e57f6-9daa-2edf-71bd-0b548c403182@emailplus.org>
Date: Sat, 24 Aug 2024 09:54:48 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1
Content-Language: en-US
To: cfrg@irtf.org
References: <CAGiyFdfKZ1qsPR62kb8M_EqfGOfuU4nkEY4JjLCwBb_JOZdxOA@mail.gmail.com> <CAMr0u6kpcRvsifS3GRX0LNCD1LODo_pePZo51K7okfQtatEgNA@mail.gmail.com> <CAGiyFdfAFT4HzxNLB4QKdGs8F8QD-y5LmMpnH=C+O8+2XF8eBQ@mail.gmail.com> <CAG2Zi20x1WvGH3FdhOW0HjpDfJhgfnSJUvXsoqywgn4vy_1eGA@mail.gmail.com> <CA+6di1kw4rPcseBUfAc=kTLbQSXGyph9wHZV-fn9CEg5KjOkgA@mail.gmail.com> <CAG2Zi21v9pDu_EOB1aOyFwsJ+ztoZ5tnk7Dimhap7xGMryJttQ@mail.gmail.com> <CAGiyFdeUaYaKfDwe1xyRQmB1svW3OBpCRXKvOnA-hcyi5zec-w@mail.gmail.com> <CAG2Zi2277O_aJhY1v5N6vGFK1_TPFHQ5w89RJgmzfbSBmGhmcw@mail.gmail.com> <CAFzKZmzfRyYJ4O_9t7fWTnUvZ5rRvGmKN1ETs0+1YrY5Men-fQ@mail.gmail.com> <CABcZeBN4jxHB6YOUc5ANTZjc0jxd5aSZ-G_A+qe9-ze0YT3+UA@mail.gmail.com>
From: Benson Muite <benson_muite@emailplus.org>
In-Reply-To: <CABcZeBN4jxHB6YOUc5ANTZjc0jxd5aSZ-G_A+qe9-ze0YT3+UA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: OD67MP2UWADLPGTXG3IQHNQTNNL2RMDM
X-Message-ID-Hash: OD67MP2UWADLPGTXG3IQHNQTNNL2RMDM
X-MailFrom: benson_muite@emailplus.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: BLAKE3 I-D
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/RDHi0nWnES_4AHZfB0blqtSDF1E>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

On 22/08/2024 05.20, Eric Rescorla wrote:
> I don't actually think the question of how much an algorithm is used in
> the wild is that relevant to the question of adoption. The more relevant
> question is whether there are IETF groups who want to use a given
> algorithm, because that is where CFRG should focus its limited resources.
> 

RFC 7693 [1] documents Blake 2.  Blake 3 is an improved version of this,
so is worth reviewing. Blake 2 was done through the independent
submission stream [2], rather than through a research or working group.

1) https://datatracker.ietf.org/doc/html/rfc7693
2) https://www.rfc-editor.org/about/independent/

> -Ekr
> 
> 
> On Wed, Aug 21, 2024 at 9:51 AM Chris Barber <cbarbernash@gmail.com
> <mailto:cbarbernash@gmail.com>> wrote:
> 
>     Dear Chris,
> 
>     You are comparing specific implementations on a particular CPU, not
>     the algorithms themselves. The "sha3" library you are using is not
>     optimized and may not accurately reflect the performance of
>     TurboSHAKE compared to, for example, XKCP. In software, the
>     performance of BLAKE3 and TurboSHAKE/KT12 is theoretically very
>     close but highly dependent on the implementation in practice.
> 
>     Since this discussion is about adoption, I believe it would be more
>     relevant to compare the algorithms themselves. What properties does
>     BLAKE3 have that TurboSHAKE doesn't? "it's already used a lot in the
>     wild" can be sufficient to justify a specification.
> 
> 
>     On Thu, Aug 15, 2024 at 11:07 PM Christopher Patton
>     <cpatton=40cloudflare.com@dmarc.ietf.org
>     <mailto:40cloudflare.com@dmarc.ietf.org>> wrote:
> 
>         Hi all,
> 
>         Before adopting BLAKE3, I think it would be useful to see how
>         much of a difference it would make in our applications. I would
>         suggest looking through RFCs published by CFRG and assess how
>         performance would change if they could have used BLAKE3. Off the
>         top of my head:
>         - RFC 9180 - HPKE (replace HKDF?)
>         - draft-irtf-cfrg-opaque - OPAQUE
>         - RFC 9380 - hashing to elliptic curves
> 
>         I'll add my own data point: draft-irtf-cfrg-vdaf. This draft
>         specifies an incremental distributed point function (IDPF), a
>         type of function secret sharing used in some MPC protocols. Most
>         of the computation is spent on XOF evaluation. For performance
>         reasons, we try to use AES wherever we can in order to get
>         hardware support. We end up with a mix of TurboSHAKE128 and AES,
>         which is not ideal. It would be much nicer if we could afford to
>         use a dedicated XOF, but TurboSHAKE128 is not fast enough in
>         software. I threw together some benchmarks for B3:
>         https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1 <https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1>
> 
>         The results were interesting. Compared to Turbo, B3 is 30%
>         faster, as expected. Compared to the baseline (mix of Turbo and
>         AES), B3 is 2-3x slower for the client operation, as expected;
>         but the server was slightly faster, which frankly is a bit of a
>         mystery. We'll need to dig into the code more to be certain, as
>         there may be some obvious inefficiencies on the client side. But
>         preliminarily, I would say B3 is probably too slow in software
>         for this application.
> 
>         Chris P.
> 
> 
> 
> 
>         _______________________________________________
>         CFRG mailing list -- cfrg@irtf.org <mailto:cfrg@irtf.org>
>         To unsubscribe send an email to cfrg-leave@irtf.org
>         <mailto:cfrg-leave@irtf.org>
> 
>     _______________________________________________
>     CFRG mailing list -- cfrg@irtf.org <mailto:cfrg@irtf.org>
>     To unsubscribe send an email to cfrg-leave@irtf.org
>     <mailto:cfrg-leave@irtf.org>
> 
> 
> _______________________________________________
> CFRG mailing list -- cfrg@irtf.org
> To unsubscribe send an email to cfrg-leave@irtf.org