Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01
"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Sun, 23 February 2020 11:13 UTC
Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85FA53A0CE5 for <cfrg@ietfa.amsl.com>; Sun, 23 Feb 2020 03:13:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5FZ2yKaj6Cp2 for <cfrg@ietfa.amsl.com>; Sun, 23 Feb 2020 03:13:16 -0800 (PST)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C84D43A0CB5 for <cfrg@irtf.org>; Sun, 23 Feb 2020 03:13:15 -0800 (PST)
Received: by mail-lj1-x22c.google.com with SMTP id w1so6864503ljh.5 for <cfrg@irtf.org>; Sun, 23 Feb 2020 03:13:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iBwlGblqTT5K2RoduQhIZe0hmmvE4Vr20YKWA55ycdE=; b=EfiJOJztQPvt+D4fuY1KQ+KDpHG6zzkV7m4fpOcenMwUxLvBtRrlYT5oGp+JC5j/pK 4oSh3nr6v8cOqfO/0slDIA2P9olFI1iuUmdp3Z22SHH2EtFya5zbPfIEftEihtXNs1U2 wVpV6N2IfHVEtPCAMEjOd63AHe8GtCf52WhgwTTWFme/fHypEAdhgbU4/7pNb5afGDje S133IGMBI3s6YtvBwcA9k1Kop6vrZvgiutTY+hoFPfgKPVqj49eA5TLZpCui1AENUoKw MRv9oe8jvwxt9UzQ/rwTtsxKNsUYbTZXg0Jxj77bxM6JmSrxpdwlTSbJ3J4KF6/axrD9 7YQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iBwlGblqTT5K2RoduQhIZe0hmmvE4Vr20YKWA55ycdE=; b=VSrCPIb9hA08aeBAt5cSRyRvdiM7MBrq1c3ehipNs8XEZO0t1zFxf+T5J705GVaZhI 8gST0gEFbaEIFgozVWK3vpbMXlv50BUJs8Z6FDWMr1urJ6ML9LflRKkM6UdukhRPTwPA 3h3s+uUuTxuDVcXVYecroGLVF/1PE41WAZpD/5rj3drZ54QoH6uQY+IkjdEqBtBY7umz zURt4sU0fk+miC8Bu6wr/RVSjSGk5yj9Ki5Ibz/G5lS7lKcpQ1Ck+KbS5RAMV+JsK47V N5x89eUntqghbg1cvwHOp83P/Yjab1j3sj/tKFxPfYohBPurBH9j1dRMqkA31urzALeS swOQ==
X-Gm-Message-State: APjAAAVpcla/IZl3ktuQcDbg9K+oHQRMQiUYvaRPJNfw7RIjdiQ9gnD0 c2khaSw/mV5IWtAw1orKuKJvly8GFqBJi1PzCFI=
X-Google-Smtp-Source: APXvYqx3fxS88oTFsfW7tOPSssyLhwTDKbQxlDViL4qPLF0fWbwSLDR/T/s4peqby6YkozRu0bd5OwRC7yMH7qJpzk0=
X-Received: by 2002:a2e:9e55:: with SMTP id g21mr28060070ljk.245.1582456393889; Sun, 23 Feb 2020 03:13:13 -0800 (PST)
MIME-Version: 1.0
References: <DF952AED-7578-47B8-B42F-F6A18A927C31@isode.com> <f229605c-914a-21cf-5217-6c314b3323a7@cs.tcd.ie> <d3e393fd-16b7-9b74-56ce-97e2f8032709@cs.ru.nl> <ab214d52-3405-4aeb-89b4-006a743fbad3@cs.tcd.ie> <993cfbc3-9c36-028b-91f4-166f60f3e0b1@cs.ru.nl> <4f33c443-e5f3-b566-55e0-8741ddd17c3b@cs.tcd.ie>
In-Reply-To: <4f33c443-e5f3-b566-55e0-8741ddd17c3b@cs.tcd.ie>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Sun, 23 Feb 2020 14:13:31 +0300
Message-ID: <CAMr0u6=meOawMp9yCZAH6GAd7MOED4RP1O6qg=1NC0PerrVn6w@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Benoît Viguier <b.viguier@cs.ru.nl>, CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000003afc85059f3c578d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/SBrFcuRBs820hFb5sRTZBmxQahE>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Feb 2020 11:13:21 -0000
Dear CFRG, With my chair's hat off, I support moving forward with the document after taking into account the considerations provided by Jean-Philippe Aumasson in his review on behalf of the Crypto Review Panel. Regards, Stanislav On Thu, 20 Feb 2020 at 16:27, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > On 20/02/2020 11:37, Benoît Viguier wrote: > > Hi Stephen, > > > > To answer your question: > > > > Yep, I had a quick look and didn't find what I thought > > I was remembering;-) It may be that what I was thinking > > about was HKDF (RFC 5869), so let me ask it that way: > > is there a clear benefit in using k12 instead of using > > HKDF to get the output length wanted? If there is, and > > it's possible to state that in a short paragraph, that > > might be a useful addition. (While HKDF doesn't have > > arbitrary output length, it can produce long enough > > outputs for many uses I guess.) > > > > ------------------------------------------------------------------------- > > > > K12 has the merit of being a simpler construction and can be used in > > place of HKDF. > > > > In the scope of IoT or embedded devices, another advantage of K12 when > > its input contains a key is that it is easier to protect against DPA > > than SHA-1 or SHA-2. > > Fair enough. Doesn't seem like a compelling addition to > the document in the end, but happy to leave it to you > and others to figure if adding that is useful or not. > > Cheers, > S. > > PS: Just to be clear, the discussion has moved me from > an "unsure" state to where I think this is ok to publish > in an RFC. > > > > > > Kind Regards > > > > On 2/18/20 4:18 PM, Stephen Farrell wrote: > >> Hiya, > >> > >> Coupla follow ups below... > >> > >> On 18/02/2020 14:45, Benoît Viguier wrote: > >>> Dear Stephen, > >>> > >>> Thank you for your comments on our draft! > >>> > >>> Please find below some answers and comments. > >>> > >>> On 2/16/20 3:53 PM, Stephen Farrell wrote: > >>>> Hiya, > >>>> > >>>> On 16/02/2020 11:16, Alexey Melnikov wrote: > >>>>> Dear CFRG participants, > >>>>> > >>>>> This message is starting 2 weeks RGLC on > >>>>> draft-irtf-cfrg-kangarootwelve-01 ("KangarooTwelve"), that will end > >>>>> on March 1st 2020. If you've read the document and think that it is > >>>>> ready (or not ready) for publication as an RFC, please send a message > >>>>> in reply to this email or directly to CFRG chairs > >>>>> (cfrg-chairs@ietf.org). If you have detailed comments, these would > >>>>> also be very helpful at this point. > >>>> I had my 1st read of this and think it needs a bit of > >>>> work, but am overall unclear if it ought be published > >>>> now. (I also looked back at the list archive messages > >>>> referring to k12.) > >>>> > >>>> I don't think CFRG ought be publishing very novel > >>>> algorithm RFCs and am unclear how much study k12 has > >>>> gotten outside the author team. The main reference > >>>> given [1] has pointers to lots of work with titles that > >>>> mention reduced-round keccak but it's unclear (to me, > >>>> not having read 'em;-) how relevant those are to k12. > >>> Actually, all cryptanalysis of Keccak/SHA-3 is relevant to K12. > >>> Cryptanalysis resources are scarce, we chose as an explicit design goal > >>> to make K12 rely on cryptanalysis of Keccak/SHA-3. > >>> > >>> To be more precise, K12 is made of two layers: > >>> > >>> 1) The inner function F. This layer relies on cryptanalysis. K12's F > >>> function is exactly Keccak[r=1344, c=256] (as in SHAKE128) reduced to > 12 > >>> rounds (no tweaks!). Hence, any reduced-round cryptanalysis on Keccak > is > >>> also a reduced round cryptanalysis of K12's F (provided the number of > >>> rounds attacked is not higher than 12 of course). > >>> > >>> 2) The tree hashing over F. This layer is a mode on top of F that does > >>> not introduce any vulnerability thanks to the use of Sakura coding > >>> proven secure in the paper [Bertoni et al., ACNS 2014]. > >>> > >>> This reasoning is detailed and formalized in the paper [Bertoni et al., > >>> ACNS 2018], which is peer-reviewed. > >> Thanks. It sounds like referring to that section > >> of that paper would help so. (Your explanation there > >> helped me fwiw.) > >> > >>>> [1] is also used as [KECCAK_CRYPTANALYSIS] in the draft > >>>> and is where the authors are pointing us to find > >>>> security analysis of k12. I don't think an author- > >>>> maintained web page like that is really good enough > >>>> as the key reference for an RFC like this. > >>> Good point indeed! > >>> > >>> One option would be that we put all the references in the RFC. We are > >>> not sure this is the right place for it, as we see an RFC more as > >>> implementation guide rather than an analysis paper. For example: > >>> https://tools.ietf.org/html/rfc7748 does not mention anything with > >>> respect to the security of X25519 which is detailed in section 3 of > >>> https://www.iacr.org/cryptodb/archive/2006/PKC/3351/3351.pdf. > >>> Nevertheless, we are open to this option. > >>> > >>> Another option would be to refer to [K12, Section 5]. In that section > >>> attacks with the highest number of rounds are discussed and > >>> corresponding paper are referred to. > >> Yep, that sounds good to me. > >> > >>> However with the possible > >>> appearance of new cryptanalysis results, this section would become > outdated. > >> Just to be clear - including the URL as an additional > >> reference as well seems like a good idea. It's only > >> depending on that as the main source that seems a bit > >> iffy. > >> > >>>> I totally get why the authors would find that > >>>> easier/better, but that won't be true for a reader in > >>>> 20 years time, so better to put in the precise > >>>> references now. That should also clarify the extent to > >>>> which those are about k12 (as defined here) and not > >>>> about something else. > >>> We agree with this, however Keccak cryptanalysis directly applies to > K12. > >>>> I think the references really need fixing before this > >>>> ought be published. I'm not sure where the right line > >>>> ought be drawn in terms of maturity of an algorithm > >>>> before CFRG blesses it with an RFC. <4 years does seem > >>>> short, even if this is strongly based on keccak. (Hence > >>>> me being unsure overall.) > >>> For us the maturity amounts to more than 4 years. Being SHA-3, Keccak > is > >>> a high-profile cryptanalysis target. As we did not tweak the round > >>> function, K12 relies on sustained cryptanalysis since 2008. > >> Ack. If nobody's gotten near breaking 12 rounds and > >> since you didn't tweak it, that does sound convincing > >> to me. Thanks. > >> > >>>> Separately, the draft could benefit from some guidance > >>>> as to when this is thought to be useful - presumably > >>>> that's when one wants a hash output that's >512 bits. > >>>> IIRC, there are other RFCs (forget numbers, sorry), > >>>> that describe how to get such outputs using standard > >>>> hash functions. If there are such RFCs, it'd be good > >>>> to reference those. Either way saying why and when this > >>>> is preferable to use of standard hash functions would > >>>> be good. > >>> The standard hash functions (SHA-1 and SHA-2) are subject to length > >>> extension attacks. > >> Yep, I had a quick look and didn't find what I thought > >> I was remembering;-) It may be that what I was thinking > >> about was HKDF (RFC 5869), so let me ask it that way: > >> is there a clear benefit in using k12 instead of using > >> HKDF to get the output length wanted? If there is, and > >> it's possible to state that in a short paragraph, that > >> might be a useful addition. (While HKDF doesn't have > >> arbitrary output length, it can produce long enough > >> outputs for many uses I guess.) > >> > >> Cheers, > >> S. > >> > >> > >>> And in all cases, K12 will be faster than SHA-3. If > >>> that makes it clearer, we could add a short guidance as to when the > user > >>> can benefit the most from K12. We could simply reuse the arguments from > >>> these slides: https://benoit.viguier.nl/files/K12atMontreal.pdf > >>>> Other than the above, the draft seems clear (though > >>>> I didn't try implement) and many thanks for not > >>>> defining the usual pile of pointless variants/options:-) > >>> Thanks, yes, that was another design goal for K12. > >>> > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01 Alexey Melnikov
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stephen Farrell
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Benoît Viguier
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stephen Farrell
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Benoît Viguier
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stephen Farrell
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stanislav V. Smyshlyaev
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Dan Brown
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Gilles Van Assche