Re: [Cfrg] Kravatte-SANSE

Gilles Van Assche <> Tue, 04 December 2018 10:18 UTC

To: Nick Sullivan <>

Hi Nick,

> I'm interested in this construction but I'd like to know more. What
> sort of applications do you think this function would have within the
> IETF? Would it be useful as a general replacement for PRFs in, for
> example, TLS?

Kravatte is indeed a pseudo-random function (PRF), and could be plugged
in as one, using Kravatte directly as a MAC function or to generate key
stream. Note that it has additional extension properties, i.e., it
supports sequences of strings as input and computing F(Y o X) costs only
the processing of Y if F(X) was previously computed. With the modes we
propose (-SANE, -SANSE and -WBCAE), it becomes an authenticated
encryption scheme with a range of robustness properties.

Both Kravatte-SANE and -SANSE support sessions, as previously described.
Although not a specialist in TLS, I nevertheless think that this fits
naturally in protocols that protect a stream of data like TCP. If the
protocol starts with a shared session key (as produced by, e.g., a
Diffie-Hellman variant), then the session maps to the complete stream of
data in a very simple way, with intermediate MACs, and without the need
to manage nonces. In the case of out-of-order packets like UDP, each
packet would be protected independently, and the concept of session is
less useful, though.

Kravatte-SANE relies on nonces, unless one needs only a single session
per key as in the example above. Unlike Kravatte-SANE, Kravatte-SANSE
creates a synthetic nonce in a SIV fashion for additional robustness.
Finally, Kravatte-WBCAE is a wide block cipher (WBC) that can do
authenticated encryption with minimal ciphertext expansion. (It is
functionally similar to CAESAR candidate AEZ but constructed in a very
different way.)

> Can it leverage hardware-specific instructions?

Because of the highly parallel Farfalle construction, Kravatte can take
advantage of general-purpose vector instructions like NEON, SSE or
AVX{2, 512}.

It can also exploit the SHA-3 instructions in ARMv8.2. These
instructions actually accelerate the evaluation of two Keccak-p
permutations in parallel, which Kravatte can take advantage of, thanks
to the parallelism.

Kind regards,
Gilles, for the Kravatte designers
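Added example, not part of the original e-mail and not the Kravatte designers' code: a small Python model of the session and SIV properties described above (a session key shared once, every message bound to the stream so far, intermediate tags, no per-message nonce to manage). Kravatte itself is not available in the standard library, so SHAKE256 from hashlib stands in for the PRF F; this is an assumption for illustration only and the code has none of Kravatte's parallelism or speed. The copied hash state models the cached F(X): wrapping the next message only absorbs the new strings Y. Class and function names are hypothetical and the key and packets are constructed sample values.

```python
import hashlib
import hmac

TAG_LEN = 32  # bytes of tag per message

def _absorb(h, s: bytes) -> None:
    """Feed one string of a sequence unambiguously (8-byte length prefix)."""
    h.update(len(s).to_bytes(8, "big"))
    h.update(s)

class SessionSIV:
    """Session-style SIV authenticated encryption with a SHAKE256 stand-in PRF.

    The running hash state plays the role of the cached F(X): every later
    message only costs absorbing the new strings, not the whole history.
    """
    def __init__(self, key: bytes, session_id: bytes = b""):
        self._state = hashlib.shake_256()
        _absorb(self._state, key)
        _absorb(self._state, session_id)

    def _tag(self, ad: bytes, pt: bytes) -> bytes:
        h = self._state.copy()          # continue from the history so far
        _absorb(h, ad)
        _absorb(h, pt)
        _absorb(h, b"tag")              # domain separation from keystream
        return h.digest(TAG_LEN)

    def _keystream(self, tag: bytes, n: int) -> bytes:
        h = self._state.copy()
        _absorb(h, tag)                 # SIV: the tag acts as the synthetic nonce
        _absorb(h, b"enc")
        return h.digest(n)

    def _advance(self, ad: bytes, pt: bytes, tag: bytes) -> None:
        # Extend the session transcript; both ends do this in lock step.
        for s in (ad, pt, tag):
            _absorb(self._state, s)

    def wrap(self, ad: bytes, pt: bytes) -> tuple:
        tag = self._tag(ad, pt)
        ks = self._keystream(tag, len(pt))
        ct = bytes(p ^ k for p, k in zip(pt, ks))
        self._advance(ad, pt, tag)
        return ct, tag

    def unwrap(self, ad: bytes, ct: bytes, tag: bytes) -> bytes:
        ks = self._keystream(tag, len(ct))
        pt = bytes(c ^ k for c, k in zip(ct, ks))
        # Plaintext is only released after the tag check passes; on failure
        # the session state is left untouched.
        if not hmac.compare_digest(self._tag(ad, pt), tag):
            raise ValueError("authentication failed: tampered, replayed or out of order")
        self._advance(ad, pt, tag)
        return pt

# Constructed demo values; a real session key would come from a key exchange.
KEY = bytes(range(32))
PACKETS = [(b"hdr1", b"hello"), (b"hdr2", b"world"), (b"hdr3", b"")]

def roundtrip() -> list:
    """Sender and receiver stay in sync over an in-order stream."""
    sender, receiver = SessionSIV(KEY), SessionSIV(KEY)
    wire = [(ad, *sender.wrap(ad, pt)) for ad, pt in PACKETS]
    return [receiver.unwrap(ad, ct, tag) for ad, ct, tag in wire]

def reorder_is_rejected() -> bool:
    """Delivering packet 3 before packet 2 fails: the tag binds the position."""
    sender, receiver = SessionSIV(KEY), SessionSIV(KEY)
    wire = [(ad, *sender.wrap(ad, pt)) for ad, pt in PACKETS]
    receiver.unwrap(*wire[0])
    try:
        receiver.unwrap(*wire[2])
    except ValueError:
        return True
    return False

def repeated_message_differs() -> bool:
    """Same (AD, plaintext) twice in one session gives different outputs
    without any nonce, because the history differs."""
    s = SessionSIV(KEY)
    first = s.wrap(b"h", b"same plaintext")
    second = s.wrap(b"h", b"same plaintext")
    return first != second

if __name__ == "__main__":
    print(roundtrip(), reorder_is_rejected(), repeated_message_differs())
```

The keystream is derived from the history and the tag but never from the plaintext, which is what lets the receiver decrypt before verifying, as in any SIV scheme; the tag in turn covers the history, the associated data and the plaintext, so a replayed, reordered or modified packet fails verification and does not advance the receiver's state. For out-of-order transports like UDP, each packet would instead need its own independent instance (or an explicit nonce), which is the point made in the e-mail about sessions being less useful there.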