Re: [Cfrg] Kravatte-SANSE

Gilles Van Assche <gilles.vanassche@st.com> Tue, 04 December 2018 10:18 UTC

Return-Path: <gilles.vanassche@st.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42CB6130E96 for <cfrg@ietfa.amsl.com>; Tue, 4 Dec 2018 02:18:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HnOZ0_b_asOi for <cfrg@ietfa.amsl.com>; Tue, 4 Dec 2018 02:17:58 -0800 (PST)
Received: from mx07-00178001.pphosted.com (mx08-00178001.pphosted.com [91.207.212.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 514B712785F for <cfrg@irtf.org>; Tue, 4 Dec 2018 02:17:57 -0800 (PST)
Received: from pps.filterd (m0046660.ppops.net [127.0.0.1]) by mx08-00178001.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id wB4AB983028122; Tue, 4 Dec 2018 11:17:56 +0100
Received: from beta.dmz-eu.st.com (beta.dmz-eu.st.com [164.129.1.35]) by mx08-00178001.pphosted.com with ESMTP id 2p53mawwsq-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 04 Dec 2018 11:17:55 +0100
Received: from zeta.dmz-eu.st.com (zeta.dmz-eu.st.com [164.129.230.9]) by beta.dmz-eu.st.com (STMicroelectronics) with ESMTP id DF1F53F; Tue, 4 Dec 2018 10:17:53 +0000 (GMT)
Received: from Webmail-eu.st.com (sfhdag6node2.st.com [10.75.127.17]) by zeta.dmz-eu.st.com (STMicroelectronics) with ESMTP id A2AC82981; Tue, 4 Dec 2018 10:17:53 +0000 (GMT)
Received: from [10.137.2.67] (10.75.127.48) by SFHDAG6NODE2.st.com (10.75.127.17) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 4 Dec 2018 11:17:53 +0100
To: Nick Sullivan <nick@cloudflare.com>
CC: <cfrg@irtf.org>
References: <3ACA1E7B-DEAF-4474-8C12-702617F0DF64@gmail.com> <415bf880-f1ea-d036-c046-b29f19abed5e@st.com> <CAFDDyk-HD0oCH_1hk9KaBE9U6bk=FvE7XTHMbYbJXQpk1OhJXg@mail.gmail.com>
From: Gilles Van Assche <gilles.vanassche@st.com>
Openpgp: preference=signencrypt
Autocrypt: addr=gilles.vanassche@st.com; keydata= xsDiBD8SkBwRBADFdM4ygHSMHFx6T5i2h1kJYurvDCbak3XS/+n6xLU6MXePU3PD6Onpuc9g 2lEFnVko+SrjK0+2VJOdwd5tDel1EkAVEwbB8mDNDaxyalhiLw7CQEgZVpFGgMOaFiUPUhYZ KwwkzKf9IDb5uG+DmUTSNBBBNohnhSDo9ZHxZejNPQCg/7Wg+vfKwyrniTAVOwmyzh86FgcD /RZrWc9oqkbwhJGiRtGZyZuARtDvWxwFs35UfbySbiBRrhHNezR+0XP2iI2bOSCNr2k2pP0r WA7UgQ1x/RQ+D9Abgd/P2fFSgaodKQ3MjPoKo8FS0yAMFt7crOaRQm/IuHauUXWfw4VyeXcG gKm1sMV9ApK0Xh0NLERJ9F5FtQRaA/42+3Np6IRPEqRAlyg1uAJzBa7QAXd1QTWxkzEImHvr w1Xdvo6OYNnOPe8XVoMjdY3BaZ/arKmeyScsEKczeWqNXuIPhCYo24sRw0Ug2ztnUZzyhkHQ I4BAo7uP0KC84SzTBR4ZEHZ4NJe8szxCE29DbgJ7w82WEN8fq1pytxZ2Ms0rR2lsbGVzIFZh biBBc3NjaGUgPGdpbGxlcy52YW5hc3NjaGVAc3QuY29tPsK3BBARAgB3BQJYpYPyFwoAAYAl 4V1V5bnd3l+yv2GEFv/VwMI2IBQAAAAAABYAAWtleS11c2FnZS1tYXNrQHBncC5jb22NCAsJ CAcDAgEKAhkBFhhsZGFwOi8vcGdwLXNtZC5zdC5jb20FGwMAAAADFgIBBR4BAAAABBUICQoA CgkQc/9XCxoSKFjLDwCfQM7xiXDWVlNoNoyBQMi/kEYG6oQAnifl72lD+g5rmSxgjML5t9Pi w66rzsFNBD8SkBwQCAD2Qle3CH8IF3KiutapQvMF6PlTETlPtvFuuUs4INoBp1ajFOmPQFXz 0AfGy0OplK33TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89PY3bzpnhV5JZzf24rnRPxfx2vIPF RzBhznzJZv8V+bv9kV7HAarTW56NoKVyOtQa8L9GAFgr5fSI/VhOSdvNILSd5JEHNmszbDgN RR0PfIizHHxbLY7288kjwEPwpVsYjY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgR jXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpMgs7 AAICCACzlrAg+Re240hxYkSqg8XOPMsVA7LUu+ukInygJM20pTY0y9mVl4JxNucTnsa98Y5k umgx5f2kvoWIWyo7iTFVebFJd/DUW7TGtnwt6fM+yvGReh3HfrIvjnogkSD09stPCsqMrASn He7wFwrKlBKNC1ePdKtk6BUyrjjbNFgLXak3E9A4ISXV31c43iRz/y2GNg8GljbnKwyyBgsx +oHIqiyz3S0lsFqHhkocYQrobm1HIAGCZsKSIIGQRVtNijq+4gxG/dnD2RlLHCoQEk6vdsmg EOvD3Ylqk85j2VV9gdnVWDbCZeo+RmX4ZzOc5JA0e/rCh2H8VS+WDdmNo+fowkwEGBECAAwF Aj8SkBwFGwwAAAAACgkQc/9XCxoSKFjvmgCfYxaz3jP35HUmtYu5DSH+fktMwuQAoMitXa0b 5wlXzvzHaXtqpPhetYjM
Message-ID: <c6f976d0-ae9d-6ec9-96ae-2a188c415cfa@st.com>
Date: Tue, 4 Dec 2018 11:19:13 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0
MIME-Version: 1.0
In-Reply-To: <CAFDDyk-HD0oCH_1hk9KaBE9U6bk=FvE7XTHMbYbJXQpk1OhJXg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Originating-IP: [10.75.127.48]
X-ClientProxiedBy: SFHDAG8NODE3.st.com (10.75.127.24) To SFHDAG6NODE2.st.com (10.75.127.17)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-12-04_06:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Uz_LSkl9fnAydBCRbKMFRseLhUE>
Subject: Re: [Cfrg] Kravatte-SANSE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Dec 2018 10:18:00 -0000

Hi Nick,

> I'm interested in this construction but I'd like to know more. What
> sort of applications do you think this function would have within the
> IETF? Would it be useful as a general replacement for PRFs in, for
> example, TLS?

Kravatte is indeed a pseudo-random function (PRF), and could be plugged
in as one, using Kravatte directly as a MAC function or to generate key
stream. Note that it has additional extension properties, i.e., it
supports sequences of strings as input and computing F(Y o X) costs only
the processing of Y if F(X) was previously computed. With the modes we
propose (-SANE, -SANSE and -WBCAE), it becomes an authenticated
encryption scheme with a range of robustness properties.

Both Kravatte-SANE and -SANSE support sessions, as previously described.
Although not a specialist in TLS, I nevertheless think that this fits
naturally in protocols that protect a stream of data like TCP. If the
protocol starts with a shared session key (as produced by, e.g., a
Diffie-Hellman variant), then the session maps to the complete stream of
data in a very simple way, with intermediate MACs, and without the need
to manage nonces. In the case of out-of-order packets like UDP, each
packet would be protected independently, and the concept of session is
less useful, though.

Kravatte-SANE relies on nonces, unless one needs only a single session
per key as in the example above. Unlike Kravatte-SANE, Kravatte-SANSE
creates a synthetic nonce in a SIV fashion for additional robustness.
Finally, Kravatte-WBCAE is a wide block cipher (WBC) that can do
authenticated encryption with minimal ciphertext expansion. (It is
functionally similar to CAESAR candidate AEZ but constructed in a very
different way.)

> Can it leverage hardware-specific instructions?

Because of the highly parallel Farfalle construction, Kravatte can take
advantage of general-purpose vector instructions like NEON, SSE or
AVX{2, 512}.

It can also exploit the SHA-3 instructions in ARMv8.2. These
instructions actually accelerate the evaluation of two Keccak-p
permutations in parallel, which Kravatte can take advantage of, thanks
to the parallelism.

Kind regards,
Gilles, for the Kravatte designers