[CFRG] Comment on draft-irtf-cfrg-vdaf

Gilles VAN ASSCHE <gilles.vanassche@st.com> Tue, 20 August 2024 15:17 UTC

From: Gilles VAN ASSCHE <gilles.vanassche@st.com>
To: Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>
Date: Tue, 20 Aug 2024 15:17:39 +0000
Message-ID: <AM9PR10MB50058DF8751EEC48B45E0839F28D2@AM9PR10MB5005.EURPRD10.PROD.OUTLOOK.COM>
CC: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: [CFRG] Comment on draft-irtf-cfrg-vdaf
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/aXFVLIG3wE7Pb9WhoZPx1b6fXaU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>

Hi Chris,

I just wanted to comment on something you wrote recently about draft-irtf-cfrg-vdaf and its use of TurboSHAKE:

> I'll add my own data point: draft-irtf-cfrg-vdaf. This draft specifies an incremental distributed point function (IDPF), a type of function secret sharing used in some MPC protocols. Most of the computation is spent on XOF evaluation. For performance reasons, we try to use AES wherever we can in order to get hardware support. We end up with a mix of TurboSHAKE128 and AES, which is not ideal. It would be much nicer if we could afford to use a dedicated XOF, but TurboSHAKE128 is not fast enough in software.

A simple way to improve the throughput of TurboSHAKE's output in this application would be to use it in counter mode. This would allow platforms that support SIMD instructions to get a significant speed-up (e.g., 3× with AVX2 on a typical Haswell or Skylake architecture).

More specifically, this would work like XofFixedKeyAes128 to produce a fixed key. But, instead of using AES in counter mode, you could concatenate the outputs of TurboSHAKE128(fixed key || i, D, 168) with i a running counter coded on a fixed number of bits and D an available domain separation value. Parallelizing using SIMD instructions then becomes straightforward.

Kind regards,
Gilles
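The counter-mode construction proposed above, as an added example that is not code from the draft or from this thread: a compact pure-Python TurboSHAKE128 (Keccak-p[1600,12], rate 168 bytes) plus a wrapper that derives output block i as TurboSHAKE128(key || i, D, 168). The key argument, the 4-byte big-endian counter width and the function names are assumptions of this example; the known-answer value checked for the empty message with D=0x1F is the one published in draft-irtf-cfrg-kangarootwelve.

```python
# Added example: TurboSHAKE128 in pure Python and the counter-mode wrapper from the post.
_RC = [0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,   # rho offsets, lane x+5y
        41, 45, 15, 21, 8, 18, 2, 61, 56, 14]
_MASK = (1 << 64) - 1
_RATE = 168  # bytes per block for TurboSHAKE128 (capacity 256 bits)

def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & _MASK

def _keccak_p1600_12(a):
    """Keccak-p[1600] with 12 rounds (the last 12 of Keccak-f); state is 25 lanes."""
    for rc in _RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]                      # theta
        b = [0] * 25
        for i in range(25):                                           # rho + pi
            x, y = i % 5, i // 5
            b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[i], _ROT[i])
        a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                      # chi
        a[0] ^= rc                                                    # iota
    return a

def turboshake128(msg: bytes, d: int, length: int) -> bytes:
    """TurboSHAKE128(M, D, L): domain byte D in 0x01..0x7F, L output bytes."""
    p = msg + bytes([d])
    p += b"\0" * (-len(p) % _RATE)
    p = p[:-1] + bytes([p[-1] ^ 0x80])   # multi-rate padding: final 1 bit in last byte
    a = [0] * 25
    for off in range(0, len(p), _RATE):  # absorb
        for j in range(21):
            a[j] ^= int.from_bytes(p[off + 8 * j:off + 8 * j + 8], "little")
        a = _keccak_p1600_12(a)
    out = b""
    while len(out) < length:             # squeeze
        out += b"".join(l.to_bytes(8, "little") for l in a[:21])
        a = _keccak_p1600_12(a)
    return out[:length]

def turboshake128_ctr(key: bytes, d: int, length: int, ctr_bytes: int = 4) -> bytes:
    """Counter mode as proposed: block i = TurboSHAKE128(key || i, D, 168), i fixed-width."""
    nblocks = -(-length // _RATE)
    if nblocks > 1 << (8 * ctr_bytes):   # the counter width bounds the total output
        raise ValueError("output length exceeds the counter's range")
    blocks = [turboshake128(key + i.to_bytes(ctr_bytes, "big"), d, _RATE) for i in range(nblocks)]
    return b"".join(blocks)[:length]
```

Because each block depends only on (key, i, D), the blocks can be computed in any order or in parallel lanes, which is what makes the SIMD speed-up straightforward; the fixed counter width keeps key || i unambiguous and caps the total output at 2^(8·ctr_bytes) blocks.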