[CFRG] Re: I-D Action: draft-irtf-cfrg-aegis-aead-12.txt

Eric Biggers <ebiggers@kernel.org> Mon, 23 September 2024 17:21 UTC

List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/d5WZY2Na2vppT7FT24Cr1OCMsnU>

On Mon, Sep 23, 2024 at 04:32:58AM -0700, internet-drafts@ietf.org wrote:
> Internet-Draft draft-irtf-cfrg-aegis-aead-12.txt is now available. It is a
> work item of the Crypto Forum (CFRG) RG of the IRTF.
> 
>    Title:   The AEGIS Family of Authenticated Encryption Algorithms
>    Authors: Frank Denis
>             Samuel Lucas
>    Name:    draft-irtf-cfrg-aegis-aead-12.txt
>    Pages:   63
>    Dates:   2024-09-23
> 
> Abstract:
> 
>    This document describes the AEGIS-128L, AEGIS-256, AEGIS-128X, and
>    AEGIS-256X AES-based authenticated encryption algorithms designed for
>    high-performance applications.
> 
>    The document is a product of the Crypto Forum Research Group (CFRG).
>    It is not an IETF product and is not a standard.
> 
> Discussion Venues
> 
>    This note is to be removed before publishing as an RFC.
> 
>    Source for this draft and an issue tracker can be found at
>    https://github.com/cfrg/draft-irtf-cfrg-aegis-aead.
> 
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/
> 
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-irtf-cfrg-aegis-aead-12.html
> 
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-irtf-cfrg-aegis-aead-12
> 
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts

Thanks for the updated draft.  I noticed that AEGIS-128X and AEGIS-256X are now
included and have been since v6 of the draft.  I haven't looked into the
cryptography in detail here, but I wanted to express support for designing
algorithms that allow for larger amounts of parallelism -- as AEGIS-128X and
AEGIS-256X are intended to do, and many existing algorithms like AES-GCM do.

Due to the Vector AES extension and improved AVX-512 support in recent x86_64
CPUs, recent x86_64 CPUs can en/decrypt 16 or even 32 AES blocks in parallel.
For example, on AMD's "Zen 5" CPUs that have a full 512-bit data path, the
'vaesenc ZMM, ZMM, ZMM' instruction has a latency of 4 cycles and a reciprocal
throughput of 0.5 cycles.  Since 8 of these instructions can be executed in
parallel, and each one operates on a 512-bit register containing 4 AES blocks,
this means that up to 32 AES blocks can be encrypted in parallel.

I recently wrote AES-XTS and AES-GCM implementations that take advantage of the
x86_64 Vector AES and VPCLMULQDQ extensions.  Except for one AES block
encryption per message (for the tweak and authentication tag respectively), both
algorithms are fully parallel, so this was possible to do.  I looked into
optimizing AEGIS similarly, but I noticed that the "accepted" variant of AEGIS,
AEGIS-128, only supports 5 parallel AES round functions.  I guess it was assumed
this would be sufficient, but that's no longer the case.  AEGIS-128 naturally
results in an implementation using 128-bit vector registers, which uses only
about a quarter of the CPU's resources, and there is not much point trying to
optimize the code further as the algorithm definition makes it impossible.

Now, I don't know how practical it is to define more AEGIS variants when
AEGIS-128 was the one selected in CAESAR -- maybe it's "too late"?  But, I did
want to express support in principle for fixing the limited level of parallelism
in AEGIS, and it looks like AEGIS-128X and AEGIS-256X do this.

- Eric
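An added worked example (not part of Eric's message or the AEGIS draft) that turns the Zen 5 numbers quoted above into a Little's-law estimate: how many independent AES blocks a design must expose per dependent step to keep the AES unit full, and what fraction of that a design with only 5 parallel round functions can fill. The "one dependent step, N independent rounds" model and the `AesPipe`/`slot_fill` names are simplifying assumptions of this example.

```python
# Added example: pipeline-fill model for AES-based designs on a wide AES unit.
# Not code from the message or the AEGIS draft; the model is an assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class AesPipe:
    latency: float           # cycles until a vaesenc result can be consumed
    recip_throughput: float  # cycles between issues (0.5 => two per cycle)
    blocks_per_instr: int    # AES blocks per register (4 for ZMM, 1 for XMM)

    def instrs_in_flight(self) -> int:
        # Little's law: issue rate x latency = instructions that can overlap.
        return int(self.latency / self.recip_throughput)

    def block_slots(self) -> int:
        # Independent AES blocks needed to keep every overlapped slot busy.
        return self.instrs_in_flight() * self.blocks_per_instr


def slot_fill(pipe: AesPipe, independent_rounds: int) -> float:
    """Fraction of the unit's block slots a design can fill when its next step
    must wait for the current step's `independent_rounds` AES rounds.
    Simplification (assumed): no other work hides the remaining latency."""
    return min(1.0, independent_rounds / pipe.block_slots())


def rounds_needed_to_saturate(pipe: AesPipe) -> int:
    # Parallelism a design must offer to stop being latency-bound.
    return pipe.block_slots()


# Figures quoted in the message for AMD Zen 5 with a full 512-bit data path:
# 'vaesenc ZMM, ZMM, ZMM' latency 4 cycles, reciprocal throughput 0.5 cycles.
ZEN5_VAES_ZMM = AesPipe(latency=4, recip_throughput=0.5, blocks_per_instr=4)

# AEGIS-128's 5 parallel round functions, as stated in the message.
AEGIS128_PARALLEL_ROUNDS = 5

if __name__ == "__main__":
    print("instructions in flight:", ZEN5_VAES_ZMM.instrs_in_flight())
    print("blocks needed to saturate:", rounds_needed_to_saturate(ZEN5_VAES_ZMM))
    print("AEGIS-128 slot fill:", slot_fill(ZEN5_VAES_ZMM, AEGIS128_PARALLEL_ROUNDS))
    print("32-block design slot fill:", slot_fill(ZEN5_VAES_ZMM, 32))
```

Running it reproduces the message's 8 instructions x 4 blocks = 32 blocks figure and shows that a 5-round-per-step design can occupy well under a quarter of those slots even before the 128-bit register width is taken into account.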