Re: [CFRG] Extract-and-expand with KMAC
John Mattsson <john.mattsson@ericsson.com> Sun, 15 November 2020 16:56 UTC
From: John Mattsson <john.mattsson@ericsson.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
CC: CFRG <cfrg@irtf.org>
Date: Sun, 15 Nov 2020 16:56:44 +0000
Message-ID: <B6CB4439-9F31-4551-B979-FF59DD80200D@ericsson.com>
References: <467DD0FC-FF7F-453F-98B2-ADC7F0F976B1@ericsson.com> <20201115163535.GA3384456@LK-Perkele-VII>
In-Reply-To: <20201115163535.GA3384456@LK-Perkele-VII>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/eyx6PqzCvDh_R1I0xmeMkvMEeZk>
Thanks Ilari!

-----Original Message-----
From: <ilariliusvaara@welho.com> on behalf of Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Sunday, 15 November 2020 at 17:35
To: John Mattsson <john.mattsson@ericsson.com>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Extract-and-expand with KMAC

On Sun, Nov 15, 2020 at 01:47:42PM +0000, John Mattsson wrote:
> Hi,
>
> HMAC is needed to mitigate the length extension weakness of SHA-2.
> SHAKE does not have this weakness and NIST has therefore
> standardized the simple and efficient KMAC mode.

What I do not like about KMAC is that the spec is somewhat difficult to understand (even if it is not quite as bad as FIPS202), and seemingly lacks any usable test vectors (where usable means everything is a multiple of an octet; I have not found unofficial ones either).

(KMAC is closely related to cSHAKE, and I did find some unofficial(?) test vectors for cSHAKE. Those test vectors were very useful when writing an implementation of cSHAKE.)

> LAKE WG is discussing using KMAC in an extract-and-expand fashion
> similar to HKDF. However, there are several options when mapping the
> KDF Extract and Expand interfaces to KMAC(K, X, L, S).
>
> Would the following be reasonable for KMAC128, or would CFRG suggest
> something else?
>
> PRK = Extract(salt, IKM) = KMAC128(salt, IKM, 256, "")
> OKM = Expand(PRK, L, info) = KMAC128(PRK, "", L, info)

The S parameter is contextualization and processed before K, so one should not stick arbitrary and/or possibly attacker-controlled things in S.

If one just did raw substitution inside HKDF and eliminated the redundant counter octet (since the first block is always enough), one would obtain:

PRK = Extract(salt, IKM) = KMAC128(salt, IKM, 256, "")
OKM = Expand(PRK, L, info) = KMAC128(PRK, info, L, "")

One might want to contextualize those two, to obtain something like:

PRK = Extract(salt, IKM) = KMAC128(salt, IKM, 256, "KDF extraction")
OKM = Expand(PRK, L, info) = KMAC128(PRK, info, L, "KDF expansion")

No further contextualization is possible without going beyond the present KDF interface.

For the 256-bit level, just replace KMAC128 by KMAC256, and 256 with 512.

This also has the property that if multiple expansions are computed from the same PRK, one can precompute the first two Keccak-F invocations and share those among the different expansions of the PRK.

> Or should maybe the Extract and Expand interfaces be updated with more parameters? Wouldn't that cause serious API issues?

Adding parameters to interfaces can cause serious issues, especially when the parameters are sometimes available and sometimes not.

-Ilari