[CFRG] Re: BLAKE3 I-D

Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> Thu, 15 August 2024 23:45 UTC

References: <CAGiyFdfKZ1qsPR62kb8M_EqfGOfuU4nkEY4JjLCwBb_JOZdxOA@mail.gmail.com> <CAMr0u6kpcRvsifS3GRX0LNCD1LODo_pePZo51K7okfQtatEgNA@mail.gmail.com> <CAGiyFdfAFT4HzxNLB4QKdGs8F8QD-y5LmMpnH=C+O8+2XF8eBQ@mail.gmail.com> <CAG2Zi20x1WvGH3FdhOW0HjpDfJhgfnSJUvXsoqywgn4vy_1eGA@mail.gmail.com> <CA+6di1kw4rPcseBUfAc=kTLbQSXGyph9wHZV-fn9CEg5KjOkgA@mail.gmail.com> <CAG2Zi21v9pDu_EOB1aOyFwsJ+ztoZ5tnk7Dimhap7xGMryJttQ@mail.gmail.com> <CAGiyFdeUaYaKfDwe1xyRQmB1svW3OBpCRXKvOnA-hcyi5zec-w@mail.gmail.com> <CAG2Zi2277O_aJhY1v5N6vGFK1_TPFHQ5w89RJgmzfbSBmGhmcw@mail.gmail.com>
In-Reply-To: <CAG2Zi2277O_aJhY1v5N6vGFK1_TPFHQ5w89RJgmzfbSBmGhmcw@mail.gmail.com>
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Thu, 15 Aug 2024 16:45:33 -0700
Message-ID: <CAGiyFdd_Azx+f_dMPQH-Dt3GpP3kkchVgghnzmeK9TE7tDKyEg@mail.gmail.com>
To: Christopher Patton <cpatton@cloudflare.com>
CC: Jack O'Connor <oconnor663@gmail.com>, cfrg@ietf.org, cfrg-chairs@ietf.org, Zooko O'Whielacronx <zookog@gmail.com>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fPK6A6QtGyAUL745wUUK7XJvSQU>

From my recollection, I was a reviewer of HPKE and suggested that it
supports an arbitrary KDF (SHA3- or B3-based, for example) rather than the
specific, suboptimal HKDF construction; see
https://gist.github.com/veorq/76196fde31390a8696eac7e062c7b2ea.
(Made a similar argument a while ago for the Noise protocol and kinda
remember that HKDF was deemed more reliable and more "probably secure"; in
some other contexts HKDF is preferable as a default KDF because of its
direct FIPSness.)

Anyway, I'm not sure that the speed difference would be significant though,
as hash-like computation is dwarfed by that of pubkey ops in the protocols
you cite.

On Thu 15 Aug 2024 at 14:06 Christopher Patton <cpatton@cloudflare.com>
wrote:

> Hi all,
>
> Before adopting BLAKE3, I think it would be useful to see how much of a
> difference it would make in our applications. I would suggest looking
> through RFCs published by CFRG and assess how performance would change if
> they could have used BLAKE3. Off the top of my head:
> - RFC 9180 - HPKE (replace HKDF?)
> - draft-irtf-cfrg-opaque - OPAQUE
> - RFC 9380 - hashing to elliptic curves
>
> I'll add my own data point: draft-irtf-cfrg-vdaf. This draft specifies an
> incremental distributed point function (IDPF), a type of function secret
> sharing used in some MPC protocols. Most of the computation is spent on XOF
> evaluation. For performance reasons, we try to use AES wherever we can in
> order to get hardware support. We end up with a mix of TurboSHAKE128 and
> AES, which is not ideal. It would be much nicer if we could afford to use a
> dedicated XOF, but TurboSHAKE128 is not fast enough in software. I threw
> together some benchmarks for B3:
>
> https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1
>
> The results were interesting. Compared to Turbo, B3 is 30% faster, as
> expected. Compared to the baseline (mix of Turbo and AES), B3 is 2-3x
> slower for the client operation, as expected; but the server was slightly
> faster, which frankly is a bit of a mystery. We'll need to dig into the
> code more to be certain, as there may be some obvious inefficiencies on the
> client side. But preliminarily, I would say B3 is probably too slow in
> software for this application.
>
> Chris P.
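The "arbitrary KDF" point in the reply above turns on the two seams HPKE (RFC 9180) exposes to its KDF, Extract and Expand, which the spec wraps in LabeledExtract and LabeledExpand and then calls from KeySchedule(). The Python below is an added example, not code from this message, the thread, or the HPKE or BLAKE3 projects: it implements the labeled KDF and the KDF-dependent part of KeySchedule() over a pluggable backend, with HKDF-SHA256 as the registered instance (checked against the RFC 5869 test vector) and a keyed-hash stand-in showing the shape a BLAKE3-based backend would fill. The KeyedHashKdf class, its placeholder kdf_id 0xFFFF, the use of hashlib.blake2b in place of BLAKE3 (which is not in the standard library), and the sample inputs in the __main__ block are assumptions constructed for illustration; VerifyPSKInputs() and the AEAD side of HPKE are left out.

```python
"""HPKE labeled KDF (RFC 9180 Section 4) over a pluggable Extract/Expand backend."""
import hashlib
import hmac

HPKE_VERSION = b"HPKE-v1"
MODE_BASE = 0x00
KEM_DHKEM_X25519_HKDF_SHA256 = 0x0020
AEAD_AES_128_GCM = 0x0001


def i2osp(n: int, length: int) -> bytes:
    """Big-endian integer-to-octet-string conversion (I2OSP)."""
    return n.to_bytes(length, "big")


class HkdfSha256:
    """HKDF-SHA256 (RFC 5869), registered as HPKE KDF ID 0x0001."""
    kdf_id = 0x0001
    Nh = 32  # Extract output length in bytes

    def extract(self, salt: bytes, ikm: bytes) -> bytes:
        # RFC 5869: an absent salt is replaced by Nh zero bytes.
        return hmac.new(salt or bytes(self.Nh), ikm, hashlib.sha256).digest()

    def expand(self, prk: bytes, info: bytes, L: int) -> bytes:
        if L > 255 * self.Nh:
            raise ValueError("HKDF-Expand output is limited to 255*Nh bytes")
        okm, t, counter = b"", b"", 1
        while len(okm) < L:
            t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
            okm += t
            counter += 1
        return okm[:L]


class KeyedHashKdf:
    """Illustrative stand-in (an assumption, not a registered HPKE KDF or a vetted
    construction): Extract is a keyed hash of ikm under the salt, Expand is a keyed
    hash of info plus a block counter. hashlib.blake2b's keyed mode is used only
    because BLAKE3 is not in the standard library; a BLAKE3 backend would fill the
    same two methods (for example with its keyed and derive_key modes)."""
    kdf_id = 0xFFFF  # placeholder value, not an IANA-registered KDF ID
    Nh = 32

    def extract(self, salt: bytes, ikm: bytes) -> bytes:
        key = salt or bytes(self.Nh)
        if len(key) > 64:  # blake2b keys are at most 64 bytes
            key = hashlib.blake2b(key, digest_size=64).digest()
        return hashlib.blake2b(ikm, key=key, digest_size=self.Nh).digest()

    def expand(self, prk: bytes, info: bytes, L: int) -> bytes:
        okm, counter = b"", 0
        while len(okm) < L:
            block = hashlib.blake2b(info + i2osp(counter, 4), key=prk, digest_size=self.Nh)
            okm += block.digest()
            counter += 1
        return okm[:L]


def labeled_extract(kdf, suite_id: bytes, salt: bytes, label: bytes, ikm: bytes) -> bytes:
    """RFC 9180 LabeledExtract: binds version string, suite ID and label into ikm."""
    return kdf.extract(salt, HPKE_VERSION + suite_id + label + ikm)


def labeled_expand(kdf, suite_id: bytes, prk: bytes, label: bytes, info: bytes, L: int) -> bytes:
    """RFC 9180 LabeledExpand: the requested length is bound into info as well."""
    return kdf.expand(prk, i2osp(L, 2) + HPKE_VERSION + suite_id + label + info, L)


def key_schedule(kdf, kem_id: int, aead_id: int, mode: int, shared_secret: bytes,
                 info: bytes, psk: bytes = b"", psk_id: bytes = b"",
                 Nk: int = 16, Nn: int = 12):
    """KDF-dependent part of RFC 9180 KeySchedule(): (key, base_nonce, exporter_secret).
    Swapping the KDF changes only kdf.kdf_id inside suite_id and the backend calls,
    which is the sense in which HPKE can take any Extract/Expand pair."""
    suite_id = b"HPKE" + i2osp(kem_id, 2) + i2osp(kdf.kdf_id, 2) + i2osp(aead_id, 2)
    psk_id_hash = labeled_extract(kdf, suite_id, b"", b"psk_id_hash", psk_id)
    info_hash = labeled_extract(kdf, suite_id, b"", b"info_hash", info)
    ctx = bytes([mode]) + psk_id_hash + info_hash
    secret = labeled_extract(kdf, suite_id, shared_secret, b"secret", psk)
    key = labeled_expand(kdf, suite_id, secret, b"key", ctx, Nk)
    base_nonce = labeled_expand(kdf, suite_id, secret, b"base_nonce", ctx, Nn)
    exporter_secret = labeled_expand(kdf, suite_id, secret, b"exp", ctx, kdf.Nh)
    return key, base_nonce, exporter_secret


if __name__ == "__main__":
    # Constructed sample inputs (not a published test vector).
    ss = bytes.fromhex("00" * 31 + "01")
    info = b"example info string"
    for kdf in (HkdfSha256(), KeyedHashKdf()):
        k, n, e = key_schedule(kdf, KEM_DHKEM_X25519_HKDF_SHA256, AEAD_AES_128_GCM,
                               MODE_BASE, ss, info)
        print(type(kdf).__name__, k.hex(), n.hex(), e.hex())
```

With HkdfSha256, kem_id 0x0020, aead_id 0x0001 and mode 0, key_schedule() can be checked against the values in RFC 9180 Appendix A.1.1 by feeding it that vector's shared_secret and info; the stand-in backend has no such reference and is only there to show where a B3-based KDF would sit.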