[CFRG] Re: BLAKE3 I-D

Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> Wed, 14 August 2024 22:20 UTC

References: <CAGiyFdfKZ1qsPR62kb8M_EqfGOfuU4nkEY4JjLCwBb_JOZdxOA@mail.gmail.com> <CAMr0u6kpcRvsifS3GRX0LNCD1LODo_pePZo51K7okfQtatEgNA@mail.gmail.com> <CAGiyFdfAFT4HzxNLB4QKdGs8F8QD-y5LmMpnH=C+O8+2XF8eBQ@mail.gmail.com> <CAG2Zi20x1WvGH3FdhOW0HjpDfJhgfnSJUvXsoqywgn4vy_1eGA@mail.gmail.com> <CA+6di1kw4rPcseBUfAc=kTLbQSXGyph9wHZV-fn9CEg5KjOkgA@mail.gmail.com> <CAG2Zi21v9pDu_EOB1aOyFwsJ+ztoZ5tnk7Dimhap7xGMryJttQ@mail.gmail.com>
In-Reply-To: <CAG2Zi21v9pDu_EOB1aOyFwsJ+ztoZ5tnk7Dimhap7xGMryJttQ@mail.gmail.com>
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Wed, 14 Aug 2024 15:20:20 -0700
Message-ID: <CAGiyFdeUaYaKfDwe1xyRQmB1svW3OBpCRXKvOnA-hcyi5zec-w@mail.gmail.com>
To: Christopher Patton <cpatton@cloudflare.com>
CC: Jack O'Connor <oconnor663@gmail.com>, cfrg@ietf.org, cfrg-chairs@ietf.org, Zooko O'Whielacronx <zookog@gmail.com>
Subject: [CFRG] Re: BLAKE3 I-D
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/jbYXGlVFyOZt1gA5wNAmQ7QRLWQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

Hey Chris, all

Thanks for following up, please see my answers below:

On Wed 14 Aug 2024 at 13:35 Christopher Patton <cpatton@cloudflare.com>
wrote:

>
>
>> The main difference between B3 and K12 in this case is that, while both
>> make extensive use of SIMD parallelism, only b3sum is multithreaded.
>> k12sum could use multithreading in theory, but in practice I'm not aware
>> of any multithreaded implementations of K12. The difference in tree
>> structures is important: B3 is a binary tree with the usual recursive
>> structure, which lets us use "divide-and-conquer" / "fork-join" parallelism
>> of the sort provided by OpenMP in C/C++ or Rayon in Rust. K12 has a
>> shallow/one-parent structure, which would need some sort of job queue with
>> more synchronization and tuning, and the root node itself can be a
>> bottleneck. (TurboSHAKE has a serial structure and can't take much
>> advantage of SIMD or threads, which is a major performance disadvantage on
>> modern machines.)
>>
>
> For my own edification, what applications benefit from the tree structure?
> Does this create overhead if you are only hashing with a single thread?
>

Essentially all apps where you hash more than a handful of KBs, be it bare
metal or via vCPUs. With a single thread, B3 still parallelizes at the
instruction level via SIMD instructions. Single-threading incurs minimal
overhead, and in this case B3's performance remains superior to standard
crypto hash functions.


>
>> The B3 XOF is counter-based, similar to ChaCha or AES-CTR, which makes it
>> parallelizable and suitable as a stream cipher or a high-performance
>> CSPRNG. K12 and TurboSHAKE use a sponge-style XOF that isn't parallelizable.
>>
>
> This seems valuable, but I wonder if it limits how one might use BLAKE3.
> Would you recommend BLAKE3 for instantiating random oracles?
>

Yes, B3's construction is indifferentiable from an RO, making it suitable to
instantiate ROs as much as SHA3.

We (B3 team) will be happy to answer any questions regarding B3's design
and performance, and how they compare to K12. However, we should try to
avoid a prolonged "K12 vs B3" debate that would be unproductive for
everyone involved. Regardless of K12's (and other Keccak family members')
undeniable merits, our goal with this submission is to meet the needs of
the organizations and projects that wish to use B3 but require some formal
validation (typically for compliance reasons or other red tape situations).
For example, we're regularly asked when B3 will make it into OpenSSL but it
seems that it will be challenging without some formal standardization of
the specs.

As Jack pointed out, a number of prominent projects already integrated B3,
to benefit from its performance and production-ready software. A tremendous
amount of work was done by Jack and Samuel to create and maintain reliable
and efficient code in https://github.com/BLAKE3-team/BLAKE3, a repo now
with 5k+ stars. We believe that, more than our technical arguments in favor
of B3, its popularity among users speaks for itself.

(re-adding Samuel to the thread)

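The two structural points made in the quoted exchange (chunk chaining values are independent, so a message is hashed as a fork-join over a binary tree, and the XOF is counter-based, so output block i depends only on the root node and i) can be seen directly in a small implementation. The block below is an added example written for this page from the published BLAKE3 specification; it is not the BLAKE3 team's code, and the `workers` and `seek` parameters, the `ThreadPoolExecutor` pool and the recursive `hash_tree` (instead of the spec's incremental chaining-value stack) are this example's own choices. Unkeyed mode only; the known BLAKE3 digests of the empty string and of `abc` can be used to check it.

```python
"""Compact unkeyed BLAKE3 written from the BLAKE3 spec (added example, not the
BLAKE3 team's code). Shows (1) chunk chaining values computed independently
and merged as a binary tree, (2) the counter-based, seekable XOF."""
from concurrent.futures import ThreadPoolExecutor
import struct

IV = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
      0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19]
MSG_PERMUTATION = [2, 6, 3, 10, 7, 0, 4, 13, 1, 11, 12, 5, 9, 14, 15, 8]
BLOCK_LEN, CHUNK_LEN = 64, 1024
CHUNK_START, CHUNK_END, PARENT, ROOT = 1, 2, 4, 8
MASK = 0xFFFFFFFF


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def g(s, a, b, c, d, mx, my):
    s[a] = (s[a] + s[b] + mx) & MASK; s[d] = rotr(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK;      s[b] = rotr(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b] + my) & MASK; s[d] = rotr(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK;      s[b] = rotr(s[b] ^ s[c], 7)


def compress(cv, block_words, counter, block_len, flags):
    """BLAKE3 compression: 7 rounds, message words permuted between rounds."""
    s = list(cv) + IV[:4] + [counter & MASK, (counter >> 32) & MASK, block_len, flags]
    m = list(block_words)
    for r in range(7):
        g(s, 0, 4, 8, 12, m[0], m[1]);   g(s, 1, 5, 9, 13, m[2], m[3])
        g(s, 2, 6, 10, 14, m[4], m[5]);  g(s, 3, 7, 11, 15, m[6], m[7])
        g(s, 0, 5, 10, 15, m[8], m[9]);  g(s, 1, 6, 11, 12, m[10], m[11])
        g(s, 2, 7, 8, 13, m[12], m[13]); g(s, 3, 4, 9, 14, m[14], m[15])
        if r < 6:
            m = [m[i] for i in MSG_PERMUTATION]
    return [s[i] ^ s[i + 8] for i in range(8)] + [s[i + 8] ^ cv[i] for i in range(8)]


def words(block):
    return list(struct.unpack("<16I", block.ljust(BLOCK_LEN, b"\0")))


# A node's "output" is the state of its final compression, deferred so the
# ROOT flag and the output block counter can still be applied: a tuple of
# (input cv, block words, counter, block_len, flags).
def chunk_output(chunk, index):
    """Leaf: compress up to 16 blocks of one chunk; counter = chunk index."""
    blocks = [chunk[i:i + BLOCK_LEN] for i in range(0, len(chunk), BLOCK_LEN)] or [b""]
    cv = IV
    for i, blk in enumerate(blocks[:-1]):
        cv = compress(cv, words(blk), index, BLOCK_LEN, CHUNK_START if i == 0 else 0)[:8]
    flags = (CHUNK_START if len(blocks) == 1 else 0) | CHUNK_END
    return (cv, words(blocks[-1]), index, len(blocks[-1]), flags)


def chaining_value(out):
    cv, bw, counter, blen, flags = out
    return compress(cv, bw, counter, blen, flags)[:8]


def parent_output(left_cv, right_cv):
    return (IV, left_cv + right_cv, 0, BLOCK_LEN, PARENT)


def hash_tree(outs):
    """Recursive binary tree: the left subtree holds the largest power-of-two
    number of chunks strictly below the total, so the shape depends only on
    the input length and subtrees can be hashed independently."""
    if len(outs) == 1:
        return outs[0]
    left_len = 1 << ((len(outs) - 1).bit_length() - 1)
    left, right = hash_tree(outs[:left_len]), hash_tree(outs[left_len:])
    return parent_output(chaining_value(left), chaining_value(right))


def blake3_xof(data, length=32, seek=0, workers=4):
    """Hash `data` (chunk CVs in a fork-join pool), then return `length` XOF
    bytes starting at byte offset `seek` without computing earlier bytes."""
    chunks = [data[i:i + CHUNK_LEN] for i in range(0, len(data), CHUNK_LEN)] or [b""]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        outs = list(pool.map(chunk_output, chunks, range(len(chunks))))
    cv, bw, _counter, blen, flags = hash_tree(outs)
    # Counter-based XOF: block i = compress(root state, counter=i, ROOT).
    out, block_index = bytearray(), seek // BLOCK_LEN
    while len(out) < (seek % BLOCK_LEN) + length:
        out += struct.pack("<16I", *compress(cv, bw, block_index, blen, flags | ROOT))
        block_index += 1
    return bytes(out[seek % BLOCK_LEN:][:length])


def blake3_hex(data):
    return blake3_xof(data).hex()
```

The thread pool only illustrates the fork-join shape (each `chunk_output` call is independent of the others); in CPython the GIL keeps it from being faster than a plain `map`, and real speedups come from native code of the kind b3sum gets from Rayon plus SIMD. The `seek` path is the practical payoff of the counter-based XOF: a sponge-style XOF would have to squeeze every byte before the requested offset.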