Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01

Benoît Viguier <b.viguier@cs.ru.nl> Tue, 18 February 2020 14:45 UTC

Return-Path: <b.viguier@cs.ru.nl>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D7DE1201E0 for <cfrg@ietfa.amsl.com>; Tue, 18 Feb 2020 06:45:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j8Wdt6iYV1tk for <cfrg@ietfa.amsl.com>; Tue, 18 Feb 2020 06:45:47 -0800 (PST)
Received: from smtp3.science.ru.nl (smtp3.science.ru.nl [131.174.30.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA1D31201A3 for <cfrg@irtf.org>; Tue, 18 Feb 2020 06:45:46 -0800 (PST)
Received: from [145.116.133.10] (ip-145-116-133-10.wlan-int.ru.nl [145.116.133.10]) (authen=benoit) by smtp3.science.ru.nl (8.15.2/5.32) with ESMTPSA id 01IEjjev001710 for <cfrg@irtf.org>; Tue, 18 Feb 2020 15:45:45 +0100
To: cfrg@irtf.org
References: <DF952AED-7578-47B8-B42F-F6A18A927C31@isode.com> <f229605c-914a-21cf-5217-6c314b3323a7@cs.tcd.ie>
From: =?UTF-8?Q?Beno=c3=aet_Viguier?= <b.viguier@cs.ru.nl>
Message-ID: <d3e393fd-16b7-9b74-56ce-97e2f8032709@cs.ru.nl>
Date: Tue, 18 Feb 2020 15:45:45 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <f229605c-914a-21cf-5217-6c314b3323a7@cs.tcd.ie>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ki-HlCLh0lK-lzHFyn6jTP81S_M>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2020 14:45:50 -0000

Dear Stephen,

Thank you for your comments on our draft!

Please find below some answers and comments.

On 2/16/20 3:53 PM, Stephen Farrell wrote:
> Hiya,
>
> On 16/02/2020 11:16, Alexey Melnikov wrote:
>> Dear CFRG participants,
>>
>> This message is starting 2 weeks RGLC on
>> draft-irtf-cfrg-kangarootwelve-01 ("KangarooTwelve"), that will end
>> on March 1st 2020. If you've read the document and think that it is
>> ready (or not ready) for publication as an RFC, please send a message
>> in reply to this email or directly to CFRG chairs
>> (cfrg-chairs@ietf.org). If you have detailed comments, these would
>> also be very helpful at this point.
> I had my 1st read of this and think it needs a bit of
> work, but am overall unclear if it ought be published
> now. (I also looked back at the list archive messages
> referring to k12.)
>
> I don't think CFRG ought be publishing very novel
> algorithm RFCs and am unclear how much study k12 has
> gotten outside the author team. The main reference
> given [1] has pointers to lots of work with titles that
> mention reduced-round keccak but it's unclear (to me,
> not having read 'em;-) how  relevant those are to k12.

Actually, all cryptanalysis of Keccak/SHA-3 is relevant to K12.
Cryptanalysis resources are scarce, we chose as an explicit design goal
to make K12 rely on cryptanalysis of Keccak/SHA-3.

To be more precise, K12 is made of two layers:

1) The inner function F. This layer relies on cryptanalysis. K12's F
function is exactly Keccak[r=1344, c=256] (as in SHAKE128) reduced to 12
rounds (no tweaks!). Hence, any reduced-round cryptanalysis on Keccak is
also a reduced round cryptanalysis of K12's F (provided the number of
rounds attacked is not higher than 12 of course).

2) The tree hashing over F. This layer is a mode on top of F that does
not introduce any vulnerability thanks to the use of Sakura coding
proven secure in the paper [Bertoni et al., ACNS 2014].

This reasoning is detailed and formalized in the paper [Bertoni et al.,
ACNS 2018], which is peer-reviewed.

> [1] is also used as [KECCAK_CRYPTANALYSIS] in the draft
> and is where the authors are pointing us to find
> security analysis of k12. I don't think an author-
> maintained web page like that is really good enough
> as the key reference for an RFC like this.

Good point indeed!

One option would be that we put all the references in the RFC. We are
not sure this is the right place for it, as we see an RFC more as
implementation guide rather than an analysis paper. For example:
https://tools.ietf.org/html/rfc7748 does not mention anything with
respect to the security of X25519 which is detailed in section 3 of
https://www.iacr.org/cryptodb/archive/2006/PKC/3351/3351.pdf.
Nevertheless, we are open to this option.

Another option would be to refer to [K12, Section 5]. In that section
attacks with the highest number of rounds are discussed and
corresponding paper are referred to. However with the possible
appearance of new cryptanalysis results, this section would become outdated.

> I totally get why the authors would find that
> easier/better, but that won't be true for a reader in
> 20 years time, so better to put in the precise
> references now. That should also clarify the extent to
> which those are about k12 (as defined here) and not
> about something else.
We agree with this, however Keccak cryptanalysis directly applies to K12.
> I think the references really need fixing before this
> ought be published. I'm not sure where the right line
> ought be drawn in terms of maturity of an algorithm
> before CFRG blesses it with an RFC. <4 years does seem
> short, even if this is strongly based on keccak. (Hence
> me being unsure overall.)
For us the maturity amounts to more than 4 years. Being SHA-3, Keccak is
a high-profile cryptanalysis target. As we did not tweak the round
function, K12 relies on sustained cryptanalysis since 2008.
> Separately, the draft could benefit from some guidance
> as to when this is thought to be useful - presumably
> that's when one wants a hash output that's >512 bits.
> IIRC, there are other RFCs (forget numbers, sorry),
> that describe how to get such outputs using standard
> hash functions. If there are such RFCs, it'd be good
> to reference those. Either way saying why and when this
> is preferable to use of standard hash functions would
> be good.
The standard hash functions (SHA-1 and SHA-2) are subject to length
extension attacks. And in all cases, K12 will be faster than SHA-3. If
that makes it clearer, we could add a short guidance as to when the user
can benefit the most from K12. We could simply reuse the arguments from
these slides: https://benoit.viguier.nl/files/K12atMontreal.pdf
> Other than the above, the draft seems clear (though
> I didn't try implement) and many thanks for not
> defining the usual pile of pointless variants/options:-)

Thanks, yes, that was another design goal for K12.

-- 
Kind regards,

Benoît Viguier
Software Engineer - PhD Student | Cryptography & Formal Methods
Radboud University | Mercator 1, Toernooiveld 212
6525 EC Nijmegen, the Netherlands | www.viguier.nl