Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01
Benoît Viguier <b.viguier@cs.ru.nl> Tue, 18 February 2020 14:45 UTC
Return-Path: <b.viguier@cs.ru.nl>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D7DE1201E0 for <cfrg@ietfa.amsl.com>; Tue, 18 Feb 2020 06:45:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j8Wdt6iYV1tk for <cfrg@ietfa.amsl.com>; Tue, 18 Feb 2020 06:45:47 -0800 (PST)
Received: from smtp3.science.ru.nl (smtp3.science.ru.nl [131.174.30.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA1D31201A3 for <cfrg@irtf.org>; Tue, 18 Feb 2020 06:45:46 -0800 (PST)
Received: from [145.116.133.10] (ip-145-116-133-10.wlan-int.ru.nl [145.116.133.10]) (authen=benoit) by smtp3.science.ru.nl (8.15.2/5.32) with ESMTPSA id 01IEjjev001710 for <cfrg@irtf.org>; Tue, 18 Feb 2020 15:45:45 +0100
To: cfrg@irtf.org
References: <DF952AED-7578-47B8-B42F-F6A18A927C31@isode.com> <f229605c-914a-21cf-5217-6c314b3323a7@cs.tcd.ie>
From: Benoît Viguier <b.viguier@cs.ru.nl>
Message-ID: <d3e393fd-16b7-9b74-56ce-97e2f8032709@cs.ru.nl>
Date: Tue, 18 Feb 2020 15:45:45 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <f229605c-914a-21cf-5217-6c314b3323a7@cs.tcd.ie>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ki-HlCLh0lK-lzHFyn6jTP81S_M>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2020 14:45:50 -0000
Dear Stephen, Thank you for your comments on our draft! Please find below some answers and comments. On 2/16/20 3:53 PM, Stephen Farrell wrote: > Hiya, > > On 16/02/2020 11:16, Alexey Melnikov wrote: >> Dear CFRG participants, >> >> This message is starting 2 weeks RGLC on >> draft-irtf-cfrg-kangarootwelve-01 ("KangarooTwelve"), that will end >> on March 1st 2020. If you've read the document and think that it is >> ready (or not ready) for publication as an RFC, please send a message >> in reply to this email or directly to CFRG chairs >> (cfrg-chairs@ietf.org). If you have detailed comments, these would >> also be very helpful at this point. > I had my 1st read of this and think it needs a bit of > work, but am overall unclear if it ought be published > now. (I also looked back at the list archive messages > referring to k12.) > > I don't think CFRG ought be publishing very novel > algorithm RFCs and am unclear how much study k12 has > gotten outside the author team. The main reference > given [1] has pointers to lots of work with titles that > mention reduced-round keccak but it's unclear (to me, > not having read 'em;-) how relevant those are to k12. Actually, all cryptanalysis of Keccak/SHA-3 is relevant to K12. Cryptanalysis resources are scarce, we chose as an explicit design goal to make K12 rely on cryptanalysis of Keccak/SHA-3. To be more precise, K12 is made of two layers: 1) The inner function F. This layer relies on cryptanalysis. K12's F function is exactly Keccak[r=1344, c=256] (as in SHAKE128) reduced to 12 rounds (no tweaks!). Hence, any reduced-round cryptanalysis on Keccak is also a reduced round cryptanalysis of K12's F (provided the number of rounds attacked is not higher than 12 of course). 2) The tree hashing over F. This layer is a mode on top of F that does not introduce any vulnerability thanks to the use of Sakura coding proven secure in the paper [Bertoni et al., ACNS 2014]. This reasoning is detailed and formalized in the paper [Bertoni et al., ACNS 2018], which is peer-reviewed. > [1] is also used as [KECCAK_CRYPTANALYSIS] in the draft > and is where the authors are pointing us to find > security analysis of k12. I don't think an author- > maintained web page like that is really good enough > as the key reference for an RFC like this. Good point indeed! One option would be that we put all the references in the RFC. We are not sure this is the right place for it, as we see an RFC more as implementation guide rather than an analysis paper. For example: https://tools.ietf.org/html/rfc7748 does not mention anything with respect to the security of X25519 which is detailed in section 3 of https://www.iacr.org/cryptodb/archive/2006/PKC/3351/3351.pdf. Nevertheless, we are open to this option. Another option would be to refer to [K12, Section 5]. In that section attacks with the highest number of rounds are discussed and corresponding paper are referred to. However with the possible appearance of new cryptanalysis results, this section would become outdated. > I totally get why the authors would find that > easier/better, but that won't be true for a reader in > 20 years time, so better to put in the precise > references now. That should also clarify the extent to > which those are about k12 (as defined here) and not > about something else. We agree with this, however Keccak cryptanalysis directly applies to K12. > I think the references really need fixing before this > ought be published. I'm not sure where the right line > ought be drawn in terms of maturity of an algorithm > before CFRG blesses it with an RFC. <4 years does seem > short, even if this is strongly based on keccak. (Hence > me being unsure overall.) For us the maturity amounts to more than 4 years. Being SHA-3, Keccak is a high-profile cryptanalysis target. As we did not tweak the round function, K12 relies on sustained cryptanalysis since 2008. > Separately, the draft could benefit from some guidance > as to when this is thought to be useful - presumably > that's when one wants a hash output that's >512 bits. > IIRC, there are other RFCs (forget numbers, sorry), > that describe how to get such outputs using standard > hash functions. If there are such RFCs, it'd be good > to reference those. Either way saying why and when this > is preferable to use of standard hash functions would > be good. The standard hash functions (SHA-1 and SHA-2) are subject to length extension attacks. And in all cases, K12 will be faster than SHA-3. If that makes it clearer, we could add a short guidance as to when the user can benefit the most from K12. We could simply reuse the arguments from these slides: https://benoit.viguier.nl/files/K12atMontreal.pdf > Other than the above, the draft seems clear (though > I didn't try implement) and many thanks for not > defining the usual pile of pointless variants/options:-) Thanks, yes, that was another design goal for K12. -- Kind regards, Benoît Viguier Software Engineer - PhD Student | Cryptography & Formal Methods Radboud University | Mercator 1, Toernooiveld 212 6525 EC Nijmegen, the Netherlands | www.viguier.nl
- [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01 Alexey Melnikov
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stephen Farrell
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Benoît Viguier
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stephen Farrell
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Benoît Viguier
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stephen Farrell
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stanislav V. Smyshlyaev
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Dan Brown
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Gilles Van Assche