[CFRG] Re: BLAKE3 I-D
Chris Barber <cbarbernash@gmail.com> Wed, 21 August 2024 16:51 UTC
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/oo08h_PoXbg1MnT6fN2Ur7s3hpU>
Dear Chris,

You are comparing specific implementations on a particular CPU, not the algorithms themselves. The "sha3" library you are using is not optimized and may not accurately reflect the performance of TurboSHAKE compared to, for example, XKCP. In software, the performance of BLAKE3 and TurboSHAKE/KT12 is theoretically very close but highly dependent on the implementation in practice.

Since this discussion is about adoption, I believe it would be more relevant to compare the algorithms themselves. What properties does BLAKE3 have that TurboSHAKE doesn't? "It's already used a lot in the wild" can be sufficient to justify a specification.

On Thu, Aug 15, 2024 at 11:07 PM Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org> wrote:

> Hi all,
>
> Before adopting BLAKE3, I think it would be useful to see how much of a
> difference it would make in our applications. I would suggest looking
> through RFCs published by CFRG and assess how performance would change if
> they could have used BLAKE3. Off the top of my head:
> - RFC 9180 - HPKE (replace HKDF?)
> - draft-irtf-cfrg-opaque - OPAQUE
> - RFC 9380 - hashing to elliptic curves
>
> I'll add my own data point: draft-irtf-cfrg-vdaf. This draft specifies an
> incremental distributed point function (IDPF), a type of function secret
> sharing used in some MPC protocols. Most of the computation is spent on XOF
> evaluation. For performance reasons, we try to use AES wherever we can in
> order to get hardware support. We end up with a mix of TurboSHAKE128 and
> AES, which is not ideal. It would be much nicer if we could afford to use a
> dedicated XOF, but TurboSHAKE128 is not fast enough in software. I threw
> together some benchmarks for B3:
>
> https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1
>
> The results were interesting. Compared to Turbo, B3 is 30% faster, as
> expected. Compared to the baseline (mix of Turbo and AES), B3 is 2-3x
> slower for the client operation, as expected; but the server was slightly
> faster, which frankly is a bit of a mystery. We'll need to dig into the
> code more to be certain, as there may be some obvious inefficiencies on the
> client side. But preliminarily, I would say B3 is probably too slow in
> software for this application.
>
> Chris P.
>
> _______________________________________________
> CFRG mailing list -- cfrg@irtf.org
> To unsubscribe send an email to cfrg-leave@irtf.org