[CFRG] Re: BLAKE3 I-D

Eric Rescorla <ekr@rtfm.com> Sat, 24 August 2024 17:29 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C96AFC14F6A6 for <cfrg@ietfa.amsl.com>; Sat, 24 Aug 2024 10:29:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RxIfA26O_5JM for <cfrg@ietfa.amsl.com>; Sat, 24 Aug 2024 10:29:44 -0700 (PDT)
Received: from mail-yw1-x112e.google.com (mail-yw1-x112e.google.com [IPv6:2607:f8b0:4864:20::112e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69F5BC14F60D for <cfrg@irtf.org>; Sat, 24 Aug 2024 10:29:44 -0700 (PDT)
Received: by mail-yw1-x112e.google.com with SMTP id 00721157ae682-6c130ffa0adso31227537b3.3 for <cfrg@irtf.org>; Sat, 24 Aug 2024 10:29:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1724520583; x=1725125383; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qL8vLWbaWl7Vv4cLtslTCOXURr5DopApiPJqP1dNDvE=; b=PnEyEjHtYPnYPfhwTAIAjuc1CBKdeF3ONEHuS79nSWXyfpRJErqmLrca+397ooMp4H RJZ1GdTVVVEVe0qsTbhld85xVV8QjMCioQ/GOm4Ta0X93mYQ4tLaWgEATnoxk0GiJGfK /5NZVb8rkCmbxYmGgcv1EUckj2NsPjuh66GYfLckSJCov0qZs3k9S78zQhn3xqa5XPGC b1AlZa5mJwsoQn9mpi8sRsFdIZzdFAENtD3DwpnhsoQkZSZe5rAknT06h7O9k6igYBaP /kB4mvR/btQo6E6mC/JaZ8jfyFs6KinSwLZQfOm01/7sibtNPIU5+beSIg9y6jVMDCyM BREA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724520583; x=1725125383; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qL8vLWbaWl7Vv4cLtslTCOXURr5DopApiPJqP1dNDvE=; b=eE1/1jryKbgBoRbeEou/9ON/63bzq56TzuvjnRMgaX56XqRwVxOZZMtytrH5BN3XJ6 cJfQBRteTZf535BEdI4tojKhkWF1fdb5QBdVN6EOsKvji+UrmVdyzSAFBq4s48nY0xXi +6T5NK3n/Xk/baMvescEjsIDkh6JG7ykPpfwk1eQBMtyI8XWtIYG6B75ZA8K2/i4Rlgj ZB2m2Vq361IFVORugJ7LR56Lcl5ETTf4n+fZyszvRcMDIKDxN/2hGvuiVVsjRrLhNaSw +bc3ne9k3xPB3g1k8AQ9DUkp03ySe3jSj0iHnDVptw5gcXNasa6js68WI0R4noAwbIrv pftA==
X-Gm-Message-State: AOJu0YxDv9Rou3MKeJXgDJ1XcyKs+PDhll+780KDzAzo7F6pFv7A2qdk 0on6ah1YEGZbVl38rbrOPCYFfma8u7sU82Z71lPDKmrmghDwrHTUWXTO6keiUhlJEyF6BDO/qt1 U929kb3psJo/Qon/jkCpLogB3R9onlZSS5MuXIsNResVR9sWK
X-Google-Smtp-Source: AGHT+IEpbHm95poy7zClrT5NytFUF35NQB5N/riXLazerc20uRx870ruUGDxC+WRtIeHwWtdDYacjcfcqm1K5JJc93E=
X-Received: by 2002:a05:690c:39a:b0:632:12b:8315 with SMTP id 00721157ae682-6c625d31cc6mr70685887b3.22.1724520583529; Sat, 24 Aug 2024 10:29:43 -0700 (PDT)
MIME-Version: 1.0
References: <CAGiyFdfKZ1qsPR62kb8M_EqfGOfuU4nkEY4JjLCwBb_JOZdxOA@mail.gmail.com> <CAMr0u6kpcRvsifS3GRX0LNCD1LODo_pePZo51K7okfQtatEgNA@mail.gmail.com> <CAGiyFdfAFT4HzxNLB4QKdGs8F8QD-y5LmMpnH=C+O8+2XF8eBQ@mail.gmail.com> <CAG2Zi20x1WvGH3FdhOW0HjpDfJhgfnSJUvXsoqywgn4vy_1eGA@mail.gmail.com> <CA+6di1kw4rPcseBUfAc=kTLbQSXGyph9wHZV-fn9CEg5KjOkgA@mail.gmail.com> <CAG2Zi21v9pDu_EOB1aOyFwsJ+ztoZ5tnk7Dimhap7xGMryJttQ@mail.gmail.com> <CAGiyFdeUaYaKfDwe1xyRQmB1svW3OBpCRXKvOnA-hcyi5zec-w@mail.gmail.com> <CAG2Zi2277O_aJhY1v5N6vGFK1_TPFHQ5w89RJgmzfbSBmGhmcw@mail.gmail.com> <CAFzKZmzfRyYJ4O_9t7fWTnUvZ5rRvGmKN1ETs0+1YrY5Men-fQ@mail.gmail.com> <CABcZeBN4jxHB6YOUc5ANTZjc0jxd5aSZ-G_A+qe9-ze0YT3+UA@mail.gmail.com> <ec9e57f6-9daa-2edf-71bd-0b548c403182@emailplus.org>
In-Reply-To: <ec9e57f6-9daa-2edf-71bd-0b548c403182@emailplus.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 24 Aug 2024 10:29:07 -0700
Message-ID: <CABcZeBPKWu35akwrBpK2XBTmjxZ7x8O12zDt4LmgV3wrYgCpyA@mail.gmail.com>
To: Benson Muite <benson_muite@emailplus.org>
Content-Type: multipart/alternative; boundary="000000000000ca23780620713c83"
Message-ID-Hash: C55CSZE6PBVGRPLPEOUEYE55TFRM7G6S
X-Message-ID-Hash: C55CSZE6PBVGRPLPEOUEYE55TFRM7G6S
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: cfrg@irtf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: BLAKE3 I-D
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/qsGmJnJHQuVsjD03gtncke_qDL4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

On Fri, Aug 23, 2024 at 11:56 PM Benson Muite <benson_muite@emailplus.org>
wrote:

> On 22/08/2024 05.20, Eric Rescorla wrote:
> > I don't actually think the question of how much an algorithm is used in
> > the wild is that relevant to the question of adoption. The more relevant
> > question is whether there are IETF groups who want to use a given
> > algorithm, because that is where CFRG should focus its limited resources.
> >
>
> RFC 7693 [1] documents Blake 2.  Blake 3 is an improved version of this,
> so is worth reviewing. Blake 2 was done through the independent
> submission stream [2], rather than through a research or working group.
>
> 1) https://datatracker.ietf.org/doc/html/rfc7693
> 2) https://www.rfc-editor.org/about/independent/


I don't think this follows at all. There are lots of things in the
Independent Stream
I wouldn't want to see CFRG spend effort on, for instance the GOST
algorithms.

-Ekr


>
> > -Ekr
> >
> >
> > On Wed, Aug 21, 2024 at 9:51 AM Chris Barber <cbarbernash@gmail.com
> > <mailto:cbarbernash@gmail.com>> wrote:
> >
> >     Dear Chris,
> >
> >     You are comparing specific implementations on a particular CPU, not
> >     the algorithms themselves. The "sha3" library you are using is not
> >     optimized and may not accurately reflect the performance of
> >     TurboSHAKE compared to, for example, XKCP. In software, the
> >     performance of BLAKE3 and TurboSHAKE/KT12 is theoretically very
> >     close but highly dependent on the implementation in practice.
> >
> >     Since this discussion is about adoption, I believe it would be more
> >     relevant to compare the algorithms themselves. What properties does
> >     BLAKE3 have that TurboSHAKE doesn't? "it's already used a lot in the
> >     wild" can be sufficient to justify a specification.
> >
> >
> >     On Thu, Aug 15, 2024 at 11:07 PM Christopher Patton
> >     <cpatton=40cloudflare.com@dmarc.ietf.org
> >     <mailto:40cloudflare.com@dmarc.ietf.org>> wrote:
> >
> >         Hi all,
> >
> >         Before adopting BLAKE3, I think it would be useful to see how
> >         much of a difference it would make in our applications. I would
> >         suggest looking through RFCs published by CFRG and assess how
> >         performance would change if they could have used BLAKE3. Off the
> >         top of my head:
> >         - RFC 9180 - HPKE (replace HKDF?)
> >         - draft-irtf-cfrg-opaque - OPAQUE
> >         - RFC 9380 - hashing to elliptic curves
> >
> >         I'll add my own data point: draft-irtf-cfrg-vdaf. This draft
> >         specifies an incremental distributed point function (IDPF), a
> >         type of function secret sharing used in some MPC protocols. Most
> >         of the computation is spent on XOF evaluation. For performance
> >         reasons, we try to use AES wherever we can in order to get
> >         hardware support. We end up with a mix of TurboSHAKE128 and AES,
> >         which is not ideal. It would be much nicer if we could afford to
> >         use a dedicated XOF, but TurboSHAKE128 is not fast enough in
> >         software. I threw together some benchmarks for B3:
> >
> https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1
> <
> https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1
> >
> >
> >         The results were interesting. Compared to Turbo, B3 is 30%
> >         faster, as expected. Compared to the baseline (mix of Turbo and
> >         AES), B3 is 2-3x slower for the client operation, as expected;
> >         but the server was slightly faster, which frankly is a bit of a
> >         mystery. We'll need to dig into the code more to be certain, as
> >         there may be some obvious inefficiencies on the client side. But
> >         preliminarily, I would say B3 is probably too slow in software
> >         for this application.
> >
> >         Chris P.
> >
> >
> >
> >
> >         _______________________________________________
> >         CFRG mailing list -- cfrg@irtf.org <mailto:cfrg@irtf.org>
> >         To unsubscribe send an email to cfrg-leave@irtf.org
> >         <mailto:cfrg-leave@irtf.org>
> >
> >     _______________________________________________
> >     CFRG mailing list -- cfrg@irtf.org <mailto:cfrg@irtf.org>
> >     To unsubscribe send an email to cfrg-leave@irtf.org
> >     <mailto:cfrg-leave@irtf.org>
> >
> >
> > _______________________________________________
> > CFRG mailing list -- cfrg@irtf.org
> > To unsubscribe send an email to cfrg-leave@irtf.org
>
> _______________________________________________
> CFRG mailing list -- cfrg@irtf.org
> To unsubscribe send an email to cfrg-leave@irtf.org
>