[CFRG] Fwd: Re: BLAKE3 I-D

Jack O'Connor <oconnor663@gmail.com> Thu, 15 August 2024 23:37 UTC

Return-Path: <oconnor663@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93606C151077 for <cfrg@ietfa.amsl.com>; Thu, 15 Aug 2024 16:37:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.857
X-Spam-Level:
X-Spam-Status: No, score=-1.857 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AOkTu94LLKpi for <cfrg@ietfa.amsl.com>; Thu, 15 Aug 2024 16:37:44 -0700 (PDT)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDD37C15106A for <cfrg@ietf.org>; Thu, 15 Aug 2024 16:37:44 -0700 (PDT)
Received: by mail-ot1-x333.google.com with SMTP id 46e09a7af769-7093abb12edso1038465a34.3 for <cfrg@ietf.org>; Thu, 15 Aug 2024 16:37:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723765063; x=1724369863; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=usZnO6VM5dLjzjkWCKTjR3Mu/3U2ohTrh7OoMynI2rg=; b=Nj51nzt1mFRFIG3CUr6wo4oYMP8fXeBz4N/PP5GFD/jYHhKweweEhJPjiSGZMteY7W taYRIgOZ7jmy+N5UY6YgmrFh/bk2GAGswFIGdUI70GT1TT4+7T5urBz4d2qyDiUGEkhg GlMV6tQSOJD5TfKo3w3FDjoi+Aznk/S+xs2VgL9rdun+GcFRk6dNZmtBd9XDunY/J5S1 MpcxASdVxAcwn0G/GGy4AcWL3hK+AL71rl1GyZ8ube68RxkwhilSRhz4zVRo+MMfr5+1 WBU0fDbhwlUMnxgHYnA1pebQWTfbjbqpsl3DLJqGMIcljjZZZMrr843b8LcPZNKL6XyU 9A+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723765063; x=1724369863; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=usZnO6VM5dLjzjkWCKTjR3Mu/3U2ohTrh7OoMynI2rg=; b=AUjb5lpetdjsp6R9YX2Y0Tu2Uty9rUA5kjTy6G/Kg3bqYWPXkPJymHwAXQPGgrcoUx vxbP5cAoqvpIqS5OxKqvB34YZ/R2PC9wg5WLRkP+xYi+pBGMnohX7WqYCUbSXLAoM9Tl x5k++gNPfalTMbnrbBSOtf1ZI3ZnfH1yc3gD24gxtUN4XeminExMewp/ydN6X5QQ4pp8 QH68hUpX9jw2R7WvtnhhQeOVTHsEAxL1p05ZozLuEuinECjWmGuK0K/bSIhg3YrsP2gm 4vk5oZR4eXXDVomx2yyShIfy2INZnr8rnrNPZplQnB1B/MUrLUk5Utgx4PUSir1jEprD f6Mg==
X-Gm-Message-State: AOJu0Yz3+owcE8fdp+UskkbcmZgUIW+1eoX2EMzT/KLGfDwUdqGYZR1u tfDC+J7a23rnauf7nm3pr6zcDpWb9D8VDGumYBPsg0MPvJw+LlCQOB5UqBCmEWEOwRQGO1LL3v4 7ePbwXHGlowduQMyNhTrevzc8wmAdVQ==
X-Google-Smtp-Source: AGHT+IFvMkiBoBEefzjegCB34fbORq4W/+dWoTapedNcmJKgQLYgSzxvrL7b37HXXS6z2rasrBAf0lpA/9e7o4gPeSc=
X-Received: by 2002:a05:6358:419d:b0:1b1:a8cd:5568 with SMTP id e5c5f4694b2df-1b39329f99fmr182490755d.24.1723765063450; Thu, 15 Aug 2024 16:37:43 -0700 (PDT)
MIME-Version: 1.0
References: <CAGiyFdfKZ1qsPR62kb8M_EqfGOfuU4nkEY4JjLCwBb_JOZdxOA@mail.gmail.com> <CAMr0u6kpcRvsifS3GRX0LNCD1LODo_pePZo51K7okfQtatEgNA@mail.gmail.com> <CAGiyFdfAFT4HzxNLB4QKdGs8F8QD-y5LmMpnH=C+O8+2XF8eBQ@mail.gmail.com> <CAG2Zi20x1WvGH3FdhOW0HjpDfJhgfnSJUvXsoqywgn4vy_1eGA@mail.gmail.com> <CA+6di1kw4rPcseBUfAc=kTLbQSXGyph9wHZV-fn9CEg5KjOkgA@mail.gmail.com> <CAG2Zi21v9pDu_EOB1aOyFwsJ+ztoZ5tnk7Dimhap7xGMryJttQ@mail.gmail.com> <CAGiyFdeUaYaKfDwe1xyRQmB1svW3OBpCRXKvOnA-hcyi5zec-w@mail.gmail.com> <CAG2Zi2277O_aJhY1v5N6vGFK1_TPFHQ5w89RJgmzfbSBmGhmcw@mail.gmail.com> <CA+6di1nvyi53OUquH-JBGm_nk34f+R+UTLPB81ct9mSbSmOUeQ@mail.gmail.com>
In-Reply-To: <CA+6di1nvyi53OUquH-JBGm_nk34f+R+UTLPB81ct9mSbSmOUeQ@mail.gmail.com>
From: Jack O'Connor <oconnor663@gmail.com>
Date: Thu, 15 Aug 2024 16:37:17 -0700
Message-ID: <CA+6di1=_bMwnSv4sG13OL+9yog3oLO_KDfcOEv3=LFvEP7iA9A@mail.gmail.com>
To: cfrg@ietf.org
Content-Type: multipart/alternative; boundary="000000000000488811061fc15482"
Message-ID-Hash: 4PUBU7YYFKITBSPIJKCUBEWT6CJDP6YI
X-Message-ID-Hash: 4PUBU7YYFKITBSPIJKCUBEWT6CJDP6YI
X-MailFrom: oconnor663@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Fwd: Re: BLAKE3 I-D
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rUNRBYoqLjHbDAVnwL45yLW5D4o>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

[Resending now that hopefully I'm properly subscribed to the list...]

I'm slightly embarrassed to report that our XOF implementation is slower
than it should be. It should benefit from all the same SIMD optimizations
as the input side, but our current assembly implementations only
parallelize input, and the XOF uses a slower codepath with less
parallelism. Concretely on a CPU with AVX-512 support, for outputs longer
than 1 KiB or so, it should be ~5x faster than it is. (Not as fast as
hardware-accelerated AES-CTR though.)

If you do have an AVX-512 Linux machine, and you want to benchmark the
properly optimized XOF, it's currently on this branch:
https://github.com/BLAKE3-team/BLAKE3/tree/xof_integration_rebase. I've
been dragging my feet on shipping that, but I should go ahead and push it
out, even though it doesn't cover all our target platforms.

On Thu, Aug 15, 2024 at 2:06 PM Christopher Patton <cpatton@cloudflare.com>
wrote:

> Hi all,
>
> Before adopting BLAKE3, I think it would be useful to see how much of a
> difference it would make in our applications. I would suggest looking
> through RFCs published by CFRG and assess how performance would change if
> they could have used BLAKE3. Off the top of my head:
> - RFC 9180 - HPKE (replace HKDF?)
> - draft-irtf-cfrg-opaque - OPAQUE
> - RFC 9380 - hashing to elliptic curves
>
> I'll add my own data point: draft-irtf-cfrg-vdaf. This draft specifies an
> incremental distributed point function (IDPF), a type of function secret
> sharing used in some MPC protocols. Most of the computation is spent on XOF
> evaluation. For performance reasons, we try to use AES wherever we can in
> order to get hardware support. We end up with a mix of TurboSHAKE128 and
> AES, which is not ideal. It would be much nicer if we could afford to use a
> dedicated XOF, but TurboSHAKE128 is not fast enough in software. I threw
> together some benchmarks for B3:
>
> https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1
>
> The results were interesting. Compared to Turbo, B3 is 30% faster, as
> expected. Compared to the baseline (mix of Turbo and AES), B3 is 2-3x
> slower for the client operation, as expected; but the server was slightly
> faster, which frankly is a bit of a mystery. We'll need to dig into the
> code more to be certain, as there may be some obvious inefficiencies on the
> client side. But preliminarily, I would say B3 is probably too slow in
> software for this application.
>
> Chris P.
>
>
>
>
>