Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 20 February 2020 13:27 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DBAB12011E for <cfrg@ietfa.amsl.com>; Thu, 20 Feb 2020 05:27:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 65-hiiiaiJe2 for <cfrg@ietfa.amsl.com>; Thu, 20 Feb 2020 05:27:05 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C6571200F9 for <cfrg@irtf.org>; Thu, 20 Feb 2020 05:27:04 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 916FDBE39; Thu, 20 Feb 2020 13:27:01 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uVJ2bDzNIOpc; Thu, 20 Feb 2020 13:26:56 +0000 (GMT)
Received: from [10.244.2.119] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id C239CBE20; Thu, 20 Feb 2020 13:26:55 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1582205215; bh=Ku39UO4pLoNj0lrudL5uexEYmWE/4bETYd/trm9Clkk=; h=Subject:To:References:From:Date:In-Reply-To:From; b=lg1IdDmxgQ/AIW5QM2poH7ly8IOfs2gnGcG6URqSuRpCiwxb+SNcUO2VG9UkHodCX RpCcUPpt84cKXPDXOUeClhkOY+4QrOmAbik8a72JjWb6XMDX5x5Y/u7uOgUAyEhwWH C/Bw3DWt7c5fXQ4+CiblevxJ2mVX2GKJk3+Bgdjo=
To: Benoît Viguier <b.viguier@cs.ru.nl>, cfrg@irtf.org
References: <DF952AED-7578-47B8-B42F-F6A18A927C31@isode.com> <f229605c-914a-21cf-5217-6c314b3323a7@cs.tcd.ie> <d3e393fd-16b7-9b74-56ce-97e2f8032709@cs.ru.nl> <ab214d52-3405-4aeb-89b4-006a743fbad3@cs.tcd.ie> <993cfbc3-9c36-028b-91f4-166f60f3e0b1@cs.ru.nl>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <4f33c443-e5f3-b566-55e0-8741ddd17c3b@cs.tcd.ie>
Date: Thu, 20 Feb 2020 13:26:54 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <993cfbc3-9c36-028b-91f4-166f60f3e0b1@cs.ru.nl>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="JjUWBVcJAhuVbjuvRepjcmx0Di11pzMP8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/tfuN_mL-PTvHQQQGHK5H4RG3QCU>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2020 13:27:09 -0000
Hiya, On 20/02/2020 11:37, Benoît Viguier wrote: > Hi Stephen, > > To answer your question: > > Yep, I had a quick look and didn't find what I thought > I was remembering;-) It may be that what I was thinking > about was HKDF (RFC 5869), so let me ask it that way: > is there a clear benefit in using k12 instead of using > HKDF to get the output length wanted? If there is, and > it's possible to state that in a short paragraph, that > might be a useful addition. (While HKDF doesn't have > arbitrary output length, it can produce long enough > outputs for many uses I guess.) > > ------------------------------------------------------------------------- > > K12 has the merit of being a simpler construction and can be used in > place of HKDF. > > In the scope of IoT or embedded devices, another advantage of K12 when > its input contains a key is that it is easier to protect against DPA > than SHA-1 or SHA-2. Fair enough. Doesn't seem like a compelling addition to the document in the end, but happy to leave it to you and others to figure if adding that is useful or not. Cheers, S. PS: Just to be clear, the discussion has moved me from an "unsure" state to where I think this is ok to publish in an RFC. > > Kind Regards > > On 2/18/20 4:18 PM, Stephen Farrell wrote: >> Hiya, >> >> Coupla follow ups below... >> >> On 18/02/2020 14:45, Benoît Viguier wrote: >>> Dear Stephen, >>> >>> Thank you for your comments on our draft! >>> >>> Please find below some answers and comments. >>> >>> On 2/16/20 3:53 PM, Stephen Farrell wrote: >>>> Hiya, >>>> >>>> On 16/02/2020 11:16, Alexey Melnikov wrote: >>>>> Dear CFRG participants, >>>>> >>>>> This message is starting 2 weeks RGLC on >>>>> draft-irtf-cfrg-kangarootwelve-01 ("KangarooTwelve"), that will end >>>>> on March 1st 2020. If you've read the document and think that it is >>>>> ready (or not ready) for publication as an RFC, please send a message >>>>> in reply to this email or directly to CFRG chairs >>>>> (cfrg-chairs@ietf.org). If you have detailed comments, these would >>>>> also be very helpful at this point. >>>> I had my 1st read of this and think it needs a bit of >>>> work, but am overall unclear if it ought be published >>>> now. (I also looked back at the list archive messages >>>> referring to k12.) >>>> >>>> I don't think CFRG ought be publishing very novel >>>> algorithm RFCs and am unclear how much study k12 has >>>> gotten outside the author team. The main reference >>>> given [1] has pointers to lots of work with titles that >>>> mention reduced-round keccak but it's unclear (to me, >>>> not having read 'em;-) how relevant those are to k12. >>> Actually, all cryptanalysis of Keccak/SHA-3 is relevant to K12. >>> Cryptanalysis resources are scarce, we chose as an explicit design goal >>> to make K12 rely on cryptanalysis of Keccak/SHA-3. >>> >>> To be more precise, K12 is made of two layers: >>> >>> 1) The inner function F. This layer relies on cryptanalysis. K12's F >>> function is exactly Keccak[r=1344, c=256] (as in SHAKE128) reduced to 12 >>> rounds (no tweaks!). Hence, any reduced-round cryptanalysis on Keccak is >>> also a reduced round cryptanalysis of K12's F (provided the number of >>> rounds attacked is not higher than 12 of course). >>> >>> 2) The tree hashing over F. This layer is a mode on top of F that does >>> not introduce any vulnerability thanks to the use of Sakura coding >>> proven secure in the paper [Bertoni et al., ACNS 2014]. >>> >>> This reasoning is detailed and formalized in the paper [Bertoni et al., >>> ACNS 2018], which is peer-reviewed. >> Thanks. It sounds like referring to that section >> of that paper would help so. (Your explanation there >> helped me fwiw.) >> >>>> [1] is also used as [KECCAK_CRYPTANALYSIS] in the draft >>>> and is where the authors are pointing us to find >>>> security analysis of k12. I don't think an author- >>>> maintained web page like that is really good enough >>>> as the key reference for an RFC like this. >>> Good point indeed! >>> >>> One option would be that we put all the references in the RFC. We are >>> not sure this is the right place for it, as we see an RFC more as >>> implementation guide rather than an analysis paper. For example: >>> https://tools.ietf.org/html/rfc7748 does not mention anything with >>> respect to the security of X25519 which is detailed in section 3 of >>> https://www.iacr.org/cryptodb/archive/2006/PKC/3351/3351.pdf. >>> Nevertheless, we are open to this option. >>> >>> Another option would be to refer to [K12, Section 5]. In that section >>> attacks with the highest number of rounds are discussed and >>> corresponding paper are referred to. >> Yep, that sounds good to me. >> >>> However with the possible >>> appearance of new cryptanalysis results, this section would become outdated. >> Just to be clear - including the URL as an additional >> reference as well seems like a good idea. It's only >> depending on that as the main source that seems a bit >> iffy. >> >>>> I totally get why the authors would find that >>>> easier/better, but that won't be true for a reader in >>>> 20 years time, so better to put in the precise >>>> references now. That should also clarify the extent to >>>> which those are about k12 (as defined here) and not >>>> about something else. >>> We agree with this, however Keccak cryptanalysis directly applies to K12. >>>> I think the references really need fixing before this >>>> ought be published. I'm not sure where the right line >>>> ought be drawn in terms of maturity of an algorithm >>>> before CFRG blesses it with an RFC. <4 years does seem >>>> short, even if this is strongly based on keccak. (Hence >>>> me being unsure overall.) >>> For us the maturity amounts to more than 4 years. Being SHA-3, Keccak is >>> a high-profile cryptanalysis target. As we did not tweak the round >>> function, K12 relies on sustained cryptanalysis since 2008. >> Ack. If nobody's gotten near breaking 12 rounds and >> since you didn't tweak it, that does sound convincing >> to me. Thanks. >> >>>> Separately, the draft could benefit from some guidance >>>> as to when this is thought to be useful - presumably >>>> that's when one wants a hash output that's >512 bits. >>>> IIRC, there are other RFCs (forget numbers, sorry), >>>> that describe how to get such outputs using standard >>>> hash functions. If there are such RFCs, it'd be good >>>> to reference those. Either way saying why and when this >>>> is preferable to use of standard hash functions would >>>> be good. >>> The standard hash functions (SHA-1 and SHA-2) are subject to length >>> extension attacks. >> Yep, I had a quick look and didn't find what I thought >> I was remembering;-) It may be that what I was thinking >> about was HKDF (RFC 5869), so let me ask it that way: >> is there a clear benefit in using k12 instead of using >> HKDF to get the output length wanted? If there is, and >> it's possible to state that in a short paragraph, that >> might be a useful addition. (While HKDF doesn't have >> arbitrary output length, it can produce long enough >> outputs for many uses I guess.) >> >> Cheers, >> S. >> >> >>> And in all cases, K12 will be faster than SHA-3. If >>> that makes it clearer, we could add a short guidance as to when the user >>> can benefit the most from K12. We could simply reuse the arguments from >>> these slides: https://benoit.viguier.nl/files/K12atMontreal.pdf >>>> Other than the above, the draft seems clear (though >>>> I didn't try implement) and many thanks for not >>>> defining the usual pile of pointless variants/options:-) >>> Thanks, yes, that was another design goal for K12. >>>
- [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve-01 Alexey Melnikov
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stephen Farrell
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Benoît Viguier
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stephen Farrell
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Benoît Viguier
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stephen Farrell
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Stanislav V. Smyshlyaev
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Dan Brown
- Re: [Cfrg] RGLC on draft-irtf-cfrg-kangarootwelve… Gilles Van Assche