[CFRG] Re: BLAKE3 I-D
Christopher Patton <cpatton@cloudflare.com> Thu, 15 August 2024 21:06 UTC
Return-Path: <cpatton@cloudflare.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B80B3C151079 for <cfrg@ietfa.amsl.com>; Thu, 15 Aug 2024 14:06:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j9r7Es2wC_si for <cfrg@ietfa.amsl.com>; Thu, 15 Aug 2024 14:06:19 -0700 (PDT)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0671DC14F749 for <cfrg@ietf.org>; Thu, 15 Aug 2024 14:06:18 -0700 (PDT)
Received: by mail-qt1-x830.google.com with SMTP id d75a77b69052e-44ff6dd158cso8158751cf.3 for <cfrg@ietf.org>; Thu, 15 Aug 2024 14:06:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1723755978; x=1724360778; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ncsoNX4yF2QnFgTc47AlpFcTCQj+fMjrGIxCetba4mE=; b=C2K2snFhSOPMcRjSVmE83LqRhwqzxFMv/lrrGipFXoFhR3JTGfRSGtPxCP73zaUIll dM3I6OQquY2oaPvaxn1H0BcS1OXE46rHGjN00klmNUIPX69m3aIFIMWEOqYRphW92v+q /rDGS7+L4FMJpgNy+YYIXFhBzQnnsIGWLv1X03DA2i1jrAq1EqUU5zHPGxawqFuVgCie 5ldYhrcgeCXmQCjzz5OKK72GuqJKZxM5lB3UUEVqXFzalzQt3dpRgbSFdnU3WGl1Fq+y Z7rzSnJ9nKv7pv5UdRWqKpjJthS29UoXVdcj/0285BEaYa5O0x/rgn1wXV+gmUYy2gdp s4yg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723755978; x=1724360778; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ncsoNX4yF2QnFgTc47AlpFcTCQj+fMjrGIxCetba4mE=; b=YUa04TlCO5/vFbRF3ulTZZ3NMV0DCqCJAHm8VWoyLHTh5cUySK/jUcTqKErQ2JVcqr mtAX1ORQxUiR8il6quR67AtyPJWp9pMcK61SVWVoqn9tOlhOS0oiGW0vQMCfjUWfmZ3u PQG0cA/cje7M711Xzhs/sSK2fBiM2Dc1dIIqfo7tah5o6LxqMCmS6tlT0+ab+G5qLyTE ZkkYtl/VbvFk5B2YwPVkRwJFkbH/pousYYt4060iW+l76Kz7LybNEBQT2pM/hYSL39QE aQbvQjYGjWe+pK0RyCbWVyMYD71OtsILYq0DWCRae7rZfe1TOfqBHek07yVX2HaZWREv 8e1w==
X-Forwarded-Encrypted: i=1; AJvYcCXSRGWhHa+sSv8tPbD7+mMCV0Mhoe/Fhv0YhAgO3x3LKqmIG8q3I6M6WeTzUocPeonuo/5yXToUOd3fGRDl
X-Gm-Message-State: AOJu0YxjFRDpyy+xSb6KHTIrPLGYVjuFpFjM51/EEgDJhutI65MVU8jw snhuyNj0czp8k41Y3yWP1jcDKaLuOgsdHSiCyfumw7wBLDrC3IePsdBnhD+LfZSV9VMKehuan7o FT/ZTI+XAuIe4w5uXKJj7/QNCN3xSOFdpGrItJA==
X-Google-Smtp-Source: AGHT+IERIuaF3A+jmWmcLGObRk5Qt99qVTNwzZPEgxyYMAiiN3uVGR1ZzIxOCYi5wIRZJqqXDeuM+9c7MjqWWjNC1xw=
X-Received: by 2002:a05:622a:5a90:b0:451:d63a:d2b5 with SMTP id d75a77b69052e-45374258d24mr11774261cf.23.1723755977839; Thu, 15 Aug 2024 14:06:17 -0700 (PDT)
MIME-Version: 1.0
References: <CAGiyFdfKZ1qsPR62kb8M_EqfGOfuU4nkEY4JjLCwBb_JOZdxOA@mail.gmail.com> <CAMr0u6kpcRvsifS3GRX0LNCD1LODo_pePZo51K7okfQtatEgNA@mail.gmail.com> <CAGiyFdfAFT4HzxNLB4QKdGs8F8QD-y5LmMpnH=C+O8+2XF8eBQ@mail.gmail.com> <CAG2Zi20x1WvGH3FdhOW0HjpDfJhgfnSJUvXsoqywgn4vy_1eGA@mail.gmail.com> <CA+6di1kw4rPcseBUfAc=kTLbQSXGyph9wHZV-fn9CEg5KjOkgA@mail.gmail.com> <CAG2Zi21v9pDu_EOB1aOyFwsJ+ztoZ5tnk7Dimhap7xGMryJttQ@mail.gmail.com> <CAGiyFdeUaYaKfDwe1xyRQmB1svW3OBpCRXKvOnA-hcyi5zec-w@mail.gmail.com>
In-Reply-To: <CAGiyFdeUaYaKfDwe1xyRQmB1svW3OBpCRXKvOnA-hcyi5zec-w@mail.gmail.com>
From: Christopher Patton <cpatton@cloudflare.com>
Date: Thu, 15 Aug 2024 14:06:07 -0700
Message-ID: <CAG2Zi2277O_aJhY1v5N6vGFK1_TPFHQ5w89RJgmzfbSBmGhmcw@mail.gmail.com>
To: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000bd32f8061fbf367b"
Message-ID-Hash: 7YZELVLLABLHBLNVYQWZNLPZKWY5XJ26
X-Message-ID-Hash: 7YZELVLLABLHBLNVYQWZNLPZKWY5XJ26
X-MailFrom: cpatton@cloudflare.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Jack O'Connor <oconnor663@gmail.com>, cfrg@ietf.org, cfrg-chairs@ietf.org, Zooko O'Whielacronx <zookog@gmail.com>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: BLAKE3 I-D
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/w1V0pMLq-VBHwZEsBwAOw0LaCzg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>
Hi all, Before adopting BLAKE3, I think it would be useful to see how much of a difference it would make in our applications. I would suggest looking through RFCs published by CFRG and assess how performance would change if they could have used BLAKE3. Off the top of my head: - RFC 9180 - HPKE (replace HKDF?) - draft-irtf-cfrg-opaque - OPAQUE - RFC 9380 - hashing to elliptic curves I'll add my own data point: draft-irtf-cfrg-vdaf. This draft specifies an incremental distributed point function (IDPF), a type of function secret sharing used in some MPC protocols. Most of the computation is spent on XOF evaluation. For performance reasons, we try to use AES wherever we can in order to get hardware support. We end up with a mix of TurboSHAKE128 and AES, which is not ideal. It would be much nicer if we could afford to use a dedicated XOF, but TurboSHAKE128 is not fast enough in software. I threw together some benchmarks for B3: https://github.com/cjpatton/libprio-rs/compare/main...cjpatton:libprio-rs:exp/blake3-for-idpf?expand=1 The results were interesting. Compared to Turbo, B3 is 30% faster, as expected. Compared to the baseline (mix of Turbo and AES), B3 is 2-3x slower for the client operation, as expected; but the server was slightly faster, which frankly is a bit of a mystery. We'll need to dig into the code more to be certain, as there may be some obvious inefficiencies on the client side. But preliminarily, I would say B3 is probably too slow in software for this application. Chris P.
- [CFRG] Re: BLAKE3 I-D Jean-Philippe Aumasson
- [CFRG] Re: BLAKE3 I-D Christopher Patton
- [CFRG] Re: BLAKE3 I-D Christopher Patton
- [CFRG] Re: BLAKE3 I-D Jean-Philippe Aumasson
- [CFRG] Re: BLAKE3 I-D Christopher Patton
- [CFRG] Fwd: Re: BLAKE3 I-D Jack O'Connor
- [CFRG] Re: BLAKE3 I-D Jean-Philippe Aumasson
- [CFRG] Re: BLAKE3 I-D Jean-Philippe Aumasson
- [CFRG] Re: BLAKE3 I-D Jack O'Connor
- [CFRG] Re: BLAKE3 I-D Christopher Patton
- [CFRG] Re: BLAKE3 I-D Chris Barber
- [CFRG] Re: BLAKE3 I-D Jack O'Connor
- [CFRG] Re: BLAKE3 I-D Eric Rescorla
- [CFRG] Re: BLAKE3 I-D Jean-Philippe Aumasson
- [CFRG] Re: BLAKE3 I-D Benson Muite
- [CFRG] Re: BLAKE3 I-D Eric Rescorla
- [CFRG] Re: BLAKE3 I-D Benson Muite
- [CFRG] Re: BLAKE3 I-D Phillip Hallam-Baker
- [CFRG] Re: BLAKE3 I-D Jean-Philippe Aumasson
- [CFRG] Re: BLAKE3 I-D Benson Muite