IETF Logo Mail Archive

Re: [CFRG] Choice of XOF for draft-irtf-cfrg-vdaf

Christopher Patton <cpatton@cloudflare.com> Tue, 10 October 2023 16:32 UTC

Return-Path: <cpatton@cloudflare.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E301FC151068 for <cfrg@ietfa.amsl.com>; Tue, 10 Oct 2023 09:32:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pXJLy8mqgbMM for <cfrg@ietfa.amsl.com>; Tue, 10 Oct 2023 09:32:47 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5357BC14F721 for <cfrg@irtf.org>; Tue, 10 Oct 2023 09:32:47 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id 38308e7fff4ca-2c15463ddd4so67153701fa.3 for <cfrg@irtf.org>; Tue, 10 Oct 2023 09:32:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1696955565; x=1697560365; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7AOR1PITQp4eYzt/2mY9AXFRmv9wU1yNgfLdnLIG1rY=; b=F8bQePqIwMH3bWXqxDdrmaNQg4gFeVZHeQKRULKksB80B4gCvpzSmdjt6FVkMSK2V2 hzzYtQ4FgUBWHT5nymG7tp201h2wvuGnvbxgaK186I8k3Jd1BMeCi+yd4BJd8AQkmXxw 9W+/cIYCIV1S6Ukku9SJdHgqYzsRKt/C06ZbAc28B/QYGwYzKGF6fVju1VFik7dsfK85 3F26kjJqNJI8u4gtpyADzFmuaLX0l/3c1RHzJfxITuS8lHT1oDYWvb9TGsmys1DWlaKG fvT8d+BHPCQC8zkWs6CWV78x+1mVcrhsuXB1DxxsBZIOk60jGvL+fzHMkArvdpXOelfw fdgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696955565; x=1697560365; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7AOR1PITQp4eYzt/2mY9AXFRmv9wU1yNgfLdnLIG1rY=; b=wLa96+b+ra+JJduIn/qO7lZMDzsICqs7IT7733Hhlt9MDhSQ9Ig12ISEwFJLjHtFX/ b08VIIP/s3/xk4DFo+sWyEMIapIpSwVVaISZV5FdqdZILybMIHj8tc7YUozJoZ1y1EXt iyNiGhKG85JVq0EKlZjCmY8lYSQkPopTPJdfT7R6k+42iwJtY0kJREXySSszmsNQrME3 NSbL1/RpW8LaKdjvq7turBNXpMfHqoMjfuyhG+4rUjJeINRZb+ksiZRrPmI2ntO7F/Wo 5bsW146kUyzNXZQQsEMPwVZoJt1ANUm+18+9UqFkGU5tkvAvW/gFWVAMhpgPd9pT/ihO vnFw==
X-Gm-Message-State: AOJu0YwejGz1X1xUQeccAz/eXeX+PHQexu3OUekGLRhUfaTIr0mKIZKB if0zbEdFkyfBqBYVQ3rfjzVsY38XswvqM/7iRJMmld3SLUm5XI7Yqzw=
X-Google-Smtp-Source: AGHT+IHSoCNLtqABigdhx0DQuLc/6i6Fj81ObzToTFRZB4UupM+O+4vcpbgyymyKF0nvToN8rzmxKMYtoDotiY2rSH4=
X-Received: by 2002:a2e:7e04:0:b0:2bd:10b7:4610 with SMTP id z4-20020a2e7e04000000b002bd10b74610mr15209919ljc.25.1696955565237; Tue, 10 Oct 2023 09:32:45 -0700 (PDT)
MIME-Version: 1.0
References: <CAG2Zi21761Q5kRytS6+uFvL5-YN3imiC3h6L-BGkpxkKUwCrqw@mail.gmail.com> <CAGsvMr5A6j+b0emJys2kEOrZNduF3+fzOeQsab8XsF_vimLonw@mail.gmail.com>
In-Reply-To: <CAGsvMr5A6j+b0emJys2kEOrZNduF3+fzOeQsab8XsF_vimLonw@mail.gmail.com>
From: Christopher Patton <cpatton@cloudflare.com>
Date: Tue, 10 Oct 2023 09:32:34 -0700
Message-ID: <CAG2Zi23tSoFV71SO8NZdtYDJ_d6CMzZ6Kj2VMDUpkeqwPe=7Dw@mail.gmail.com>
To: David Cook <dcook=40divviup.org@dmarc.ietf.org>
Cc: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000aacba006075f4129"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zzpG6CWQHG2hvQuzmfmkZcZ2AzM>
Subject: Re: [CFRG] Choice of XOF for draft-irtf-cfrg-vdaf
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Oct 2023 16:32:52 -0000

Thanks for the extra data point, David! From a perf perspective it seems
like TurboSHAKE128 is the right way to go.

There also doesn't seem to be demand for keeping SHAKE128. If there are no
objections, we'll replace SHAKE128 with TurboSHAKE128 in the next VDAF
draft.

Finally, there seems to be broad support for leaving room for cryptographic
agility in CFRG specs in general, though I didn't hear anyone request
additional algorithms for VDAF in particular. The spec is written in such a
way that adding support for a new XOF is as easy as defining a codepoint.
If someone wants support for SHAKE128, or maybe something built from
SHA256, feel free to send a PR.

Best,
Chris P.

On Fri, Oct 6, 2023 at 12:03 PM David Cook <dcook=
40divviup.org@dmarc.ietf.org> wrote:

> I re-ran benchmarks of the Prio3SumVec VDAF on an Intel processor (Chris's
> benchmarking results were on ARM), and in this setting, using SHA-2 via a
> tweaked expand_message_xmd came out on top, a hair faster than TurboSHAKE.
> These results are from a "11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz"
> CPU with Turbo Boost turned off, using the commit
> https://github.com/divergentdave/libprio-rs/commit/522c10a13098097257a3feb20043eb68ed275784,
> and running "cargo bench --bench speed_tests -- prio3sumvec".
>
> Sharding:
> Measurement length SHAKE128 TurboSHAKE SHA-2 tweaked XMD
> 10 76.709 µs 60.280 µs 59.984 µs
> 30 100.22 µs 80.307 µs 79.026 µs
> 100 202.71 µs 169.21 µs 166.60 µs
> 300 466.39 µs 398.63 µs 308.37 µs
> 1000 1.8078 ms 1.6263 ms 1.4790 ms
>
> Preparation, initial step:
> Measurement length SHAKE128 TurboSHAKE SHA-2 tweaked XMD
> 10 53.616 µs 44.887 µs 44.728 µs
> 30 66.061 µs 55.320 µs 54.771 µs
> 100 104.70 µs 90.823 µs 89.803 µs
> 300 206.79 µs 180.94 µs 175.85 µs
> 1000 610.40 µs 539.43 µs 527.80 µs
>
> Looking at performance alone, replacing SHAKE128 with this mode of SHA-2
> would be an improvement on x86, and a regression on ARM, while TurboSHAKE
> would be an improvement on both architectures (with the Rust libraries this
> implementation is currently using).
>
> --David Cook
>
> On Tue, Sep 26, 2023 at 6:18 PM Christopher Patton <cpatton=
> 40cloudflare.com@dmarc.ietf.org> wrote:
>
>> Hi all,
>>
>> The authors of the VDAF draft need feedback on one of our open design
>> questions, first raised in [1]. To summarize: we're currently using
>> SHAKE128 (SHA-3) as an XOF ("eXtendable Output Function"), but we've heard
>> from potential adopters off-list that they'd prefer not to have to support
>> SHAKE128. We'd like to find an alternative that most people are happy with.
>>
>> The most natural alternative that comes to mind is TurboSHAKE128. It's
>> faster, most people are happy with the security margins, and CFRG is
>> working on it (draft-irtf-cfrg-kangarootwelve).  Our benchmarks for Prio3
>> [2] show that TurboSHAKE128 is as much as 20% faster than SHAKE128. (How
>> much improvement we get depends on the Prio3 type. For very large inputs,
>> the runtime is dominated by finite field arithmetic rather than hashing.)
>>
>> SHA-2 could work as well, in the right mode of operation. Our
>> requirements are similar to RFC 9380 in that we need the XOF to behave like
>> a random oracle [3]. In fact `expand_message_xmd()` from RFC 9380 *almost*
>> fits the bill --- we need to tweak it slightly in order to make it work for
>> our application. (We mainly use the XOF to expand a short seed into a long
>> vector of finite field elements. Depending on the data type, the maximum
>> output length for `expand_message_xmd()` may be too short.) However, this
>> tweaked mode for SHA-256 is up to 60% slower than SHAKE128 [2].
>>
>> In terms of performance, TurboSHAKE is the clear winner. The main concern
>> I've heard about moving to TurboSHAKE is that it would add a dependency on
>> an unfinished draft. On the other hand, adopting TurboSHAKE might help
>> build momentum towards completing that work.The performance for SHA-2 could
>> probably be improved (we haven't evaluated SHA-512 for instance --- perhaps
>> the longer output length will yield savings), but unless we have a very
>> compelling reason to do so, we'd like to avoid specifying a new mode for it
>> (i.e., a tweaked version of `expand_message_xmd()`).
>>
>> It would be useful to hear from potential adopters as well as folks who
>> have some experience with these primitives and may have some insights to
>> share. The ideal outcome here is a single choice that most people are happy
>> to implement. We'd prefer to avoid having to specify multiple alternatives
>> here; this is essentially green-field cryptography, and it would be a shame
>> to take on the baggage of agility before we absolutely need to.
>>
>> Thanks on behalf of the editors,
>> Chris P.
>>
>> [1] https://github.com/cfrg/draft-irtf-cfrg-vdaf/issues/209
>> [2] https://github.com/divviup/libprio-rs/pull/768
>> [3] https://eprint.iacr.org/2023/130
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email