Re: [Crypto-panel] EXTERNAL: Re: Request for review: draft-irtf-cfrg-kangarootwelve-02

Thomas Pornin <thomas.pornin@nccgroup.com> Mon, 21 September 2020 14:17 UTC

Return-Path: <thomas.pornin@nccgroup.com>
X-Original-To: crypto-panel@ietfa.amsl.com
Delivered-To: crypto-panel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E848C3A0763 for <crypto-panel@ietfa.amsl.com>; Mon, 21 Sep 2020 07:17:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.554
X-Spam-Level:
X-Spam-Status: No, score=-0.554 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, LH_URI_DOM_IN_PATH=1.446, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nccgroup.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0zzcO2n59h8q for <crypto-panel@ietfa.amsl.com>; Mon, 21 Sep 2020 07:17:51 -0700 (PDT)
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (mail-co1nam11on2060.outbound.protection.outlook.com [40.107.220.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E7053A0766 for <crypto-panel@irtf.org>; Mon, 21 Sep 2020 07:17:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=U83+ZzSnZYFkDj9z8FV1483GY8Vd4YQ7kDqOYPUhfp+P7/D9xq2evMJv1X5umzvYaMI5qAfsLGLb37XD6r66obJRO/Frasu3x4LuEtTiK784PKyblavjqt9P3G38KQpmpqpDKKXaXzRGuCltqMZszbTtcN14+C73bAIVOTRYq6UqhlZO7XOhmXA3HbZI1+6tToImNMqPgnBZNE88XFThBxPHtl8BhNf+rLHx3v3yXv1K8ab6CaipB/CSmjiSyNSnZKkNhQK0Bw1QCz4D4SRF7K6/FrqmEAfrehgJlCPiIKRjt1ClzBeR8mQKhwnTg20vPoJOX/I9Oox908nJB/gJQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9IZBP+RUt35qsA8r/kHgptM+QUkZs85rmSLw5SAdfeE=; b=I78SVUv/vcq6kY/0EWANYCB/56JULj+OIk62g7U3SkE20cymQlO/cGXHn1Y1CrhVL9wJAD+xeK4BQsjQOVEMqBOsDrPdfEH0oHI1b/6x5nUbe64/cBDBmJsPxAB307wqZUi4zYXcoZuizuH/TzH6x+5j8Lq3BXFrOV1PCByM0qVSG5kYQOAdiLYfKiH5octB4yZsi2n9wCPEDXnazWX86NAZuTPMV4LHCoWz++IxWDLtsMBERlQniVGZjbDVy6Lxrz6zp2AUBUHnEq0AM1ZJvS5FtizPDq4aOHzlbzNNGxXfWq4aIBmWYeROnc1fVW1tAxehbHdtinroP/mKmO9uaw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nccgroup.com; dmarc=pass action=none header.from=nccgroup.com; dkim=pass header.d=nccgroup.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nccgroup.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9IZBP+RUt35qsA8r/kHgptM+QUkZs85rmSLw5SAdfeE=; b=BViRsHrzNcjX2govpLX3lBYPX0WltWBHP113aIZtC/ZQEKaC9ahAvGtiABbxEgXNruEzmg+za9Qj1t8P3pedqWW7ONmjA6RHCxT6TA8k3M5BJmzJ2PV9grIPxwkt0n2N1nuPhMjxmkjI6Rx68mnMTG6Wd73blqVEgCRM65lGSZ6ehpMIwwj+g9d+PS6rb6TzoY+1/SWqVIfLXtv1EpsvoM6evzXUXjkyu2J8DXgOx0t68+VEJWVw9aIZrrGLqpZA0pyr2zFCtAhZ+CVUGV2tNnZWRq6Tetaag1J5PRKrw9/PHrqMfkiGxYVSeEDmWdX/l3OrRrCP2C8iiPOxzzu3cw==
Received: from MWHPR06MB2333.namprd06.prod.outlook.com (2603:10b6:300:61::19) by MWHPR06MB3007.namprd06.prod.outlook.com (2603:10b6:300:11a::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.17; Mon, 21 Sep 2020 14:17:43 +0000
Received: from MWHPR06MB2333.namprd06.prod.outlook.com ([fe80::3474:9133:d3b3:5f40]) by MWHPR06MB2333.namprd06.prod.outlook.com ([fe80::3474:9133:d3b3:5f40%11]) with mapi id 15.20.3391.024; Mon, 21 Sep 2020 14:17:42 +0000
From: Thomas Pornin <thomas.pornin@nccgroup.com>
To: Benoît Viguier <b.viguier@cs.ru.nl>, Alexey Melnikov <alexey.melnikov@isode.com>, "draft-irtf-cfrg-kangarootwelve@ietf.org" <draft-irtf-cfrg-kangarootwelve@ietf.org>, "crypto-panel@irtf.org" <crypto-panel@irtf.org>
Thread-Topic: EXTERNAL: Re: [Crypto-panel] Request for review: draft-irtf-cfrg-kangarootwelve-02
Thread-Index: AQHWgG2Ebjz5twupUEKlQGKXbShU36lzAAWA
Date: Mon, 21 Sep 2020 14:17:42 +0000
Message-ID: <9C5E0AC1-E56E-4676-9708-296465BBD87C@nccgroup.com>
References: <bc188f7e-cb30-3aaa-b6a7-88655c841751@cs.ru.nl> <ff010917-47ac-dbc6-8439-663373ddeb87@cs.ru.nl>
In-Reply-To: <ff010917-47ac-dbc6-8439-663373ddeb87@cs.ru.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: cs.ru.nl; dkim=none (message not signed) header.d=none;cs.ru.nl; dmarc=none action=none header.from=nccgroup.com;
x-originating-ip: [24.200.215.113]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7a1a0e3b-be86-49e9-9223-08d85e391ad3
x-ms-traffictypediagnostic: MWHPR06MB3007:
x-microsoft-antispam-prvs: <MWHPR06MB30077666C60C70C088A7A50C823A0@MWHPR06MB3007.namprd06.prod.outlook.com>
campaign: C_Default
signature: S_NoSignature
disclaimer: D_NoDisclaimer
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: c5OfcfFHR/tY63mRPb0p3PvWvjiaHCkv0gzfvU4TCyVKJh83WoW0wkTk7r6p/MUf8S/dBdv3eli1/fkzRvaCTcaH2AWY1bQ3gG0j7H52dzTMEKan+EsN9zibTPlbC+bnc/Yg1lNaDrfwJ/EHF4N4KdcXI3XxQX2zMRcHuA2bwTnQBmAqKuzfu15nHW01RDa6AXzkYX4BocREBUL63dMyg6Qiier1mE2ZADTvt4oguU3fBn/K9i7WKmTlOZDn8+eu6Ai0jbX/f1jMevP8IxqGe+lhQt412dhUSSVIL/R4P0M3OyGKBacq3OoM9vcmXBl3sk8GgdmFRRhXzXVrmMgnOh5nkJWtE3FGcYYjbVPz/UTdOYPjVZ/naUe7euxUGkKx8dMpwmaOG7ZVJ9mSOaYIAg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MWHPR06MB2333.namprd06.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39840400004)(366004)(136003)(376002)(396003)(346002)(966005)(66574015)(478600001)(2906002)(36756003)(2616005)(6512007)(44832011)(76116006)(186003)(26005)(5660300002)(316002)(86362001)(8676002)(53546011)(6506007)(83380400001)(83080400001)(33656002)(8936002)(166002)(91956017)(71200400001)(66446008)(110136005)(64756008)(66476007)(66946007)(66556008)(6486002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 5rCR9W+YLoajKZuahxOgP8MMte1YV19A/m/njoFQk8wQILlOXnUebBdaW68Fy+j8Cn+aJjH1J8MHtpmd6U9MbVNbOPJdNQeO30q670gtUy/Yjs8siruul0//nYTcFKpu32GRj5/wS9b6hhQWp1vAUKjRLxJCsZbc+2t+nNmzQ3Od6bObYmLWsGOZ/XrA34il67WSM6lWS4v/lcibdz5bVDYB3QALZUC1/uMCSrxYCd1jCHR+18P6tiePdBA4KmrS7g7FbQoSuX2Gi8Osn84NEpiN7eVFlSagnE81MpGX7SBy248iGP4B2NkW9Pk1b+x8jNIotGh0xXMPV+nMtICjyrCoNHcReTHXa1OM7EMTd8CvxE2nEpPA+RSLwvrRonXBKuIu4K0wUReVkw29hCA9hYcIwYDGdtr1GNTpwZfcaNPDSvwR1Yz4Cy21aZvfg9osOxXYBpHpuZ63uPA5U7l1KBXGOOLBVMAHEIHCTt7bwpFpTCtiH13LHKfbRK194voupCfJ+EDv2UPbsV6UJyh1/qIHvZU4yjbOb+TRoIjr4oUSc4mJJVspk3DY/kqnr+ytL3CnX83xVERpyeykKspuyA0h+BaaiesQeSMgVOUZjoaFzdZejJSY9gDjfzpi9N9t46CbJA6AYm1BfYUEhpX1PA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_9C5E0AC1E56E46769708296465BBD87Cnccgroupcom_"
MIME-Version: 1.0
X-OriginatorOrg: nccgroup.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MWHPR06MB2333.namprd06.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7a1a0e3b-be86-49e9-9223-08d85e391ad3
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Sep 2020 14:17:42.7625 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a41111be-486b-45f6-8bd0-ee01a62f368e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: w2HXAUeCUJNOEOVOPgi1AmquQUuxCqhydeZyRjjNJEB9uCpu1jjvHPe1/pPysFhYIdO3msSI4pcutI61OZ5tEGy0hFZ6P1pMO8PrvTEkrXc=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR06MB3007
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/YQL4M-FgirlKQoEkilmUgSupjms>
Subject: Re: [Crypto-panel] EXTERNAL: Re: Request for review: draft-irtf-cfrg-kangarootwelve-02
X-BeenThere: crypto-panel@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <crypto-panel.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/crypto-panel/>
List-Post: <mailto:crypto-panel@irtf.org>
List-Help: <mailto:crypto-panel-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Sep 2020 14:17:54 -0000

I am not in a good position to make comments on delays, since I also let this email sleep for three weeks...

Your changes look good to me.

I like the idea that the bulk of the data processing in HopMAC has no dependency on the key; it has indeed strong benefits with regard to side channel attacks. Of course, it unavoidably implies that HopMAC relies on the collision resistance of the keyless hash function. In the aftermath of the MD5 and SHA-1 attacks (in the 2000s), there has been a trend of shunning collision resistance, and insisting on using only (second-)preimage resistance; that's how, for instance, Ed25519 signatures in "pure" mode insist on generating the challenge as H(pkey+R+message) and not H(pkey+R+H(message)). This trend implies some practical limitations (e.g. "pure" Ed25519 signatures make it much more difficult to process X.509 certificates in memory-constrained environments). I think your choice in HopMAC is a better trade-off; keyless processing of the bulk of the data has tangible practical benefits, and if K12 is not collision-resistant then the foundation of its other security properties becomes quite flaky.

Thomas

From: Benoît Viguier <b.viguier@cs.ru.nl>
Date: Tuesday, September 1, 2020 at 10:38
To: Thomas Pornin <thomas.pornin@nccgroup.com>, Alexey Melnikov <alexey.melnikov@isode.com>, "draft-irtf-cfrg-kangarootwelve@ietf.org" <draft-irtf-cfrg-kangarootwelve@ietf.org>, "crypto-panel@irtf.org" <crypto-panel@irtf.org>
Subject: Re: EXTERNAL: Re: [Crypto-panel] Request for review: draft-irtf-cfrg-kangarootwelve-02

Dear Thomas, Dear Alexey, Dear Crypto Panel members,

We would like to thank you for your time into reviewing our draft
and providing us with your constructive comments.

We apologize for the delays (corona & vacations...) and provide you here with
our modifications to the draft: https://github.com/cfrg/draft-irtf-cfrg-kangarootwelve/commit/70eff423aa57e9e34121951da2764b5ed73df988<https://gbr01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcfrg%2Fdraft-irtf-cfrg-kangarootwelve%2Fcommit%2F70eff423aa57e9e34121951da2764b5ed73df988&data=02%7C01%7Cthomas.pornin%40nccgroup.com%7Ce1e346d59c784399ad6b08d84e84a3e7%7Ca41111be486b45f68bd0ee01a62f368e%7C0%7C0%7C637345678881062176&sdata=s4Pc12tumBCNxqhLGREPxcpTvDU%2F5eyV6awv9a9fQmE%3D&reserved=0> .
On 7/17/20 11:57 PM, Thomas Pornin wrote:

Here is my review of draft-irtf-cfrg-kangarootwelve-02:



General comments:



The function is well described. The specification is not self-contained

since it relies on FIPS 202, but that's not a problem in my opinion (there

already are other RFCs that reference FIPS 202).



The function already exists and is specified in a note published on

eprint since 2016, so there is no point in changing it now; this is an

RFC that describes an existing situation, not one that introduces new

stuff (otherwise, I would insist, for aesthetical reasons, on making

length_encode() use little-endian instead of the current big-endian).
Additionally we added links to the publications at the ACNS
conference 2014 and 2018 for KangarooTwelve and the Sakura tree hashing.

Some poor soul, somewhere, will want to make a MAC out of K12 and will

try to use it in HMAC. This is probably not a very good idea, though

it won't be weak. HMAC requires knowledge of the "block size" of the

algorithm, so that block size should be specified somewhere. Intuitively,

I suppose the "block size" is 168 bytes, but it would be better to state

it explicitly somewhere.



Also, some guidance about a better way to turn K12 into a MAC would be

helpful. Normally, a simple K12(key || data) would be enough, provided

that the concatenation of 'key' and 'data' is unambiguous. It is

tempting to use the key as customization string, but then, you do not

have a customization string anymore. A related question is whether the

MAC output length should be part of the input/customization string.
We added a paragraph on that subject in the Security Consideration section.
We present HopMAC(K, M, C, L) = K12( Key, K12(M, C, 32), L) to describe
a way to build a MAC from K12.



Particular comments:



page 2: "splits the input message in fragments" -> "splits ... into fragments"

(also page 3)
Edited.


 page 3: "does not have overhead": this is a bold statement. What is meant

here is that the tree hashing mode of K12 does not introduce _additional_

overhead (due to the tree hashing mode) compared with, say, SHAKE; but

there remains the elementary overhead which makes it so that, for instance,

hashing 10 bytes is not less expensive than hashing 120 bytes.



Speaking of overhead, it may be worth pointing out that the tree mode

implies maintaining two separate Keccak contexts (at least for inputs

longer than 8192 bytes), hence double the RAM usage; this may matter

for constrained embedded devices (i.e. low-end smartcards and

microcontrollers, where 200 bytes of RAM are a lot).



page 4: "from n to m exclusive" is a bit confusing since byte at index m

is excluded, but byte at index n is included. Maybe: "selection of bytes from

index n (inclusive) to m (exclusive)"? Also say somewhere that the first

byte of a string has index 0 (i.e. this is C/Rust, not Pascal).
Edited.


page 4: "x**y denotes x multiplied by itself y times" -> this would

actually be x**(y+1) (if you multiply x by itself _once_, you get x*x).
Edited.


page 4: "the number of output bytes requested" -> this lacks a verb;

probably: "is the requested number of output bytes"
Edited.


page 5: "First the message is padded with zeroes to the closest multiple of

168 bytes.  Then a byte `80` is XORed to the last byte of the padded

message.  and the resulting string is split into a sequence of 168-byte

blocks."

-> This could be made clearer, first to indicate that it is the length,

in bytes, of the padded message which is to be a multiple of 168; also,

that the "closest" is really a rounding-up (e.g. with a 169-byte input,

we really need to append 167 other bytes, even though 168 is arguably

much closer to 169 than 336). There should be an explicit specification

about what to do if the input size already has a size multiple of 168:

should we add 168 extra bytes of value zero, or none at all? Note that,

in the latter case, there must be a special case for an input of length

0: if the padded input consists of no byte at all, then it becomes

difficult to XOR 0x80 into "the last byte".
We clarify that the length of the F function is positive.
This resolve the problem of inputs consisting of no bytes.
In the definition of KangarooTwelve in section 2.2, there are no calls to F
with input of length 0.

We clarify the rounding up to the next multiple of 168.

(Three paragraphs later, we learn that the input length is at least

1 byte, which avoids any issue related to a zero-length input; this

should probably be explained a bit earlier in the text.)
Edited.


 page 11: "against all attacks" (end of first paragraph of section 5):

this lacks a final dot.
Edited.




Thomas

We are open to any additional feedback.

--

Kind regards,



Benoît Viguier

Software Engineer - PhD Student | Cryptography & Formal Methods

Radboud University | Mercator 1, Toernooiveld 212

6525 EC Nijmegen, the Netherlands | www.viguier.nl<https://gbr01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.viguier.nl%2F&data=02%7C01%7Cthomas.pornin%40nccgroup.com%7Ce1e346d59c784399ad6b08d84e84a3e7%7Ca41111be486b45f68bd0ee01a62f368e%7C0%7C0%7C637345678881067157&sdata=bxZRTB5IWIUpqrBgVBRrXvguBjmBgJ%2Fl9wtkc09aAPo%3D&reserved=0>