[Hipsec] Using cSHAKE for ORCHID

Robert Moskowitz <rgm@htt-consult.com> Thu, 22 August 2019 21:11 UTC

To: HIP <hipsec@ietf.org>
From: Robert Moskowitz <rgm@htt-consult.com>
Message-ID: <5778180d-eee9-7979-5bae-e144ba68c5ac@htt-consult.com>
Date: Thu, 22 Aug 2019 17:11:15 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/4o6el7MaEG5Fq6U3vrd5ZxWyP3g>
Subject: [Hipsec] Using cSHAKE for ORCHID

I am working on a new set of crypto for HIP.  This is to take advantage 
of advancements and hopefully make things better in small things.

I have been looking at FIPS 202 and NIST 800-185 for the new hash and 
MACing.  In particular SHAKE and KMAC.

Right now, NIST only specifies b=1600 for the KECCAK function under 
these, but b=800 is also possible and for SHAKE128 and KMAC128, b=400 is 
also an option.  I have informally heard that NIST is working on how 
these smaller sponges can be used where appropriate (small things).

But let's ignore the sponge size for the moment.

In my reading of RFC 7343 and cSHAKE for 800-185, we could replace:

encode96(sha256(Context ID|Input)) where sha256 is from the OGA ID

cSHAKE128(Input,96,"",Context ID)

I invite others to look at 202 and 800-185 and see what I am talking 
about here.

For Hierarchical HITs it changes to:

cSHAKE128(Input,64,"",Context ID)

Though where Input is only the 32 bytes of ed25519, I need to research 
this more for overall strength, but 202 seems to say that it does work 
well with very short inputs.

Looking for others' thoughts on this.
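As an added example (not from the message above or from any HIP implementation), here is the RFC 7343 ORCHID construction with today's encode96(SHA-256(Context ID | Input)) beside the cSHAKE128(Input, L, "", Context ID) form proposed in the message, in Python. Keccak-f[1600] and the SP 800-185 encodings are written out because hashlib offers SHAKE but not cSHAKE; the OGA ID for a cSHAKE suite and the 32-byte input fed in are placeholders, since neither is defined anywhere yet.

```python
import hashlib
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")  # RFC 7401 sec. 3
ORCHID_PREFIX_28 = 0x2001002  # 2001:20::/28 (RFC 7343)
RATE = 168  # Keccak[256] rate in bytes (1344 bits), as used by SHAKE128 and cSHAKE128
_RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
       0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
       0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # rho offsets, indexed [x][y]
def _keccak_f1600(a):  # FIPS 202 permutation; 25 little-endian 64-bit lanes, lane (x, y) at a[x + 5*y]
    rol = lambda v, n: ((v << n) | (v >> (64 - n))) & 0xFFFFFFFFFFFFFFFF
    for rc in _RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        b = [0] * 25
        for x in range(5):
            for y in range(5):  # theta (xor d[x]), then rho and pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = rol(a[x + 5 * y] ^ d[x], _ROT[x][y])
        a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)]) for i in range(25)]  # chi
        a[0] ^= rc  # iota
    return a
def _sponge(data, suffix, out_len):  # absorb data || domain suffix || pad10*1, then one squeeze block
    buf = bytearray(data) + bytes([suffix]) + b"\x00" * (-(len(data) + 1) % RATE)
    buf[-1] |= 0x80
    s = [0] * 25
    for off in range(0, len(buf), RATE):
        for i in range(RATE // 8):
            s[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        s = _keccak_f1600(s)
    assert out_len <= RATE  # plenty for 96- and 64-bit HIT hashes, so no further squeezing is needed
    return b"".join(lane.to_bytes(8, "little") for lane in s[:RATE // 8])[:out_len]
def _left_encode(n):  # SP 800-185 sec. 2.3.1
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([len(b)]) + b
def cshake128(x, out_len, n=b"", s=b""):  # SP 800-185 sec. 3.3; out_len in bytes
    if not n and not s:
        return _sponge(x, 0x1F, out_len)  # defined to be plain SHAKE128 (suffix bits 1111)
    head = _left_encode(RATE) + _left_encode(8 * len(n)) + n + _left_encode(8 * len(s)) + s
    return _sponge(head + b"\x00" * (-len(head) % RATE) + x, 0x04, out_len)  # bytepad(), suffix bits 00
def _orchid(oga_id, hash96):  # RFC 7343: 28-bit prefix | 4-bit OGA ID | 96-bit hash
    return ((ORCHID_PREFIX_28 << 4) | oga_id).to_bytes(4, "big") + hash96
def orchid_sha256(hi_input):  # current HIT Suite 1: middle 96 bits of SHA-256(Context ID | Input)
    return _orchid(1, hashlib.sha256(HIP_CONTEXT_ID + hi_input).digest()[10:22])
def hit_hash_cshake(hi_input, bits=96):  # proposed: cSHAKE128(Input, bits, "", Context ID); bits=64 for HHITs
    return cshake128(hi_input, bits // 8, b"", HIP_CONTEXT_ID)
def orchid_cshake(hi_input, oga_id):  # oga_id: none is assigned for a cSHAKE suite, so pass a placeholder
    return _orchid(oga_id, hit_hash_cshake(hi_input))
```

Because cSHAKE is an XOF whose output length does not enter the input encoding, the 64-bit Hierarchical HIT hash is simply a prefix of the 96-bit one for the same Input and Context ID.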