[Lake] Review of KMAC in draft-ietf-lake-edhoc-08
Robert Moskowitz <rgm-sec@htt-consult.com> Fri, 30 July 2021 19:48 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D0033A0CE8 for <lake@ietfa.amsl.com>; Fri, 30 Jul 2021 12:48:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZEqcWAEoExce for <lake@ietfa.amsl.com>; Fri, 30 Jul 2021 12:48:50 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14E463A0CDF for <Lake@ietf.org>; Fri, 30 Jul 2021 12:48:47 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 1D51C62769 for <Lake@ietf.org>; Tue, 5 Jan 2010 03:37:45 -0500 (EST)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id LWDLzFTebX6f for <Lake@ietf.org>; Tue, 5 Jan 2010 03:37:40 -0500 (EST)
Received: from lx140e.htt-consult.com (unknown [192.168.160.29]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id A237562620 for <Lake@ietf.org>; Tue, 5 Jan 2010 03:37:39 -0500 (EST)
To: Lake@ietf.org
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Message-ID: <64717eb2-84db-f5a1-2ad1-9d71d8d4f51c@htt-consult.com>
Date: Fri, 30 Jul 2021 15:48:38 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.10.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/56zEoKFYkG3zY9OElm20tIXgEwM>
Subject: [Lake] Review of KMAC in draft-ietf-lake-edhoc-08
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2021 19:48:54 -0000
Greetings Lakers. ;) From a Great Lakes person (only one I have not swum in is Ontario and let me tell you, Superior is COLD!). I have looked at your use of KMAC and it is a good start, but not as good as can be done with KMAC. Please see my draft: https://datatracker.ietf.org/doc/draft-moskowitz-hip-new-crypto/ Not only do I use KMAC for HMAC replacement, but also as the KDF. I also include Xoodyak, one of the NIST LWC finalists of which only 4 include hashing. This draft has been implemented in openHIP and reviewed by Team Keccak. WRT to use as a KDF. In my discussions with NIST and Team Keccak (including F2F at IACR RWC Jan '20) KMAC directly does the extract-and-expand. You do not need to invoke KMAC twice. In SP800-56Cr1 sec 8.3, KMAC is not included in a 2-step KDF as it is waiting SP800-108 update. But in my research I see KMAC doing exactly what it takes the two HMAC steps to accomplish. Team Keccak has confirmed this revaluation. NIST has hedged its position, as one would expect, but they have not said no (again F2F discussions in Dec '19). Further you should point out that HMAC needs 2 hash operations to KMAC's single sponge invocation. This is an important performance consideration in constrained devices. Even if SHA-256 is marginally faster than KMAC-128 (same strength), it is not twice as good. On top of that KMAC as a KDF replaces two or more HMACs (depending on how many key bits needed). Again a performance gain. I would be happy to work with the draft authors on changes in KMAC usage. Also NIST is stating that the LWC will conclude by end of 2021. It behoves Lake to look hard at the LWC finalists that do hashing. This could be saved for a separate draft, depending on expected completion and last call of lake-edhoc. thank you for consideration.
- [Lake] Review of KMAC in draft-ietf-lake-edhoc-08 Robert Moskowitz
- Re: [Lake] Review of KMAC in draft-ietf-lake-edho… Blumenthal, Uri - 0553 - MITLL
- Re: [Lake] Review of KMAC in draft-ietf-lake-edho… Blumenthal, Uri - 0553 - MITLL
- Re: [Lake] Review of KMAC in draft-ietf-lake-edho… Robert Moskowitz
- Re: [Lake] Review of KMAC in draft-ietf-lake-edho… Robert Moskowitz
- Re: [Lake] Review of KMAC in draft-ietf-lake-edho… Robert Moskowitz
- Re: [Lake] Review of KMAC in draft-ietf-lake-edho… Göran Selander