Re: [Lake] Review of KMAC in draft-ietf-lake-edhoc-08

Göran Selander <goran.selander@ericsson.com> Wed, 25 August 2021 08:26 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2549D3A0063 for <lake@ietfa.amsl.com>; Wed, 25 Aug 2021 01:26:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.543
X-Spam-Level:
X-Spam-Status: No, score=-2.543 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_SPF_HELO_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cxBI_X57yORj for <lake@ietfa.amsl.com>; Wed, 25 Aug 2021 01:26:12 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20079.outbound.protection.outlook.com [40.107.2.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D917B3A005E for <Lake@ietf.org>; Wed, 25 Aug 2021 01:26:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nx5nIG4EeLOOGRK69ZN8xm/jM0VOqtqVn8Fv9tUFXhuWGRLkJyt0fKkVZlFvCcMwtW52vopI/pBBtsqDbhrNwlzPAtMKwQEkJ0N+rJGNEXYme0298Q5QStBQF6FhWTADLON/dcKmKA5nENJKcKx2PLtKjD0xT2WBw/74v6EDQedN4d1hOuBWJ4VJwBvx8thBDsbnBZLM9xYYmrO4u7h/slCflOBcsXXF0ds/4+Ma6lb6wKIWhvaaivY547+1N2JZSit3Ro5Y/cgaruszioH8jmKKZdeugtV/lRX+QngTUyrUjKJqtwdNHTBqa1Ke4AilwIpVABBlU7bIaW+uWTrvHg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xxhaztejqFPvA6KnUaLAR5f9KQEw+t2nfgoOJT22MAo=; b=JTyaObj5vr6K3oX45Wn022I7FRaka7Vkfvcq+3K02WBxPynBk4GsTOChp1puvBs4+tMZ+6jFdT9BOIjFuoFsoTwcY2usAlB8t1MIo949oWmQekR+tjOAy0fn3oSeLsE1lBQadQ3Jy1ny93csDLXS6shlrZ+66OUTPS9A9HkDkaAmzsijGg4Kwj3POCWdobiPgMFgB82TBZgeOsaNmngWt63zatujOOp+d+7NEy2UVoRTDpo2IhKvyIKTmzRgnhtHdYb8eVma9Grmh0DOJmHZEH9VN6cK17QZO5wc3DYPxZLsQsP2l39sitH7Va5cuajKgmk9EGRwd/9XsALao5OBWg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xxhaztejqFPvA6KnUaLAR5f9KQEw+t2nfgoOJT22MAo=; b=pyjJwisS0fPpiYHTWd+OrQDJBFzDYyQdscuHeJugPDqD+3gI7BNYJom9CzTgdGa5db0wIYXyXwcvwgV1glzG9b8aoG5t2gsFm20U+5kZl6dwT8MVxF3hh/POabOxJtEv1FwBJEBUIkJ5hGq8d2StikGZcgJF0Q3D2eTC80zrPT8=
Received: from HE1PR07MB3500.eurprd07.prod.outlook.com (2603:10a6:7:31::20) by HE1PR0701MB2778.eurprd07.prod.outlook.com (2603:10a6:3:98::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4457.14; Wed, 25 Aug 2021 08:26:08 +0000
Received: from HE1PR07MB3500.eurprd07.prod.outlook.com ([fe80::a141:8e66:ce19:813d]) by HE1PR07MB3500.eurprd07.prod.outlook.com ([fe80::a141:8e66:ce19:813d%7]) with mapi id 15.20.4457.017; Wed, 25 Aug 2021 08:26:08 +0000
From: =?utf-8?B?R8O2cmFuIFNlbGFuZGVy?= <goran.selander@ericsson.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>, "Lake@ietf.org" <Lake@ietf.org>
Thread-Topic: [Lake] Review of KMAC in draft-ietf-lake-edhoc-08
Thread-Index: AQHXhXv2sJVS1fM72kOAykPkYyjbA6uCyC8A
Date: Wed, 25 Aug 2021 08:26:07 +0000
Message-ID: <F3DE4C94-959F-410C-8723-46BBC9DA2D52@ericsson.com>
References: <64717eb2-84db-f5a1-2ad1-9d71d8d4f51c@htt-consult.com>
In-Reply-To: <64717eb2-84db-f5a1-2ad1-9d71d8d4f51c@htt-consult.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.52.21080801
authentication-results: htt-consult.com; dkim=none (message not signed) header.d=none;htt-consult.com; dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b8910ccb-3582-4cc3-1b0a-08d967a1fd06
x-ms-traffictypediagnostic: HE1PR0701MB2778:
x-microsoft-antispam-prvs: <HE1PR0701MB27781E9C4F2CFC8B906A4CC2F4C69@HE1PR0701MB2778.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ++VbsfSwXEjaHOlI4nnbk7uDjvyUEk+1AAQTYWKjBJtrbB2/RbhmGC+rTJvIVkgmN8JlJI5r6pAfpTeQSKd9IlMdFkVp+TETMjbar0AdmcvhNS/rGNd+fLBy81lW2hG7qI+5UBgisRA9QYKBU44f0qHLliUyS5MvDm99RXYt1OU40DHoM+hzVgnIU6+yJuwaozzcq3fY2ySDSxyMVdFNiJmr1a5fcBMFgt1gbNY6dR7iDrR+9c+YCBY5EaMOWnnG5TcRfUqEn/7Wg9NX/dVerob/ICFskTOjKFtsO5jCC7wJG5ond7Enr2rblTpQpxGD7YYXQawlr+QxmEMOKX1JDGaUcnsZiIkcqHF/b7rqr+TMpcydmnZ9O7xy4YPW0O9rkmxg7wVLMPjrUL6cE1mcXsF6z3b622F8DcYb32nLgIMdABz/qM6RtZGQmMNthkWMamLjthYDZqDJ4tnh8I4ZV52L8CUYjVIAJGupz8x1x0C92Pqtd8plX+Cd6Ghjnh/RfvNGnmCQLMjPg3tjQv5INVBjSz71BhIKAMPdUgYXNhliwANmru9B8qYLKIIdu/XLHiMunY+RAjPwN/xGvkCHbXVDFbq91Lw2vqjmleP0U0v7RgIojSWNndZXHoDMBR0zhZXLyoQcEVbd/bhsWxvu/a+uxojcR8sXUUet0f/sSWQuHHrSPnEnrnWx/+D+4MS7c9+KIezWD27aLxw0LS0JXjNnF1LB+eMmSKD1di/9PU/+5Ytc/qnY7ExtcMvTE4zxB8ihXWkJcKTXMdrnaKGHfHEl8HDqDElUo+HX/ZANHZw0rfOZG9+HDm3HA/BD42Ny
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB3500.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(39860400002)(376002)(366004)(136003)(396003)(6486002)(8936002)(76116006)(85202003)(86362001)(122000001)(38100700002)(2906002)(110136005)(6506007)(85182001)(478600001)(6512007)(186003)(53546011)(36756003)(83380400001)(71200400001)(66446008)(2616005)(66574015)(26005)(66476007)(8676002)(66946007)(5660300002)(316002)(966005)(66556008)(64756008)(33656002)(38070700005)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?utf-8?B?cFlMeXZNYTdBajRpd0RTbHBzNW83d09rS29nRDlneFhuTzJlUFZKb1V2eFBm?= =?utf-8?B?YjcvVE5BSElybmpwUDZubktwaG5RUUhmWU5ZZ2VRZVVZNmxZSzkxb2graFBv?= =?utf-8?B?emlYSDZ2TXdMMk5CR1ZTd3Mwc1ZwZkVxOUlHNUVuMllKVm5PMHA2MFBMWEVR?= =?utf-8?B?SkZtbFhuMGt3NVF6NkFjTVRTTkVmQ0tYelNwRUg2R0s1OXRkakxzZTM1YkE1?= =?utf-8?B?cHNDeWFUbmxkVk41Z3ljekxZT2toN3hndTd2bzJHREdLUFArRGNxVDJLSHVp?= =?utf-8?B?SVFva1ljR2M4REZ3Q3d4aUJqSjkrQUpiaDA4VTZybTJJQTRGNnZsVXVGMm11?= =?utf-8?B?SjJncTJISWpFRHFkK1BwQWRPMkRJZXhJLzErQ2RUUFNVRnZ0RTJLa2Zycktr?= =?utf-8?B?RkdjOW9SL3NDWlV0Sm56SGRMRVo1dENwV3d2N3pic2VWWDVyWGQrdGdnUUNF?= =?utf-8?B?cEZyQXEwN2RBN1lXd21oUkcvcXJobkt4TGZPb201YUR5R09yU2xGU256ZEI2?= =?utf-8?B?N3R0WVBZajlBczgxaFBMWTBXektCTEE1QmpxQUI3S2VCRFFFbjdhS3FvT25K?= =?utf-8?B?Wk9vV3FXRFpFSHVsM0JCTFlLVU9kZWRhS1VvVUt2bktha1dYVmpvRGg4NkRk?= =?utf-8?B?d1prd0ExNVpxSUpqOU5CZ24zVHlxelVuZk9IbmRac2RrTHF3elNldSttbGpj?= =?utf-8?B?WlRoT2VLTDQzZUtuV3hHSy94eVQ0OXpwZlRkMWhrNWNET2QwRm1XVVdGTGNJ?= =?utf-8?B?Q1RVSEFiQWdBYk5IVEZvRGdWMWo0SHJvYzBVZ3MxQmMxL041UGo2SVVOdG5w?= =?utf-8?B?Rm9UZnZHZzE0SzQ0WnZkVTVjMS8zYzB5TkhFOEVTVXNqVVEyem0yKzJYY0tF?= =?utf-8?B?VjlkVTNqbGYzYldET3JPYm1WaVQyTjlnQ1U5bkZQWGlHQ0VyZmlYck5EWVRS?= =?utf-8?B?WlJuQ0Y1TXMrWk9zSlNqQk9rajR4MWYyYmJpSjU0Y3ZkbXNZVzgrdDBvMDdi?= =?utf-8?B?M2lyekpqVGh4Z295WThrQzVrS2lmTWNvVHpPZG9SWFVxY2JKRkgzOUYyLzAx?= =?utf-8?B?eXpPRmd5NUtQN21VcytXeVY4aEdET3hyVHRmOWxoUUwwYXB2OVNQZUlPc25s?= =?utf-8?B?L3hMYUdyc1U4bFlMVVpHUjZkVzhSaXVSeUQ1OU9lMUc3MEYwMkxNOTQ2ODVW?= =?utf-8?B?c2xqazJrUjhLOUIxc1hUR3RkbWxEa05FdHgyNkpPV2syM0tKQXlCMmNtS2Ew?= =?utf-8?B?TndLZ2pDbUpKMlh6NnE2YkUxWEdZMGt2R1FNNk1OYUNobHF3aXIyVzg4YTUz?= =?utf-8?B?cUhkOXFocUthSkNkOCtxOWVFT2lZdWlUWVRxK0JtVG5xQS9QTCtEWU9GdUJS?= =?utf-8?B?dXZjdlNhT2RBaXJVSU5wSVpVN01wcDArUE91QWtJVFM0emtXbzR2alVBZkFR?= =?utf-8?B?Wmc5eHowSHRxRzhlVGtsZkhQU3pBQUdxRVF1dmFBM0RmZk9MSVNJa0s1WmlB?= =?utf-8?B?QnJPNFkzak1Da2FiVEJWaUF4WEI5YTdTcnRGQnRLK3FpQ3VZdkM4VjdBMDcw?= =?utf-8?B?dzlxNmZNeGowVWlKRm5aY1Zna0R5SDBPazE5ZkJadjhnZ2RFOUNXazh6UExm?= =?utf-8?B?ZnN6MzdJS3M3UGE1VnMvTUNBdEw0UGNtUzkvYkVja3pOREdRbERkQ3lJVWln?= =?utf-8?B?TnlQcGpWdkRuV3o0RERWNU9OQW5oejVmQk53cHpob1p3SW8vSm1icktIcWtv?= =?utf-8?B?RFVEdjdVS2tBdHY5N3ZMeC8xOURUcGYxYitiQ1lyd2ZMTi80Ri9XVHArR0ZG?= =?utf-8?B?Q2laSXFNaHYwcGV1Z3hpdz09?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <672D64DEFAFD7A48B7BC0B67800CF410@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB3500.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b8910ccb-3582-4cc3-1b0a-08d967a1fd06
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Aug 2021 08:26:08.0767 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: j+d6My6LLHDzsg4tx5HhYyldVJikVH3sYlDwkxjkhbjGpHYteJ6RLBnZd8Hx7o3iZ5h/NMCkp97rL1/TAqgsZmCUQE2i6TFP0jemW33XZ/Y=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2778
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/ysPN6IvwOHoCB5Hov11mJm2Ykss>
Subject: Re: [Lake] Review of KMAC in draft-ietf-lake-edhoc-08
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Aug 2021 08:26:18 -0000

Hello Bob, 

Sorry for slow response. 

Thanks for comments and for your input to this topic! One trigger for bringing in KMAC into this draft in the first place was actually a CFRG thread which you contributed to. At the time we did consider something like what you are proposing in this mail. While it would reduce the number of hash operations it would require quite some changes in the key schedule (see Fig.2 on p.214 of [1] for a not quite up-to-date but nicely drawn figure). Considering the cost for hash operations in comparison to e.g. the public key operations needed we didn't think this optimization warranted a different key schedule for HMAC and KMAC. 

Thanks
Göran

[1] https://www.scitepress.org/Papers/2021/105540/105540.pdf



On 2021-07-30, 21:49, "Lake on behalf of Robert Moskowitz" <lake-bounces@ietf.org on behalf of rgm-sec@htt-consult.com> wrote:

    Greetings Lakers.  ;)

     From a Great Lakes person (only one I have not swum in is Ontario and 
    let me tell you, Superior is COLD!).

    I have looked at your use of KMAC and it is a good start, but not as 
    good as can be done with KMAC.  Please see my draft:

    https://datatracker.ietf.org/doc/draft-moskowitz-hip-new-crypto/

    Not only do I use KMAC for HMAC replacement, but also as the KDF.  I 
    also include Xoodyak, one of the NIST LWC finalists of which only 4 
    include hashing.

    This draft has been implemented in openHIP and reviewed by Team Keccak.

    WRT to use as a KDF.  In my discussions with NIST and Team Keccak 
    (including F2F at IACR RWC Jan '20) KMAC directly does the 
    extract-and-expand.  You do not need to invoke KMAC twice.


    In SP800-56Cr1 sec 8.3, KMAC is not included in a 2-step KDF as it is 
    waiting SP800-108 update.  But in my research I see KMAC doing exactly 
    what it takes the two HMAC steps to accomplish.  Team Keccak has 
    confirmed this revaluation.  NIST has hedged its position, as one would 
    expect, but they have not said no (again F2F discussions in Dec '19).


    Further you should point out that HMAC needs 2 hash operations to KMAC's 
    single sponge invocation.  This is an important performance 
    consideration in constrained devices.  Even if SHA-256 is marginally 
    faster than KMAC-128 (same strength), it is not twice as good.

    On top of that KMAC as a KDF replaces two or more HMACs (depending on 
    how many key bits needed).  Again a performance gain.

    I would be happy to work with the draft authors on changes in KMAC usage.

    Also NIST is stating that the LWC will conclude by end of 2021.  It 
    behoves Lake to look hard at the LWC finalists that do hashing. This 
    could be saved for a separate draft, depending on expected completion 
    and last call of lake-edhoc.

    thank you for consideration.

    -- 
    Lake mailing list
    Lake@ietf.org
    https://www.ietf.org/mailman/listinfo/lake