Hi,
1) Using cSHAKE/KMAC seems nice, but I don't know the details of how it affects implementation complexity/performance. I trust NIST/the authors to make right choices.
2) Yes. I think it is a good idea to use a 12-round version of Keccak ("TurboSHAKE") . As stated, TurboSHAKE seems to be a cryptographically secure hash function with a good margin. I don't see any problems using it for the Kyber XOF which have lower requirements. I don't think phrasing Kyber in terms of Keccak is a disadvantage. I think is it essential that implementations support lower-level functions like Keccac-p and the AES round function. FIPS 202 clearly states that other KECCAK-p permutations may be specified in the future. Any implementation not adhering to this have themself to blame. Kyber will likely be with us for many decades, optimize for the future, not HW already on the market.
Cheers,
John
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit
https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-23f1e0775bec839e&q=1&e=ac8cfa17-34b0-4bb7-bb91-d4d4469c80a4&u=https%3A%2F%2Fgroups.google.com%2Fa%2Flist.nist.gov%2Fd%2Fmsgid%2Fpqc-forum%2FY4vx7fyh%2FDWcjGrv%2540disp3269.
Both of these proposals make sense. However, I’d like to underscore the importance of:
I’d love to see TurboSHAKE there – assuming NIST makes it a standard.
Thanks!
P.S. If that NIST-blessed PRF turns out to be SHA2-based, not SHA-3, I’ll welcome that, as it seems that the world-wide PKI is stuck with SHA-2 for foreseeable future – thus all the PK-related crypto will have to support it no matter what.
P.P.S. If the world decides that one standard secure hash family is enough, and deprecates either one of the two (I don’t particularly care which one), it would be great. Of course, I doubt I’d see it, but one is allowed to hope… ;-)
--
V/R,
Uri
There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/HE1PR0701MB3050431EFB913EAC9C524FA989199%40HE1PR0701MB3050.eurprd07.prod.outlook.com.
Thanks, Mike.
We have looked at a softcore based design with a SHAKE coprocessor (without the NTT acceleration). Our findings support your comments below.
The actual changes to the code to go to 12 rounds seem rather minor (granted we are not working on a production-quality implementation).
The software-only version, of course, is a different story.
-david
From: <pqc-...@list.nist.gov> on behalf of Mike Hamburg <mi...@shiftleft.org>
Date: Friday, December 9, 2022 at 9:54 AM
To: Peter Schwabe <pe...@cryptojedi.org>
Cc: "Markku-Juhani O. Saarinen" <mjos....@gmail.com>, pqc-forum <pqc-...@list.nist.gov>, John Mattsson <john.m...@ericsson.com>, "Blumenthal, Uri - 0553 - MITLL" <u...@ll.mit.edu>
Subject: Re: [pqc-forum] Kyber decisions, part 1: Symmetric crypto
On Dec 9, 2022, at 1:14 PM, Peter Schwabe <pe...@cryptojedi.org> wrote:
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/D58209AC-08F2-4854-813D-06FB0875C2F4%40shiftleft.org.
At the 4th NIST PQC Standardization Conference, Gilles Van Assche gave a talk entitled "12 round-Keccak for secure hashing". Shortly after, Peter Schwabe asked for feedback (on behalf of the Kyber team) if the generation of the public matrix A should use a 12-round version of Keccak (i.e. "TurboSHAKE") instead of the standard 24-round version. The main reason for the change would be that using TurboSHAKE would speed up one of the costly subroutines of Kyber by about a factor of 2.
NIST appreciates the feedback provided back to the Kyber team on the pqc-forum. There were several advantages and disadvantages pointed out. We carefully read the arguments, and also discussed the question with our larger crypto team (and not just our PQC team). We wanted to let you know that we are NOT planning on incorporating a 12-round version of Keccak for any of the PQC standards we are currently working on. Our reasons for making this decision are provided below.
While speedups would be welcome, in our view the overall effect on a fully implementation of Kyber (or another PQC algorithm) would likely be modest - something on the order of around 20-25% or so. However, this would be a significant change to make, which would obviously be occurring after the third round, which means it may not receive as much public scrutiny and analysis. While the security requirements on the output of a reduced-round version of Keccak used for generating the A matrix are weak, we do not feel they have been completely described and studied. The Kyber team also pointed out a disadvantage in that moving to a 12-round version of Keccak would require phrasing the function in terms of lower-level functions of FIPS202 instead of simply using one of the SHA3/SHAKE functions. Considering the above, we did not feel the potential advantages outweighed the disadvantages. NIST encourages further study of TurboSHAKE.
Dustin Moody
NIST PQC team
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+unsubscribe@list.nist.gov.
2.) Should the generation of the public matrix A use a 12-round version
of Keccak ("TurboSHAKE") instead of the standard 24-round version.
This was proposed by the Keccak team and speeds up one of the most
costly subroutines of Kyber by a factor of 2. All properties one
would expect from a hash function are achieved by Keccak with 12
rounds (by a comfortable margin!). Also, the requirements on the
output of this function are rather weak; informally it should look
uniformly random and not interact in weird ways with the lattice
problems. The main disadvantage of moving to a 12-round version of
Keccak is that it requires phrasing the function in terms of
lower-level functions of FIPS202 instead of simply using one of the
SHA3/SHAKE functions.
Regardless of whether NIST standardizes “TurboSHAKE” or not?
--
V/R,
Uri
There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/e91446b7-8f1d-42d6-8cf7-47f71eb8d33cn%40list.nist.gov.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+unsubscribe@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/e91446b7-8f1d-42d6-8cf7-47f71eb8d33cn%40list.nist.gov.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+unsubscribe@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/BN0P110MB141974D1E86C0C5F763058C5908E9%40BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM.
Hi @Adam.
I’m looking at figure 4 of FIPS202 (“Table 4: Security strengths of the SHA-1, SHA-2, and SHA-3 functions”.)
Have the security strengths for TurboShake128 and TurboShake256 been documented?
From: 'Adam Langley' via pqc-forum <pqc-...@list.nist.gov>
Sent: March 30, 2023 9:55 AM
To: pqc-forum <pqc-...@list.nist.gov>
Cc: Peter Schwabe <pe...@cryptojedi.org>; aut...@pq-crystals.org <aut...@pq-crystals.org>
Subject: [pqc-forum] Re: Kyber decisions, part 1: Symmetric crypto
On Saturday, December 3, 2022 at 5:04:05 PM UTC-8 Peter Schwabe wrote:
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit
https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/e91446b7-8f1d-42d6-8cf7-47f71eb8d33cn%40list.nist.gov.
Hi @Adam.
I’m looking at figure 4 of FIPS202 (“Table 4: Security strengths of the SHA-1, SHA-2, and SHA-3 functions”.)
2.) Should the generation of the public matrix A use a 12-round version
of Keccak ("TurboSHAKE") instead of the standard 24-round version.
This was proposed by the Keccak team and speeds up one of the most
costly subroutines of Kyber by a factor of 2. All properties one
would expect from a hash function are achieved by Keccak with 12
rounds (by a comfortable margin!). Also, the requirements on the
output of this function are rather weak; informally it should look
uniformly random and not interact in weird ways with the lattice
problems. The main disadvantage of moving to a 12-round version of
Keccak is that it requires phrasing the function in terms of
lower-level functions of FIPS202 instead of simply using one of the
SHA3/SHAKE functions.