But early on the submitters went for SHA3 as following a question on this forum it was stated NIST preferred when using a RO in a XOF construction to have one which was actually one which could be proved indifferentiable. This leaves only the SHA3 based XOFs from the NIST standards.
Is this preference now changed in that if a XOF theoretically is required then one can use an AES based PRG instead?
On 24 July 2020 22:37:37 CEST, "'Perlner, Ray A. (Fed)' via pqc-forum" <pqc-...@list.nist.gov> wrote:
Hi Simon,
SHA2 and AES are as much NIST approved cryptographic primitives as SHA3 and SHAKE. When standardizing public key cryptography that uses symmetric primitives, NIST has historically tended to write our standards in such a way as to accommodate the use of any NIST approved symmetric primitive that implements the appropriate functionality. We anticipate that parties who implement our standards will have a variety of different preferences regarding NIST approved symmetric primitives, and NIST will likely continue to seek to accommodate those preferences as long as it doesn’t harm security. As such, we think it’s great that the submitters are thinking about the available options now.
--The NIST PQC team
-----Original Message-----
From: pqc-...@list.nist.gov <pqc-...@list.nist.gov> On Behalf Of Simon Hoerder
Sent: Thursday, July 23, 2020 1:36 PM
To: pqc-forum <pqc-...@list.nist.gov>
Subject: [pqc-forum] "90s" version parameter sets
Hi,
some candidates that progressed to round 3 have proposed additional "90s" version parameter sets that replace SHA-3/SHAKE with AES/SHA-2.
What is NIST's position on those parameter sets?
In particular, does NIST only consider them as a crutch to estimate performance in the "what would it look like if chip x had a SHA-3/SHAKE hw accelerator instead of AES" scenario? Or is NIST considering to include those parameter sets in a standard given that AES/SHA-2 have wide-spread hw support?
I understand that NIST probably doesn't have a definite answer to this question. Just trying to get a little more clarity on the state of the competition in that respect.
Thanks,
Simon
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-...@list.nist.gov.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/20200725133302.GS1856%40disp2634.
That's true, but at least for Kyber, a large portion of the AES
computations are used to expand the public matrix A, so there using a
table-based implementation is fine.
Obviously there are details that I am missing, that you would understand. I
simply wanted to stress that the importance of AES hw support should not be
underestimated.
I therefore wonder if having long term hw(hopefully)/sw and short term hw/aes
variants might be a good way to go?
>> Most new cortex m3/m4 chips now have AES constant time available.
> You mean as coprocessors, not as part of the ARM Cortex-M4 core, right?
I mentioned a separate processor but energy micros chips that silabs acquired,
have had memory mapped AES hardware on their cortex-m3s for > 10 years.
I haven't done an analysis but I know that our server product has AES hw
acceleration in both it's main processor and it's microchips. I find it hard to
believe that anyone would produce a design without hw AES being available these
days. I even implemented a CHACHA PRNG in sw but then dropped it when the new
chips with AES TRNGS, came out.
> How many of these CPUs does the same software support?
I'm not sure that I understand this question? I'm not actually a huge fan of
AES-GCM and prefer AES-SIV myself, but then I am not running a huge cloud service.
"Looking forward to NIST's comments on whether NIST will, for
non-performance reasons, penalize NISTPQC submissions that upgrade from
AES-256-CTR to ChaCha20."
Indeed, we will also “penalize” NISTPQC submissions that upgrade to Haraka, Ascon, Whirlpool, MD5, BLAKE2, Simon, SM3, or Bass-O-Matic cipher in exactly the same way.
The PQC standardization process is not a competition to choose new symmetric primitives to standardize. (We have one of those going on, too—the lightweight cryptography standard.) Chacha is not a NIST standard, any more than Simon or SM3. Perhaps this is a terrible oversight, and we should have standardized all three. Perhaps we should consider standardizing them in the future. But right now, none of them are NIST standard algorithms, and so we’re not going to treat them as though they were a NIST standard. There are a *lot* of perfectly fine crypto algorithms that aren’t NIST standards.
We want to measure the performance of these PQC algorithms with NIST standard algorithms, so that we can assess how they will work out when used in FIPS compliant hardware or software. We want, as much as possible, for the analysis of these submissions to be something that stands alone, rather than something that turns on some additional cryptographic primitive that we have to analyze at the same time as we analyze all the other parts of the submission.
Now, we aren’t offended if you want to do an implementation of SPHINCS+ based on Haraka (as you have done) and show its performance numbers. That’s kind-of interesting to see. But we’re not going to compare that performance to the performance of other schemes that used SHA2 or SHA3, because that wouldn’t be a fair comparison.
If we eventually standardize (for example) SPHINCS+, we will be expecting FIPS compliant implementations to use NIST standard hashes--SHA2 or SHA3. That’s true, even though Haraka may be just fine in security terms in this application. It’s true, even though some other people not worried about FIPS compliance will implement SPHINCS+ with Blake2 or SM3 or Streebog. The performance numbers that matter for us are the ones using NIST standard algorithms, both for the headline stuff like hashing, and for more complicated stuff like expanding a seed into a large string. Because when we standardize some of these schemes, their performance is going to have to be based on NIST standard algorithms, because that’s what they’ll be using.
There are places where using a nonstandard algorithm is defensible--consider the use of LowMC in Picnic. But also note that the use of this nonstandard algorithm is a major source of concern for us in any eventual standardization decision, and also that the Picnic designers have to spend extra time justifying the way LowMC is used in Picnic (it’s not really assumed to be a general-purpose secure cipher--the attacker basically gets one plaintext/ciphertext pair under an unknown key and can forge signatures if he can find any key that maps the plaintext to the ciphertext.).
Suppose someone sticks a PRG based on Simon into their PQC submission to improve its performance. We are not obliged to accept the claim that this is just as good as using AES unless we can find an attack. (“Hey, we got it from a very trusted source--when have they ever done us wrong?”) Instead, I think we can just say “no, we need you to use a NIST standard algorithm for this function.” And the same is true for Chacha, Whirlpool, Snefru, Streebog, Speck, IDEA, Twofish, and any number of other crypto primitives that are probably quite secure, but that aren’t NIST standard algorithms and so we don’t default to trusting them.
The NIST PQC team
Key Gen (cycles) |
Enc (cycles) |
Dec (cycles) |
Public Key (bytes) |
Ciphertext (bytes) |
|
Kyber-768-90s |
27316 |
29476 |
25248 |
1184 |
1088 |
Kyber-768 |
53464 |
74040 |
63916 |
1184 |
1088 |
On 30. Jul 2020, at 18:14, 'David A. Cooper' via pqc-forum <pqc-...@list.nist.gov> wrote:
There seems to be a concern in this thread that submitters may feel pressured to use primitives such as AES and SHA-2 in their parameter sets even they would prefer to use other NIST-approved primitives, such as SHAKE. A scheme that uses primitives such as AES that can take advantage of current hardware will be faster than one that uses SHAKE, and there seems to be a concern that NIST will simply select the scheme that advertises that fastest performance. While the difference in computational performance between a parameter set that uses AES and SHA-2 compared to one that uses Keccak is useful input, it seems very unlikely that this difference will have any impact on the final decision of which KEM to standardize.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/82b468d8-6e0f-9384-02bd-250146a94dff%40nist.gov.
Enc (cycles) |
Dec (cycles) |
Public key
(bytes) |
Ciphertext
(bytes) |
Overall cost |
|
Kyber-768-90s |
695,432 |
708,683 |
1184 |
1088 |
2,226,816 |
Kyber-768 |
1,047,720 |
985,976 |
1184 |
1088 |
1,597,235 |
Saber |
1,616,000 |
1,759,000 |
992 |
1088 |
3,551,800 |
Hi,
As it is now clear that NIST is recommending CRYSTALS-Kyber and CRYSTALS–Dilithium as the primary algorithms it might be good to revive this thread.
The current CRYSTALS specifications use the following algorithms:
Kyber: SHAKE128, SHAKE256, SHA2-256, SHA3-512
Kyber 90s: AES-256, SHA-256, SHA-512, SHAKE256
Dilithium: SHAKE256, SHAKE128
Dilithium 90s: SHAKE256, AES-256
Kyber 90s looks very messy with four different primitives and will likely lead to more implementations with side-channel vulnerabilities. I would strongly prefer if NIST only standardized CRYSTALS with Keccak. That would hasten general support for hardware acceleration of Keccak. The best would have been if NIST said clearly 5 years ago that PQC will only use Keccak. That many CPUs today have acceleration of SHA-1 but not SHA-3 is just tragic and should not be rewarded.
The only reason to standardize the 90s versions would be short-term speed improvements before Keccak hardware acceleration is generally available. I am not sure that extra speed is necessary. Kyber and Dilithium already have very good performance and the performance will improve when Keccak hardware acceleration is generally available. Specifying 90s versions would delay general availability of Keccak hardware acceleration and reward vendors that are stuck in the 90s.
I also strongly think NIST should go ahead and specify the AEAD mode of Keccak that we were promised. For vendors wanting crypto-agility and NIST compliance, the lack of an NIST approved Keccak-based AEAD mode is problematic. A lot of constrained hardware and software implementations would like to implement a single NIST approved cryptographic primitive and use that for CCA-encryption, CPA-encryption, variable-length hash, variable-length MAC, KDF, etc. Currently that is not possible.
Cheers,
John Prueß Mattsson