On 1/24/20 1:41 PM, Michael Richardson wrote:
Robert Moskowitz <[email protected]> wrote:
> I would actually like to make a presentation at SAAG about KMAC as a KDF
and
> why the IETF should incorporate it.
> SP 800-185 was published back in Dec 2016. This clearly shows how to use
> KMAC as a replacement for HMAC. Many in the security community
'rejected'
> SHA3 as only marginally faster than SHA256. They missed that thus KMAC
is 2x
> as fast as HMAC-SHA256!
I guess you saying that KMAC does not require two passes of the underlying
hash when used with SHA3? Or is it in general?
KMAC **IS** SHA3.
Or rather both are based on the same Keccak function.
First look at FIPS 202, sec 6.2, for how SHAKE is constructed compared
to SHA3.
Then 800-185 and how cSHAKE and KMAC are functions built on SHAKE.
So in terms of computational costs KMAC and SHA3 are very close. It is
really a more a question of how the bit stream is fed into the sponge
and then how bits are squeezed out of the sponge.
And that is why not needing two distinct passes.
The sponge is inherently two passes. First the sponge absorbs your bit
stream, then squeeze out bits as you need them. See figure 7 in FIPS
202 on this.
Perhaps the difference between HKDF and KMAC as a KDF is how other info
is fed into the process. In HKDF, there is other info in each step of
the process. In KMAC all bits are absorbed before any squeezing. And
you squeeze out all you want before using it.
See fig 1 in Sec 5 of 800-56Cr1 and compare it to the above fig 7.
Hope this helps.
Bob
_______________________________________________
Hipsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/hipsec
