
[STDS-802-11-TGBC] Comments on use of Keccak Functions in 11bc and Monday call



TGBC participants:

I have not been following work on 11bc, as my attention has been on unmanned aviation over the past year.  No need for details of that here.  I was pointed to your use of SHAKE and KMAC only Thursday; September is a "Swiss cheese" month for me with all the Jewish Holidays (I am offline a LOT of days through the end of the month).

I have taken a quick read through sec 12.13.3.3 and have some initial comments.  I should preface this with I have been working with FIPS 202 and SP800-185 in specifications for a couple years.  I REALLY like the Keccak function...

You have not properly specified the SHAKE function:

SHAKE128(M, d)

where d is the output length in bits.

I would recommend using cSHAKE over SHAKE to add a customization bit string, e.g.:

cSHAKE128(X, L, "", "802.11bc")

This will produce a separate domain from any other usage that has the same input.  Maybe never needed, "but it doesn't hurt".

I do recommend your use of KMAC.  KMAC is a single Keccak call (hash) that works like HMAC but needs 2 underlying hash calls.  Thus KMAC has twice the efficiency over HMAC (assuming SHA-2 to SHAKE being close to equal).

But again your call is deficient:

KMAC128(K, X, L, S)

Please be exact in your specification of use of KMAC.  I cannot figure out what you are using for S in your description...

Follow the use of NIST call parameters.

For examples of how I am using cSHAKE, see:

https://datatracker.ietf.org/doc/draft-ietf-drip-rid/

For cSHAKE, KMAC and more see:

https://datatracker.ietf.org/doc/draft-moskowitz-hip-new-crypto/


I can only be on the call Monday until 11:45; I have to leave for a doctor's appointment that got changed.

I can work with you on improving your text in use of SHAKE (or cSHAKE) and KMAC.

As a side note, if you are doing a key derivation function, KMAC can be directly used.  This is a real improvement over HKDF.  Again see my draft-moskowitz-hip-new-crypto to see how I use it and discussion behind using KMAC for a kdf.


Robert Moskowitz
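
The fully parameterized calls the message asks for, SHAKE128(M, d), cSHAKE128(X, L, N, S) and KMAC128(K, X, L, S), written out following FIPS 202 and SP 800-185 as an added example; it is not part of the original message or of the 11bc draft. It is a from-scratch Python reference for study (slow, byte-aligned inputs, L a multiple of 8), and the function names are this example's own.

```python
RATE = 168                        # cSHAKE128/KMAC128 rate in bytes (1344 bits)

def rol(v, n):                    # 64-bit rotate left
    return ((v << (n % 64)) | (v >> (64 - n % 64))) & (2**64 - 1)

def keccak_f(a):                  # Keccak-f[1600] on 5x5 lanes a[x][y]
    r = 1
    for _ in range(24):
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        a = [[a[x][y] ^ c[x - 1] ^ rol(c[(x + 1) % 5], 1) for y in range(5)] for x in range(5)]
        x, y, cur = 1, 0, a[1][0]
        for t in range(24):       # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, a[x][y] = a[x][y], rol(cur, (t + 1) * (t + 2) // 2)
        a = [[a[x][y] ^ (~a[(x + 1) % 5][y] & a[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]
        for j in range(7):        # iota: round-constant bits from an LFSR
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            a[0][0] ^= ((r >> 1) & 1) << ((1 << j) - 1)
    return a

def sponge(msg, suffix, nbytes):  # suffix: 0x1F for SHAKE, 0x04 for cSHAKE
    p = bytearray(msg) + bytes([suffix])
    p += bytes(-len(p) % RATE)
    p[-1] ^= 0x80                 # closing bit of pad10*1
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(p), RATE):
        for i in range(RATE // 8):
            a[i % 5][i // 5] ^= int.from_bytes(p[off + 8 * i:off + 8 * i + 8], "little")
        a = keccak_f(a)
    out = b""
    while len(out) < nbytes:
        out += b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(RATE // 8))
        a = keccak_f(a)
    return out[:nbytes]

def enc(x, left=True):            # left_encode / right_encode
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return bytes([len(b)]) + b if left else b + bytes([len(b)])
def encode_string(s):             # bit length of s, then s
    return enc(8 * len(s)) + s
def bytepad(x):                   # enc(RATE) is always 2 bytes for RATE = 168
    return enc(RATE) + x + bytes(-(len(x) + 2) % RATE)

def cshake128(X, L, N, S):        # L = output length in bits, N/S = bytes
    if not N and not S:
        return sponge(X, 0x1F, L // 8)        # identical to SHAKE128(X, L)
    return sponge(bytepad(encode_string(N) + encode_string(S)) + X, 0x04, L // 8)
def kmac128(K, X, L, S):          # L is encoded into the input, unlike cSHAKE
    return cshake128(bytepad(encode_string(K)) + X + enc(L, False), L, b"KMAC", S)
```

With N and S both empty, `cshake128` is SHAKE128; with S set to `b"802.11bc"` the same X gives unrelated output. Because KMAC encodes L into its input, a 128-bit KMAC output is not a prefix of the 256-bit one, which is why L and S have to be stated exactly.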
