Gilles Van Assche @docgcrypto

40 posts

Enthusiastic member of @KeccakTeam — cryptographer at ST — professor at Université Libre de Bruxelles ad interim

Brussels, Belgium · Joined May 2019
255 Following · 198 Followers

Yannik Schrade @yrschrade
Today we've released v0.4.0 of @Arcium:
- Full support for <encrypted> Ed25519 keygen and sig verification
- SHA-3 hashing in <encrypted> instructions
- Arcium Profiler
- Anchor v0.32.1 compatibility
- Auto-sync keys
- Many performance optimizations
mpc/acc☂️

    Quoting Arcium ☂️ @Arcium:
    We're excited to announce the Arcium v0.4.0 release. This update brings new features, performance optimizations, and developer experience improvements. We encourage all developers to migrate to v0.4.0 and leverage these updates for more efficient development on Arcium. Details below.

Gilles Van Assche @docgcrypto
@jedisct1 You are free to define anything you want, but personally I prefer and recommend sticking to 12 rounds.

Frank @jedisct1
Would you despise me for all eternity if I dared to go with 10 rounds of Keccak-p, @docgcrypto?

Gilles Van Assche @docgcrypto
@cronokirby It is not usual that you can halve the number of rounds of a standard primitive and still get a comfortable safety margin. 😀

mjos\dwez @m-jos.bsky.social @mjos_crypto
Basically, XKCP is too complicated for its own good. FIPS 202 SHA3/SHAKE specs are not the easiest to translate to correct code, but the "official" Keccak implementation is just incredibly big/cumbersome. (This was CVE-2022-37454 -- fixed in fall '22.) eprint.iacr.org/2023/331

Gilles Van Assche retweeted
Lionel Rivière @mangeurdpommes
@KeccakTeam 🤣 That's a way to say non ADD, ROT, XOR!

Gilles Van Assche retweeted
The Keccak Team @KeccakTeam
Xoodoo is too cool to fall for linear and differential cryptanalysis! New trail bounds for Xoodoo, a bug fix, and confirmations by an independent team of researchers. keccak.team/2021/updated_b…

🦣 @dalias@hachyderm.io 🦣 @RichFelker
I am irrationally overly angry that SHA3 followed the "let's gratuitously work with 64-bit words and lock out efficient tiny-embedded implementations" bandwagon when the underlying construct would have supported 32-bit with no loss.

rvk @_rvklein_
@oconnor663 Thank you very much! I actually had not heard of that at all until you had mentioned it here. [Or I missed it, which happens.] I was hoping there would be more work on/with this sort of sponge function construction coming up and it seems as though that is also happening as well.

Jack O'Connor @oconnor663
Announcing BLAKE3! My last 1.5 years of work :)
* Faster than MD5, SHA-1, SHA-2, SHA-3, and BLAKE2
* Merkle tree: unlimited parallelism, verified streaming
* Builtin MAC, KDF, XOF
* One algorithm, no variants
* Rust crate: crates.io/crates/blake3
Try it: cargo install b3sum

Frank @jedisct1
@docgcrypto @tylrtrmbl If an API supports non-empty key IDs, would you recommend falling back to a dedicated ABSORB for the nonce? Or use something like len(key_id)||key_id||nonce for the initialization?

Frank @jedisct1
The AMA with Joan Daemen is about to start! #fse2020

Gilles Van Assche @docgcrypto
@xorhash @oconnor663 "Double invocation": actually the cost only amounts to an extra block to absorb the key. Also, HopMAC has interesting properties w.r.t. side-channel attacks.

xorhash @xorhash
@oconnor663 As far as I know, BLAKE3 has a trivial native MAC mode though and HopMAC for K12 specified in draft-irtf-cfrg-kangarootwelve-04 needs double invocation of K12. I'm not aware of there being an officially condoned, performant alternative to HopMAC.

David Wong @cryptodavidw
The world of hash functions is annoying af: SHA-3 is standardized, but Argon2 uses BLAKE2, but there is BLAKE3, but Ed25519 uses SHA-2, but...

Frank @jedisct1
@docgcrypto @tylrtrmbl While you're here :) Could you clarify how you are planning to integrate the nonce with the key ID in Xoodyak? Has that tweak been documented somewhere?

Gilles Van Assche @docgcrypto
@oconnor663 @cryptodavidw @zooko Is efficiency the only relevant metric in symmetric crypto? :-) Anyway, efficiency goes beyond plain software speed and includes things less directly measurable, e.g., energy on dedicated circuits, protections against side-channel attacks.

Jack O'Connor @oconnor663
@cryptodavidw @zooko The best comparison I know of is our graphs in the BLAKE3 paper. K12 and B3 have very similar peak throughput on x86. Currently the official implementation of B3 leads by a bit. B3's advantage is larger for short inputs, and on 32-bit systems.

Gilles Van Assche @docgcrypto
@bascule @cryptodavidw "Garbage" is a strong word, but clearly I agree with you that the SHAKEs are the better instances of FIPS202. Hopefully now the idea of disentangling output sizes and security strength levels makes its way. Hence new projects should consider using XOFs instead of fixed hashes.

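The point in the post above, that a SHAKE lets you pick the output length separately from the instance's security strength, is easy to see in code. The following is an added example, not code from the original thread or from the Keccak Team; it uses only Python's standard hashlib, and the function names (xof_digest, output_len_for_strength, is_prefix_consistent, matches_fixed_sha3_256) are my own for illustration. It derives the output length from a target collision-resistance level using the FIPS 202 security claims, shows that a shorter SHAKE output is a prefix of a longer one, and shows that SHAKE256 truncated to 32 bytes is not SHA3-256, because FIPS 202 domain-separates the two with different padding.

```python
import hashlib

# FIPS 202 security claims for the XOFs, in bits, as a function of the
# output length d (in bits): collision resistance is min(d/2, cap) and
# preimage resistance is min(d, cap), where cap is 128 for SHAKE128 and
# 256 for SHAKE256.  The cap is the only thing the instance fixes; the
# output length is a free parameter chosen by the caller.
XOF_CAP_BITS = {"shake_128": 128, "shake_256": 256}


def xof_digest(data: bytes, out_len: int, variant: str = "shake_256") -> bytes:
    """Squeeze out_len bytes from the chosen SHAKE instance (hashlib names)."""
    if variant not in XOF_CAP_BITS:
        raise ValueError(f"unknown XOF variant: {variant}")
    return getattr(hashlib, variant)(data).digest(out_len)


def output_len_for_strength(strength_bits: int, variant: str = "shake_256") -> int:
    """Smallest output length in bytes at which the XOF's collision-resistance
    claim reaches strength_bits; refuses strengths the instance cannot reach."""
    cap = XOF_CAP_BITS[variant]
    if strength_bits > cap:
        raise ValueError(f"{variant} caps out at {cap}-bit security")
    # collision resistance is d/2 bits, so d = 2 * strength (rounded up to bytes)
    return (2 * strength_bits + 7) // 8


def is_prefix_consistent(data: bytes, short_len: int, long_len: int) -> bool:
    """A shorter XOF output is a prefix of a longer one for the same input;
    this is what lets one instance serve every digest size."""
    return xof_digest(data, short_len) == xof_digest(data, long_len)[:short_len]


def matches_fixed_sha3_256(data: bytes) -> bool:
    """True only if SHAKE256 truncated to 32 bytes equals SHA3-256.  It never
    does: FIPS 202 pads the two with different domain-separation bits."""
    return xof_digest(data, 32) == hashlib.sha3_256(data).digest()


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input, not from the page
    for s in (128, 192, 256):
        n = output_len_for_strength(s)
        print(f"{s}-bit collision strength -> SHAKE256 with {n}-byte output: "
              f"{xof_digest(msg, n).hex()}")
    print("prefix consistent:", is_prefix_consistent(msg, 32, 64))
    print("equals SHA3-256:", matches_fixed_sha3_256(msg))
```

The practical consequence for a new design is that you state the strength you need (e.g. 128 bits against collisions), derive the output length from it, and keep the same SHAKE instance throughout; the fixed-size SHA3-n functions bake one particular output length into the name.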
Gilles Van Assche @docgcrypto
@jedisct1 @tylrtrmbl What are the properties you have in mind? Sure they share the same 12×32 bits structure, but as far as diffusion is concerned, Xoodoo and Gimli take different approaches.

Frank @jedisct1
@tylrtrmbl I also use Xoodoo for other projects. Both are great, they have similar properties, and can be used the same way. Both are in round 2 of the LWC competition. I like the well-defined Cyclist mode that Xoodoo can be used with, though.