So looking forward to buying a copy of this! As a writer with a bit of an atrophied crypto background, going through the online text, being able to start with why we need a hash function does a lot to tease out what they are and how they work. Leading with how we need to be able to prove some data has not been altered or tampered with, because reasons - may seem trite, but when we get deeper into how you do that, being able to link it back to that reason helps the reader develop and ontology of the concepts.
I like your diagrams (I used sequence diagrams as a way to visualize BAN logic for protocols in my own stuff), and they will really elevate the discussion.
Why use an HMAC instead of a KMAC? Why would anyone want to derive a key? When does it matter whether you use an integer or Galois field counter? Why bother calling it a GF when it's just binary anyway? Why would I chose a protocol that used a symmetric cipher over an asymmetric one? When I was working on (and breaking) tokenization protocols, the discussions I was in started with getting developer agreement on why we needed to use a given primitive, and then asking how/whether each implementation decision supported that need. It's the old "start with why" method of explaining.
Ordinarily I wouldn't be so free with opinions on someones work, but systems designed to frustrate humans ability to comprehend them, shockingly, are among the most difficult subjects to write about. So looking forward to a copy, as admittedly I still find some more modern concepts a bit mystifying.
No need to wait. You can buy the book right now, as it’s being published in Manning’s Early Access Program. You get it in epub, mobi and pdf formats, with updates as new chapters are written. And the hard copy when it’s done, if you signed up for it. (I settled for just the ebook myself, as I have been drowning in physical books for years now.)
First, SHA-3 (and thus KMAC) isn't particularly performant without hardware acceleration, and hardware acceleration (ASICs/special CPU instructions) isn't really available yet. So if you're not on an FPGA, KMAC will be slow.
Second, SHA-3 isn't available as a builtin in most libraries, so it requires another import.
Third, Blake2/Blake3 are faster in software and support similar MAC modes. So until hardware comes out with SHA-3 intrinsics that's a nicer alternative to HMAC.
> Why would anyone want to derive a key?
Lots of reasons!
You might need to derive a fixed-size key from a passphrase. This requires a password-based KDF, like Argon2 or scrypt.
You might need to derive a key from a field element like the result of a Diffie-Hellman exchange. The raw result isn't generally suitable for use as a key, since it's not likely the right size and might be biased.
You might need to derive a sequence of keys from an initial value, say to provide forward secrecy like Signal's double ratchet algorithm.
> When does it matter whether you use an integer or Galois field counter? Why bother calling it a GF when it's just binary anyway?
These two questions are related. Fields are used because they satisfy certain mathematical properties that the integers don't. Galois fields are used because they don't require floating-point or rational values, everything within them is an integer (of some special representation). We call it a GF element instead of an integer because it's not just binary any more than a .jpg image is just binary. It's representing something specific, and the usual arithmetic operations are implemented differently for elements of a field than they are in general. Many systems store the (binary) coefficients of rather high degree polynomials in the bits of an integer, and then add & multiply polynomials. The results will be different than if you added or multiplied the relevant integers, the operations share a name but are not identical. Others use things like elliptic curve points (with an X & Y coordinate), which clearly aren't integers even if both coordinates are.
> Why would I chose a protocol that used a symmetric cipher over an asymmetric one?
Symmetric ciphers are much, much faster.
Symmetric keys are much smaller.
Symmetric ciphers tend to be far easier to implement safely, and far more resistant to cryptanalitic attack. They're generally just safer.
Mostly agree! If I were explaining these concepts to someone, I would lead with your answers, setting them up as problems where the thing I wanted to explain was the solution.
e.g. We need to prove to a counterparty that some data has not been tampered with, we're limited to the processing power of the IC on a smart card, and the whole protocol can't take more than a couple of seconds including network latency. Do we just self-assert the integrity of the message using an HMAC, or do we need to prove the data hasn't been replayed or injected? In the latter case, we might need an additional key/secret to verify that transaction integrity as well, implying KMAC.
The part about counters gets weird, because it's unclear (to me) in some implementations whether the GF counter is supposed to act as an additional secret/diversification component with enough entropy to be a secret, implying that the function that generates it is also a cryptographic function, with a seed, which becomes in effect just another key to manage.
Of course this could be a misunderstanding on my part as well, and without a BAN protocol diagram, it's hard to reason about. Some of the stuff I worked on, the designers basically kept nesting key management problems until people stopped listening. I've posted this a few times I think, but I share it with everyone, as it's a great reference for how these things are designed. http://www.lsv.fr/Software/spore/index.html
I like your diagrams (I used sequence diagrams as a way to visualize BAN logic for protocols in my own stuff), and they will really elevate the discussion.
Why use an HMAC instead of a KMAC? Why would anyone want to derive a key? When does it matter whether you use an integer or Galois field counter? Why bother calling it a GF when it's just binary anyway? Why would I chose a protocol that used a symmetric cipher over an asymmetric one? When I was working on (and breaking) tokenization protocols, the discussions I was in started with getting developer agreement on why we needed to use a given primitive, and then asking how/whether each implementation decision supported that need. It's the old "start with why" method of explaining.
Ordinarily I wouldn't be so free with opinions on someones work, but systems designed to frustrate humans ability to comprehend them, shockingly, are among the most difficult subjects to write about. So looking forward to a copy, as admittedly I still find some more modern concepts a bit mystifying.