From: Stephan Mueller <smueller@chronox.de>
To: Sandy Harris <sandyinchina@gmail.com>
Cc: Stephan Mueller <stephan.mueller@atsec.com>,
linux-crypto@vger.kernel.org, Theodore Ts'o <tytso@mit.edu>
Subject: Re: AES-NI: slower than aes-generic?
Date: Thu, 26 May 2016 20:49:39 +0200 [thread overview]
Message-ID: <4972668.UQ1QRNriDb@positron.chronox.de> (raw)
In-Reply-To: <CACXcFmnFn_BDv_xLra-gfSTsOP-diTwtvU4_TndLAv+WuXG4DQ@mail.gmail.com>
Am Donnerstag, 26. Mai 2016, 14:20:19 schrieb Sandy Harris:
Hi Sandy,
>
> Why are you using AES? Granted, it is a reasonable idea, but when Ted
> replaced the non-blocking pool with a DBRG, he used a different cipher
> (I think chacha, not certain) and I think chose not to use the crypto
> library implementation to avoid kernel bloat.
>
> So he has adopted on of your better ideas. Why not follow his
> lead on how to implement it?
Using the kernel crypto API one can relieve the CPU of the crypto work, if a
hardware or assembler implementation is available. This may be of particular
interest for smaller systems. So, for smaller systems (where kernel bloat is
bad, but where now these days more and more hardware crypto support is added),
we must weigh the kernel bloat (of 3 or 4 additional C files for the basic
kernel crypto API logic) against relieving the CPU of work.
Then, the use of the DRBG offers users to choose between a Hash/HMAC and CTR
implementation to suit their needs. The DRBG code is agnostic of the
underlying cipher. So, you could even use Blowfish instead of AES or whirlpool
instead of SHA -- these changes are just one entry in drbg_cores[] away
without any code change.
Finally, the LRNG code is completely agnostic of the underlying deterministic
RNG. You only need a replacement of two small functions to invoke the seeding
and generate operation of a DRNG. So, if one wants a Chacha20, he can have it.
If one wants X9.31, he can have it. See section 2.8.3 [1] -- note, that DRNG
does not even need to be a kernel crypto API registered implementation.
Bottom line, I want to give folks a full flexibility. That said, the LRNG code
is more of a logic to collect entropy and maintain two DRNG types which are
seeded according to a defined schedule than it is a tightly integrated RNG.
Also, I am not so sure that simply taking a cipher, sprinkling some
backtracking logic on it implies you have a good DRNG. As of now, I have not
seen assessments from others for the Chacha20 DRNG approach. I personally
would think that the Chacha20 approach from Ted is good. Yet others may have a
more conservative approach of using a DRNG implementation that has been
reviewed by a lot of folks.
[1] http://www.chronox.de/lrng/doc/lrng.pdf
Ciao
Stephan
next prev parent reply other threads:[~2016-05-26 18:49 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-26 16:10 AES-NI: slower than aes-generic? Stephan Mueller
2016-05-26 17:25 ` Jeffrey Walton
2016-05-26 17:30 ` Stephan Mueller
2016-05-26 18:14 ` Stephan Mueller
2016-05-26 18:20 ` Sandy Harris
2016-05-26 18:49 ` Stephan Mueller [this message]
2016-05-26 19:15 ` Sandy Harris
2016-05-27 2:14 ` Theodore Ts'o
2016-05-27 7:08 ` Stephan Mueller
2016-05-27 20:40 ` Jeffrey Walton
2016-06-08 12:21 ` Stephan Mueller
2016-05-28 0:28 ` Aaron Zauner
2016-05-29 19:51 ` Stephan Mueller
2016-05-30 4:08 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4972668.UQ1QRNriDb@positron.chronox.de \
--to=smueller@chronox.de \
--cc=linux-crypto@vger.kernel.org \
--cc=sandyinchina@gmail.com \
--cc=stephan.mueller@atsec.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox