From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Paul Crowley <paulcrowley@google.com>
Cc: ebiggers@kernel.org, linux-crypto@vger.kernel.org,
linux-fscrypt@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
Greg Kaiser <gkaiser@google.com>,
Michael Halcrow <mhalcrow@google.com>,
samuel.c.p.neves@gmail.com, tomer.ashur@esat.kuleuven.be,
Eric Biggers <ebiggers@google.com>,
djb@cr.yp.to
Subject: Re: [RFC PATCH 3/9] crypto: chacha20-generic - refactor to allow varying number of rounds
Date: Mon, 6 Aug 2018 20:15:43 -0400 [thread overview]
Message-ID: <CAHmME9o6XQ+16d4b8+BiQViSiOOApi-J_ML2UOOBpTN8hV3iVA@mail.gmail.com> (raw)
In-Reply-To: <CA+_SqcD+KpQ_X6iXUCpQh0N6pWzBorstBJDx7eBqcybY4Dvy8Q@mail.gmail.com>
Hi Paul,
On 8/6/18, Paul Crowley <paulcrowley@google.com> wrote:
> Salsa20 was one of the earlier ARX proposals, and set a very
> conservative number of rounds as befits our state of knowledge at the
> time. Since then we've learned a lot more about cryptanalysis of such
> offerings, and I think we can be comfortable with fewer rounds. The
> best attack on ChaCha breaks 7 rounds, and that attack requires 2^248
> operations. Every round of ChaCha makes attacks vastly harder.
I'm well aware of that, which is why I mentioned that ChaCha12
_probably_ has an adequate security. My primary concerns are a bit
different actually from where you're going - that it breaks from
what's becoming a pretty widely accepted "norm" and, more importantly,
that it increases implementation complexity. These aren't really
drastic concerns, but I am in earnest wondering the type of hardware
analysis you did to determine that you really do need the 12-speedup.
What's the practical landscape out there look like? What disk speeds
were too low for which specific kind of Android usage on which
particular hardware? Did you hit the bottlenecks when paging for code
or when filling up caches when writing asynchronously? And for how
much longer do you foresee underpowered hardware like that being a not
insignificant part of the market? I'm especially curious to know
because ostensibly at Google you have all sorts metrics regarding that
kind of thing.
Jason
next prev parent reply other threads:[~2018-08-07 0:15 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-06 22:32 [RFC PATCH 0/9] crypto: HPolyC support Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 1/9] crypto: chacha20-generic - add HChaCha20 library function Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 2/9] crypto: chacha20-generic - add XChaCha20 support Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 3/9] crypto: chacha20-generic - refactor to allow varying number of rounds Eric Biggers
2018-08-06 23:16 ` Jason A. Donenfeld
2018-08-06 23:48 ` Paul Crowley
2018-08-07 0:15 ` Jason A. Donenfeld [this message]
2018-08-07 1:06 ` Paul Crowley
2018-08-07 10:21 ` Samuel Neves
2018-08-07 21:51 ` Eric Biggers
2018-08-08 0:15 ` Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 4/9] crypto: chacha - add XChaCha12 support Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 5/9] crypto: arm/chacha20 - add XChaCha20 support Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 6/9] crypto: arm/chacha20 - refactor to allow varying number of rounds Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 7/9] crypto: arm/chacha - add XChaCha12 support Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 8/9] crypto: arm/poly1305 - add NEON accelerated Poly1305 implementation Eric Biggers
2018-08-07 12:09 ` Ard Biesheuvel
2018-08-07 23:19 ` Eric Biggers
2018-08-22 10:00 ` Ard Biesheuvel
2018-08-06 22:33 ` [RFC PATCH 9/9] crypto: hpolyc - add support for the HPolyC encryption mode Eric Biggers
2018-08-06 23:04 ` [PATCH] crypto: remove speck Jason A. Donenfeld
2018-08-07 1:03 ` Jeffrey Walton
2018-08-07 20:18 ` Eric Biggers
2018-08-07 1:19 ` Eric Biggers
2018-08-07 2:38 ` Jason A. Donenfeld
2018-08-07 3:12 ` Eric Biggers
2018-08-07 3:15 ` Theodore Y. Ts'o
2018-08-07 12:51 ` Ard Biesheuvel
2018-08-07 6:22 ` [PATCH v2] crypto: remove Speck Jason A. Donenfeld
2018-08-07 6:57 ` Ard Biesheuvel
2018-09-04 4:55 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHmME9o6XQ+16d4b8+BiQViSiOOApi-J_ML2UOOBpTN8hV3iVA@mail.gmail.com \
--to=jason@zx2c4.com \
--cc=djb@cr.yp.to \
--cc=ebiggers@google.com \
--cc=ebiggers@kernel.org \
--cc=gkaiser@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mhalcrow@google.com \
--cc=paulcrowley@google.com \
--cc=samuel.c.p.neves@gmail.com \
--cc=tomer.ashur@esat.kuleuven.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).