* or should block size for xts.c set to 1 instead of AES block size? @ 2021-05-07 6:12 Kestrel seventyfour 2021-05-11 15:48 ` Ard Biesheuvel 0 siblings, 1 reply; 5+ messages in thread From: Kestrel seventyfour @ 2021-05-07 6:12 UTC (permalink / raw) To: linux-crypto Hi, one more thought, shouldn't the block size for generic xts set to 1 in order to reflect that any input size length is allowed to the algorithm? Thanks. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: or should block size for xts.c set to 1 instead of AES block size? 2021-05-07 6:12 or should block size for xts.c set to 1 instead of AES block size? Kestrel seventyfour @ 2021-05-11 15:48 ` Ard Biesheuvel 2021-05-11 18:01 ` Mike Brooks 0 siblings, 1 reply; 5+ messages in thread From: Ard Biesheuvel @ 2021-05-11 15:48 UTC (permalink / raw) To: Kestrel seventyfour, Herbert Xu, Eric Biggers; +Cc: Linux Crypto Mailing List On Fri, 7 May 2021 at 08:12, Kestrel seventyfour <kestrelseventyfour@gmail.com> wrote: > > Hi, > > one more thought, shouldn't the block size for generic xts set to 1 in > order to reflect that any input size length is allowed to the > algorithm? > I think this was discussed at some point on the list, and Herbert seemed to suggest that 1 was a better choice than AES_BLOCK_SIZE. You'd have to set the chunksize, though, to ensure that the input is presented in the right granularity, i.e., to ensure that the skcipher walk layer never presents less than chunksize bytes unless it is the end of the input. However, this is a flag day change, so you'd need to update all implementations at the same time. Otherwise, the extended tests (which compare accelerated implementations with xts(ecb(aes-generic))) will start failing on the cra_blocksize mismatch. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: or should block size for xts.c set to 1 instead of AES block size? 2021-05-11 15:48 ` Ard Biesheuvel @ 2021-05-11 18:01 ` Mike Brooks 2021-05-11 19:31 ` Eric Biggers 0 siblings, 1 reply; 5+ messages in thread From: Mike Brooks @ 2021-05-11 18:01 UTC (permalink / raw) To: Ard Biesheuvel Cc: Kestrel seventyfour, Herbert Xu, Eric Biggers, Linux Crypto Mailing List xst(ecb()) can only produce a minimum of AES_BLOCK_SIZE of data - sending in a smaller dataset will still return AES_BLOCK_SIZE of data. If you try and pass in lets say 4 bytes - and then you truncate the response to 4 bytes you'll lose data. Moving to a smaller size is asking for trouble. IMHO. -Michael Brooks On Tue, May 11, 2021 at 8:48 AM Ard Biesheuvel <ardb@kernel.org> wrote: > > On Fri, 7 May 2021 at 08:12, Kestrel seventyfour > <kestrelseventyfour@gmail.com> wrote: > > > > Hi, > > > > one more thought, shouldn't the block size for generic xts set to 1 in > > order to reflect that any input size length is allowed to the > > algorithm? > > > > I think this was discussed at some point on the list, and Herbert > seemed to suggest that 1 was a better choice than AES_BLOCK_SIZE. > You'd have to set the chunksize, though, to ensure that the input is > presented in the right granularity, i.e., to ensure that the skcipher > walk layer never presents less than chunksize bytes unless it is the > end of the input. > > However, this is a flag day change, so you'd need to update all > implementations at the same time. Otherwise, the extended tests (which > compare accelerated implementations with xts(ecb(aes-generic))) will > start failing on the cra_blocksize mismatch. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: or should block size for xts.c set to 1 instead of AES block size? 2021-05-11 18:01 ` Mike Brooks @ 2021-05-11 19:31 ` Eric Biggers 2021-05-14 8:05 ` Herbert Xu 0 siblings, 1 reply; 5+ messages in thread From: Eric Biggers @ 2021-05-11 19:31 UTC (permalink / raw) To: Mike Brooks Cc: Ard Biesheuvel, Kestrel seventyfour, Herbert Xu, Linux Crypto Mailing List On Tue, May 11, 2021 at 11:01:11AM -0700, Mike Brooks wrote: > xst(ecb()) can only produce a minimum of AES_BLOCK_SIZE of data - > sending in a smaller dataset will still return AES_BLOCK_SIZE of data. > If you try and pass in lets say 4 bytes - and then you truncate the > response to 4 bytes you'll lose data. > > Moving to a smaller size is asking for trouble. IMHO. > > -Michael Brooks > > On Tue, May 11, 2021 at 8:48 AM Ard Biesheuvel <ardb@kernel.org> wrote: > > > > On Fri, 7 May 2021 at 08:12, Kestrel seventyfour > > <kestrelseventyfour@gmail.com> wrote: > > > > > > Hi, > > > > > > one more thought, shouldn't the block size for generic xts set to 1 in > > > order to reflect that any input size length is allowed to the > > > algorithm? > > > > > > > I think this was discussed at some point on the list, and Herbert > > seemed to suggest that 1 was a better choice than AES_BLOCK_SIZE. > > You'd have to set the chunksize, though, to ensure that the input is > > presented in the right granularity, i.e., to ensure that the skcipher > > walk layer never presents less than chunksize bytes unless it is the > > end of the input. > > > > However, this is a flag day change, so you'd need to update all > > implementations at the same time. Otherwise, the extended tests (which > > compare accelerated implementations with xts(ecb(aes-generic))) will > > start failing on the cra_blocksize mismatch. Well, the problem is that it isn't well defined what the cra_blocksize property actually means. Depending on the algorithm, it can mean either the minimum input size, the required alignment of the input size, the exact input size that is required (in the case of block ciphers), or the input size that is required by the algorithm's internal compression function (in the case of hashes). "xts" follows the convention of cra_blocksize meaning the "minimum input size", as do "cts" and "adiantum" which have the same constraints on input sizes as "xts". So I'm not sure that changing cra_blocksize for xts to 1 would accomplish anything useful, other than confuse things further. - Eric ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: or should block size for xts.c set to 1 instead of AES block size? 2021-05-11 19:31 ` Eric Biggers @ 2021-05-14 8:05 ` Herbert Xu 0 siblings, 0 replies; 5+ messages in thread From: Herbert Xu @ 2021-05-14 8:05 UTC (permalink / raw) To: Eric Biggers Cc: Mike Brooks, Ard Biesheuvel, Kestrel seventyfour, Linux Crypto Mailing List On Tue, May 11, 2021 at 12:31:17PM -0700, Eric Biggers wrote: > > Well, the problem is that it isn't well defined what the cra_blocksize property > actually means. Depending on the algorithm, it can mean either the minimum > input size, the required alignment of the input size, the exact input size that > is required (in the case of block ciphers), or the input size that is required > by the algorithm's internal compression function (in the case of hashes). > > "xts" follows the convention of cra_blocksize meaning the "minimum input size", > as do "cts" and "adiantum" which have the same constraints on input sizes as > "xts". > > So I'm not sure that changing cra_blocksize for xts to 1 would accomplish > anything useful, other than confuse things further. At this point we can't change the blocksize of cts/xts to 1 without breaking af_alg because it needs to treat them differently than it would for a stream cipher like ctr. But to properly support af_alg on cts/xts we do need to do this. I have a patch-set that adds the final chunk size to do exactly that but I haven't had the time to finish it. Cheers, -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-05-14 8:06 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-05-07 6:12 or should block size for xts.c set to 1 instead of AES block size? Kestrel seventyfour 2021-05-11 15:48 ` Ard Biesheuvel 2021-05-11 18:01 ` Mike Brooks 2021-05-11 19:31 ` Eric Biggers 2021-05-14 8:05 ` Herbert Xu
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).