public inbox for linux-kernel@vger.kernel.org
From: Eric Biggers <ebiggers@kernel.org>
To: Aaron Toponce <aaron.toponce@gmail.com>
Cc: Theodore Ts'o <tytso@mit.edu>,
	"Jason A. Donenfeld" <Jason@zx2c4.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: Re: [PATCH] random: add chacha8_block and swtich the rng to it
Date: Mon, 29 Apr 2024 20:11:05 -0700
Message-ID: <20240430031105.GA10165@sol.localdomain>
In-Reply-To: <20240429134942.2873253-1-aaron.toponce@gmail.com>

On Mon, Apr 29, 2024 at 07:48:49AM -0600, Aaron Toponce wrote:
> According to Jean-Philippe Aumasson in his paper "Too Much Crypto" [1]:
> 
> > "The best result on ChaCha is a key recovery attack on the 7-round version
> > with 2^237.7 time complexity using output data from 2^96 instances of ChaCha,
> > that is, 2^105 bytes of data."
> 
> He then proposes that ChaCha use 8 rounds instead of 20, providing a 2.5x
> speed-up. As such, this patch adds chacha8_block and chacha12_block and switches
> the RNG from ChaCha20 to ChaCha8 to take advantage of that efficiency without
> sacrificing security.
> 

I don't think there is consensus on ChaCha8 being recommended.  Adiantum uses
ChaCha12, but even that received some pushback.

The Linux RNG is also usually used only for small amounts of data, and its
security (and the perception of its security) is extremely important.

So just staying with ChaCha20 seems appropriate.

Note also that currently the Linux RNG is using a portable C implementation of
ChaCha20.  If there is actually a desire to accelerate large reads (which again,
aren't the main use case of the Linux RNG), it would be possible to use a SIMD
implementation of ChaCha20, which already exists in the kernel.  That would
speed up ChaCha20 by roughly 2-5x depending on the CPU.

- Eric

Thread overview: 11+ messages
2024-04-29 13:48 [PATCH] random: add chacha8_block and swtich the rng to it Aaron Toponce
2024-04-30  3:11 ` Eric Biggers [this message]
2024-04-30  4:41   ` Aaron Toponce
2024-04-30 16:26     ` Theodore Ts'o
2024-04-30 16:44       ` Aaron Toponce
2024-05-01  2:22         ` Theodore Ts'o
2024-05-01 12:38           ` Jean-Philippe Aumasson
2024-05-01 14:02             ` Aaron Toponce
2024-05-01 12:21 ` Jason A. Donenfeld
2024-05-02 13:41   ` Aaron Toponce
2024-05-08  7:41 ` kernel test robot
