From: "Jason A. Donenfeld"
Date: Mon, 6 Aug 2018 20:15:43 -0400
Subject: Re: [RFC PATCH 3/9] crypto: chacha20-generic - refactor to allow varying number of rounds
To: Paul Crowley
Cc: ebiggers@kernel.org, linux-crypto@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Herbert Xu, Greg Kaiser, Michael Halcrow, samuel.c.p.neves@gmail.com, tomer.ashur@esat.kuleuven.be, Eric Biggers, djb@cr.yp.to
References: <20180806223300.113891-1-ebiggers@kernel.org> <20180806223300.113891-4-ebiggers@kernel.org>

Hi Paul,

On 8/6/18, Paul Crowley wrote:
> Salsa20 was one of the earlier ARX proposals, and set a very
> conservative number of rounds as befits our state of knowledge at the
> time. Since then we've learned a lot more about cryptanalysis of such
> offerings, and I think we can be comfortable with fewer rounds. The
> best attack on ChaCha breaks 7 rounds, and that attack requires 2^248
> operations. Every round of ChaCha makes attacks vastly harder.

I'm well aware of that, which is why I mentioned that ChaCha12
_probably_ has an adequate security. My primary concerns are a bit
different actually from where you're going - that it breaks from what's
becoming a pretty widely accepted "norm" and, more importantly, that it
increases implementation complexity. These aren't really drastic
concerns, but I am in earnest wondering the type of hardware analysis
you did to determine that you really do need the 12-speedup.
What's the practical landscape out there look like? What disk speeds
were too low for which specific kind of Android usage on which
particular hardware? Did you hit the bottlenecks when paging for code or
when filling up caches when writing asynchronously? And for how much
longer do you foresee underpowered hardware like that being a not
insignificant part of the market? I'm especially curious to know because
ostensibly at Google you have all sorts of metrics regarding that kind
of thing.

Jason
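
Added illustration, not code from the patch series or from either participant: a ChaCha block function in C that takes the round count as a parameter, showing what "varying number of rounds" amounts to in the core permutation. The RFC 7539 state layout, the names `chacha_block` and `demo_word`, and the demo input are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) do {                                                   \
        a += b; d ^= a; d = ROTL32(d, 16); c += d; b ^= c; b = ROTL32(b, 12); \
        a += b; d ^= a; d = ROTL32(d, 8);  c += d; b ^= c; b = ROTL32(b, 7);  \
    } while (0)

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* One 64-byte block as 16 words (RFC 7539 layout, an assumption here). */
/* nrounds is the only ChaCha8/12/20 difference; other values return -1. */
int chacha_block(uint32_t out[16], const uint8_t key[32], uint32_t counter,
                 const uint8_t nonce[12], int nrounds)
{
    uint32_t in[16], x[16];
    if (nrounds != 8 && nrounds != 12 && nrounds != 20) return -1;
    in[0] = 0x61707865; in[1] = 0x3320646e;   /* "expand 32-byte k" */
    in[2] = 0x79622d32; in[3] = 0x6b206574;
    for (int i = 0; i < 8; i++) in[4 + i] = load_le32(key + 4 * i);
    in[12] = counter;
    for (int i = 0; i < 3; i++) in[13 + i] = load_le32(nonce + 4 * i);
    memcpy(x, in, sizeof(x));
    for (int i = 0; i < nrounds; i += 2) {    /* one double round per pass */
        QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);   /* columns */
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);  /* diagonals */
        QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
    for (int i = 0; i < 16; i++) out[i] = x[i] + in[i];   /* feed-forward */
    return 0;
}

/* Constructed demo: RFC 7539 sec. 2.3.2 key/nonce/counter; 0 if rounds rejected. */
uint32_t demo_word(int nrounds, int idx)
{
    uint8_t key[32], nonce[12] = {0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0};
    uint32_t out[16] = {0};
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)i;
    chacha_block(out, key, 1, nonce, nrounds);
    return out[idx];
}

int main(void) { printf("%08x\n", (unsigned)demo_word(20, 0)); return 0; }
```

With 20 rounds the demo input reproduces the RFC 7539 block-function test vector; with 12 rounds the same code yields a different keystream, so the two variants are not interoperable.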