From: Samuel Neves
Date: Tue, 7 Aug 2018 11:21:04 +0100
Subject: Re: [RFC PATCH 3/9] crypto: chacha20-generic - refactor to allow varying number of rounds
To: Paul Crowley
Cc: "Jason A. Donenfeld", ebiggers@kernel.org, Linux Crypto Mailing List, linux-fscrypt@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Herbert Xu, Greg Kaiser, Michael Halcrow, tomer.ashur@esat.kuleuven.be, Eric Biggers, "D. J. Bernstein"
References: <20180806223300.113891-1-ebiggers@kernel.org> <20180806223300.113891-4-ebiggers@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

> The best attack on ChaCha breaks 7 rounds, and that attack requires 2^248 operations.

This number, as far as I can tell, comes from the "New features of Latin dances" paper. There have been some minor improvements in the intervening 10 years, e.g., [1, 2, 3, 4], which pull back the complexity of breaking ChaCha7 down to 2^235. In any case, every attack so far appears to hit a wall at 8 rounds, with 12 rounds---the recommended eSTREAM round number for Salsa20---seeming to offer a reasonable security margin, still somewhat better than that of the AES.

Best regards,
Samuel Neves

[1] https://eprint.iacr.org/2015/698
[2] https://eprint.iacr.org/2015/217
[3] https://eprint.iacr.org/2016/1034
[4] https://doi.org/10.1016/j.dam.2017.04.034
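
For readers following the round counts discussed in this message (ChaCha7, 8, 12, 20), the sketch below shows what the round parameter controls in the ChaCha block function. It is an added example, not code from the patch, the kernel, or any participant in the thread; `chacha_block` and `chacha_first_word` are hypothetical names, and the input state is the RFC 7539 section 2.3.2 test vector.

```c
#include <stdint.h>
#include <string.h>

static uint32_t rotl32(uint32_t v, int n)
{
	return (v << n) | (v >> (32 - n));
}

/* ChaCha quarter-round on four words of the working state. */
#define QR(a, b, c, d) do {				\
	a += b; d ^= a; d = rotl32(d, 16);		\
	c += d; b ^= c; b = rotl32(b, 12);		\
	a += b; d ^= a; d = rotl32(d, 8);		\
	c += d; b ^= c; b = rotl32(b, 7);		\
} while (0)

/*
 * Run nrounds rounds (odd counts such as 7 are allowed, as in the
 * reduced-round variants studied in the literature), then add the input.
 * The keystream block is the little-endian serialization of out[].
 */
int chacha_block(const uint32_t state[16], uint32_t out[16], int nrounds)
{
	uint32_t x[16];
	int i;

	if (nrounds < 0)
		return -1;
	memcpy(x, state, sizeof(x));
	for (i = 0; i < nrounds; i++) {
		if ((i & 1) == 0) {	/* rounds 1, 3, 5, ...: columns */
			QR(x[0], x[4], x[8], x[12]); QR(x[1], x[5], x[9], x[13]);
			QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
		} else {		/* rounds 2, 4, 6, ...: diagonals */
			QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
			QR(x[2], x[7], x[8], x[13]); QR(x[3], x[4], x[9], x[14]);
		}
	}
	for (i = 0; i < 16; i++)
		out[i] = x[i] + state[i];	/* feed-forward of the input */
	return 0;
}

/* First output word for the RFC 7539 section 2.3.2 input state. */
uint32_t chacha_first_word(int nrounds)
{
	static const uint32_t st[16] = {
		0x61707865, 0x3320646e, 0x79622d32, 0x6b206574, /* constants */
		0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c, /* key */
		0x13121110, 0x17161514, 0x1b1a1918, 0x1f1e1d1c,
		0x00000001, 0x09000000, 0x4a000000, 0x00000000, /* ctr, nonce */
	};
	uint32_t out[16];

	return chacha_block(st, out, nrounds) ? 0 : out[0];
}
```

With `nrounds` set to 20 this reproduces the RFC 7539 block output; with 0 rounds the output is just the input added to itself, which is why the permutation depth is the entire source of the cipher's strength.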