Date: Tue, 7 Aug 2018 14:51:21 -0700
From: Eric Biggers
To: Samuel Neves
Cc: Paul Crowley, "Jason A. Donenfeld", Linux Crypto Mailing List,
    linux-fscrypt@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
    linux-kernel@vger.kernel.org, Herbert Xu, Greg Kaiser, Michael Halcrow,
    tomer.ashur@esat.kuleuven.be, Eric Biggers, "D. J. Bernstein"
Subject: Re: [RFC PATCH 3/9] crypto: chacha20-generic - refactor to allow varying number of rounds
Message-ID: <20180807215121.GB25300@gmail.com>
References: <20180806223300.113891-1-ebiggers@kernel.org> <20180806223300.113891-4-ebiggers@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Aug 07, 2018 at 11:21:04AM +0100, Samuel Neves wrote:
> > The best attack on ChaCha breaks 7 rounds, and that attack requires 2^248 operations.
>
> This number, as far as I can tell, comes from the "New features of
> Latin dances" paper. There have been some minor improvements in the
> intervening 10 years, e.g., [1, 2, 3, 4], which pull back the
> complexity of breaking ChaCha7 down to 2^235. In any case, every
> attack so far appears to hit a wall at 8 rounds, with 12 rounds---the
> recommended eSTREAM round number for Salsa20---seeming to offer a
> reasonable security margin, still somewhat better than that of the
> AES.
>
> Best regards,
> Samuel Neves
>
> [1] https://eprint.iacr.org/2015/698
> [2] https://eprint.iacr.org/2015/217
> [3] https://eprint.iacr.org/2016/1034
> [4] https://doi.org/10.1016/j.dam.2017.04.034

Thanks Samuel, I'll fix that number in the next iteration of the patchset.

- Eric