Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp234563imm; Fri, 19 Oct 2018 22:23:20 -0700 (PDT) X-Google-Smtp-Source: ACcGV61HRW7XyBOeJIsBN+06vdIVUGtYx7JpljbbkAC8p5ycF6oNkXr/YDjuDkNrZ6lWb3sO1+P7 X-Received: by 2002:a63:f848:: with SMTP id v8-v6mr34633999pgj.82.1540013000837; Fri, 19 Oct 2018 22:23:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540013000; cv=none; d=google.com; s=arc-20160816; b=PdKIqdLophPgMu4Eq0MLkAE4ayakORXEtBoKpyCAAtTOz3h7Hd/zjNWzgjYYDtBZ5/ 2dQQYeGT1NdoTwp3PpZ9ywPSYeXnEUNfYF+ouGeB3fxtyOBKlRF9Lu4NYBRdNM5YR4Yi mDoy0cdt/XBGlJG9ZjGgtuHynw+Da4qCrCdAhtKkG1rgQXZ9BGvdecn/Ykfu9ao6auax xGWDC8hC87wi5sspdMQrte0xMB9xHLzUC5nImdPk1q9Dsw6TD1KvYsa/m/Wu9HxVGiIr t8nNQEZ14H5Wi59PxhqfmElYo6/iz2d3wtquXESx2fvhob7n2K7CO5Lk0HGnbeuCS6Ab IMlg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=6ZHFOVxCMIqeHhPMFP6GCcuZLkcg5NoFFZ59p/riEzs=; b=SmKXPlC5miZT9PLNRNryXmx42O+aEvjJbPU7jpwNVuaC6tbkG1gM98vFZp38G5Klg3 PFSo51lI+9AoaHG+tOHnKtGkWPadA/GwasV5/4TylVHrY6H3MGZ8kSD7wFBP0U4W/9sD SBUj80MnGQcHpzkkmdFYhBrVCmWH3MmmYm2oSNzEe7H5HnPM+A/kl0dv+Cn9oeSw/MQl JOFeE7r78VMyQ4DRGFRN/Z6s+5lWSSo4ejg5xOp+idIE1qCFTUZSxTZ77qfmU91eWVVQ V6egFPATb+cmPBvlabyAm4Z/bkrBPtmLxRNjYAndb+MLsxPZCenRKuhiIHFDj+e4N5uY zJjg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=s9fWthk1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s20-v6si25496226pgj.546.2018.10.19.22.22.51; Fri, 19 Oct 2018 22:23:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=s9fWthk1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726733AbeJTNb3 (ORCPT + 99 others); Sat, 20 Oct 2018 09:31:29 -0400 Received: from mail.kernel.org ([198.145.29.99]:33890 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726261AbeJTNb3 (ORCPT ); Sat, 20 Oct 2018 09:31:29 -0400 Received: from sol.localdomain (c-67-185-97-198.hsd1.wa.comcast.net [67.185.97.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 8C3CC21470; Sat, 20 Oct 2018 05:22:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1540012937; bh=WixgDl4BGmZqzJbcrG9/N6ODb7AoJJt002idaFzIYr0=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=s9fWthk1FNNuBNkc76ttHOfFqABpp2j7znJ2qYhjEag7dvM3kqItY3bk4eYOfMyuz tnQOpx4UAH3uuXBJJ8vKoa8CJ6/M4CD0w1uYwNp3dB/kGGWhrHeCnUOgXK7gt7CRMz hhYI4wh3SCoa5MOHchY5lb8MeCiYIWafNcJ8MR8g= Date: Fri, 19 Oct 2018 22:22:16 -0700 From: Eric Biggers To: Ard Biesheuvel Cc: Paul Crowley , "Jason A. Donenfeld" , "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" , linux-fscrypt@vger.kernel.org, linux-arm-kernel , Linux Kernel Mailing List , Herbert Xu , Greg Kaiser , Michael Halcrow , Samuel Neves , Tomer Ashur Subject: Re: [RFC PATCH v2 00/12] crypto: Adiantum support Message-ID: <20181020052215.GA876@sol.localdomain> References: <20181015175424.97147-1-ebiggers@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Ard, On Sat, Oct 20, 2018 at 11:24:05AM +0800, Ard Biesheuvel wrote: > On 20 October 2018 at 02:19, Paul Crowley wrote: > > On Fri, 19 Oct 2018 at 08:58, Jason A. Donenfeld wrote: > >> Before merging this into the kernel, do you want to wait until you've > >> received some public review from academia? > > > > I would prefer not to wait. Unlike a new primitive whose strength can > > only be known through attempts at cryptanalysis, Adiantum is a > > construction based on > > well-understood and trusted primitives; it is secure if the proof > > accompanying it is correct. Given that (outside competitions or > > standardization efforts) no-one ever issues public statements that > > they think algorithms or proofs are good, what I'm expecting from > > academia is silence :) The most we could hope for would be getting the > > paper accepted at a conference, and we're pursuing that but there's a > > good chance that won't happen simply because it's not very novel. It > > basically takes existing ideas and applies them using a stream cipher > > instead of a block cipher, and a faster hashing mode; it's also a > > small update from HPolyC. I've had some private feedback that the > > proof seems correct, and that's all I'm expecting to get. > > Hi Paul, Eric, > > The Adiantum paper claims > > "On an ARM Cortex-A7 processor, Adiantum decrypts 4096-byte messages > at 11 cycles per byte, five times faster than AES-256-XTS, with a > constant-time implementation." > > which is surprising to me. The bit slicing NEON AES core runs at ~14 > cycle per byte on a Cortex-A15 (when encrypting), so 55 cycles per > byte on A7 sounds rather high. Is it really that bad? Yes, it's really that slow, maybe because the NEON unit on Cortex-A7 isn't very good. Our figures are shown in the performance table in section 4. Note that the abstract is talking about AES-256-XTS. AES-128-XTS is ~27% faster. You can also reproduce our performance results using our userspace benchmark program from https://github.com/google/adiantum/tree/master/benchmark. It uses a copy of aes-neonbs-core.S from the kernel source tree. > > Also, the paper mentions that the second hash pass and the stream > cipher en/decryption pass could be executed in parallel, while your > implementation performs three distinct passes. Do you have any > estimates on the potential performance gain of implementing that? In > my experience (which is mostly A53 rather than A7 based, mind you), > removing memory accesses can help tremendously to speed up the > execution on low end cores. As a quick hack, on Cortex-A7 I timed "NH" without loading the message words. It became about 10% faster. My NEON-accelerated NH is already only about 1.3 cpb, so that means in theory not having to reload the message words would save ~0.13 cpb... But Adiantum as a whole is ~11 cpb, so that suggests the improvement would be only a bit over 1%. Maybe it could actually be better (for example, not having to map the pages again could save a lot), but in practice considering the increased complexity as well as that probably there wouldn't actually be enough registers to do everything efficiently, it seemed it would cause far too much trouble to bother yet (at least for the Linux kernel implementation; a two-pass implementation could still be useful elsewhere, of course). - Eric