From: Jean-Philippe Aumasson
Date: Wed, 1 May 2024 14:38:52 +0200
Subject: Re: [PATCH] random: add chacha8_block and swtich the rng to it
To: "Theodore Ts'o"
Cc: Aaron Toponce, Eric Biggers, "Jason A. Donenfeld", Herbert Xu, "David S. Miller", linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org
References: <20240429134942.2873253-1-aaron.toponce@gmail.com> <20240430031105.GA10165@sol.localdomain> <20240430162632.GA1924352@mit.edu> <20240501022201.GD1743554@mit.edu>
In-Reply-To: <20240501022201.GD1743554@mit.edu>

My 2 cents:

As a cryptanalyst, having discovered the 2008 attack on ChaCha that's only been slightly improved in 16 years: the 20-round ChaCha20 is a clear waste of CPU cycles, but ChaCha8 is admittedly risky, though more in terms of PR than pure crypto merits (plus, afaiu the threat model of ChaCha in the Linux PRNG doesn't allow the kind of chosen-IV "attack" known to work on reduced-round versions).

Switching from ChaCha20 to ChaCha12 might still raise eyebrows but I don't think any respectable crypto/security expert will suspect a Jia Tan situation.

On Wed, May 1, 2024 at 2:28 PM Theodore Ts'o wrote:
>
> So first of all, my apologies for giving you offense. I really didn't
> think you were a shill for the NSA or the MSS, but I have to admit
> that when I get a large set of patches which removes "unnecessary" code,
> which is _technically_ safe, but which reduces the safety margin, I
> find myself wondering whether it's part of a binary payload. (This is
> especially when I get patches from someone that I don't normally
> receive patches from.) Unfortunately, in the wake of the xz hack,
> we're just all going to have to be a lot more careful.
>
> On Tue, Apr 30, 2024 at 10:44:09AM -0600, Aaron Toponce wrote:
> >
> > The goal is just to make the CSPRNG more efficient without sacrificing security.
> > Of course most reads will be small for cryptographic keys. ChaCha8 means even
> > those small reads will be 2.5x more efficient than ChaCha20. The dd(1) example
> > was just to demonstrate the efficiency, not to be "fun".
>
> This is a philosophical question; are we going for maximum efficiency,
> or maximum safety so long as it meets the performance requirements for
> the intended use case? From an academic perspective, or if a
> cryptographer is designing a cipher for a NIST competition, there's a
> strong desire for maximum efficiency, since that's one of the metrics
> used in the competition. But for the Linux RNG, my bias is to go for
> safety, since we're not competing on who can do the fast bulk
> encryption, but "sufficiently fast for keygen".
>
> People of good will can disagree on what the approach should be. I
> tend to have much of a pragmatic engineer's perspective. It's been
> said that the Empire State Building is overbuilt by a factor of 10,
> but that doesn't bother me. People are now saying that perhaps the
> Francis Scott Key bridge, when it is rebuilt, should have more safety
> margin, since container ships have gotten so much bigger. (And
> apparently, cheap sh*t diesel fuel that is contaminated and the ship
> owners buy fuel from the lowest bidder.)
>
> Or we can talk about how Boeing has been trying to cheap-out on plane
> manufacturing to save $$$; but I think you get the point of where I'm
> coming from. I'm not a big fan of trimming safety margins and making
> things more efficient for its own sake. (At least in the case of
> Boeing, the CEO at least got paid $22 million a year, so at least
> there's that. :-)
>
> Now, if this is actually impacting the TLS connection termination for
> a Facebook or Bing or Google's front end web server, then great, we
> can try to optimize it. But if it's not a bottleneck, what's the
> point? Making change for change's sake, especially when it's reducing
> safety margins, is just one of those things that I find really hard to
> get excited about.
>
> Cheers,
>
> - Ted
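Added example, not part of the thread and not the kernel's code: a round-count-parameterized ChaCha block function in C, to make concrete what the ChaCha8 / ChaCha12 / ChaCha20 argument above is about. Every two rounds are one column round plus one diagonal round over the same 16-word state, so the only difference between the three variants is how many times that loop runs (4, 6 or 10); the state setup, the feed-forward addition and the output stores are identical and independent of the round count, which is why a timer shows somewhat less than the 20/8 = 2.5x ratio of round counts. The 20-round case is checked against the ChaCha20 block-function test vector of RFC 8439 section 2.3.2, so a mistake in the round loop would be caught; the 8- and 12-round outputs are the same function stopped early. Assumptions: the RFC 8439 state layout (32-bit block counter, 96-bit nonce) rather than the kernel's own state handling (the kernel's generic implementation in lib/crypto/chacha.c already takes the round count as an argument, but nothing here is copied from it), and an all-zero key plus a three-way timing loop in main() that are constructed for illustration only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))

/* RFC 8439 section 2.1 quarter round on state words a, b, c, d. */
static void chacha_qr(uint32_t x[16], int a, int b, int c, int d)
{
	x[a] += x[b]; x[d] ^= x[a]; x[d] = ROTL32(x[d], 16);
	x[c] += x[d]; x[b] ^= x[c]; x[b] = ROTL32(x[b], 12);
	x[a] += x[b]; x[d] ^= x[a]; x[d] = ROTL32(x[d], 8);
	x[c] += x[d]; x[b] ^= x[c]; x[b] = ROTL32(x[b], 7);
}

/* Runs one quarter round on (a, b, c, d); returns 1 if the result is (ea, eb, ec, ed). */
int chacha_qr_check(uint32_t a, uint32_t b, uint32_t c, uint32_t d,
		    uint32_t ea, uint32_t eb, uint32_t ec, uint32_t ed)
{
	uint32_t x[16] = { a, b, c, d };
	chacha_qr(x, 0, 1, 2, 3);
	return x[0] == ea && x[1] == eb && x[2] == ec && x[3] == ed;
}

static uint32_t load32_le(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void store32_le(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* RFC 8439 state layout: 4 constant words, 8 key words, 32-bit block counter, 96-bit nonce. */
void chacha_init(uint32_t st[16], const uint8_t key[32], uint32_t counter, const uint8_t nonce[12])
{
	const uint8_t *sigma = (const uint8_t *)"expand 32-byte k";
	int i;
	for (i = 0; i < 4; i++)
		st[i] = load32_le(sigma + 4 * i);
	for (i = 0; i < 8; i++)
		st[4 + i] = load32_le(key + 4 * i);
	st[12] = counter;
	for (i = 0; i < 3; i++)
		st[13 + i] = load32_le(nonce + 4 * i);
}

/* One 64-byte block. Each loop iteration is a column round plus a diagonal round, so the work is
 * linear in 'rounds': ChaCha8 iterates 4 times, ChaCha12 6, ChaCha20 10. Odd or non-positive counts return -1. */
int chacha_block(uint8_t out[64], const uint32_t in[16], int rounds)
{
	uint32_t x[16];
	int i;
	if (rounds <= 0 || rounds % 2)
		return -1;
	memcpy(x, in, sizeof x);
	for (i = 0; i < rounds; i += 2) {
		chacha_qr(x, 0, 4, 8, 12);  chacha_qr(x, 1, 5, 9, 13);   /* column round */
		chacha_qr(x, 2, 6, 10, 14); chacha_qr(x, 3, 7, 11, 15);
		chacha_qr(x, 0, 5, 10, 15); chacha_qr(x, 1, 6, 11, 12);  /* diagonal round */
		chacha_qr(x, 2, 7, 8, 13);  chacha_qr(x, 3, 4, 9, 14);
	}
	for (i = 0; i < 16; i++)
		store32_le(out + 4 * i, x[i] + in[i]);   /* feed-forward: add the input state back in */
	return 0;
}

/* Block for the RFC 8439 section 2.3.2 inputs (key 00..1f, counter 1, nonce 00 00 00 09 00 00 00 4a 00 00 00 00)
 * at the given round count; compares bytes [off, off + n) with 'expect'. 1 = match, 0 = mismatch, -1 = bad round count. */
int chacha_rfc8439_check(int rounds, size_t off, const uint8_t *expect, size_t n)
{
	static const uint8_t nonce[12] = { 0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0 };
	uint8_t key[32], out[64];
	uint32_t st[16];
	int i;
	for (i = 0; i < 32; i++)
		key[i] = (uint8_t)i;
	chacha_init(st, key, 1, nonce);
	if (chacha_block(out, st, rounds) < 0)
		return -1;
	return memcmp(out + off, expect, n) == 0;
}

int main(void)
{
	uint8_t key[32] = { 0 }, nonce[12] = { 0 }, out[64], acc = 0;   /* constructed all-zero inputs: timing only */
	uint32_t st[16];
	const int rounds[3] = { 20, 12, 8 }, nblocks = 1 << 18;   /* 16 MiB of keystream per round count */
	double secs[3];
	int r, i;
	chacha_init(st, key, 0, nonce);
	for (r = 0; r < 3; r++) {
		clock_t t0 = clock();
		for (i = 0; i < nblocks; i++) {
			st[12] = (uint32_t)i;                /* only the counter changes between blocks */
			chacha_block(out, st, rounds[r]);
			acc ^= out[0];                       /* keeps the compiler from dropping the work */
		}
		secs[r] = (double)(clock() - t0) / CLOCKS_PER_SEC;
		printf("ChaCha%-2d: %.3f s, %.2fx the ChaCha20 time (byte %02x)\n", rounds[r], secs[r],
		       secs[0] > 0 ? secs[r] / secs[0] : 0.0, acc);
	}
	return 0;
}
```

Build and run with something like `cc -O2 -o chacha_rounds chacha_rounds.c && ./chacha_rounds` (file name is arbitrary). The timing is single-core clock() time, enough to see that the ratio between ChaCha8 and ChaCha20 tracks the 4:10 ratio of double rounds minus the fixed per-block cost, not a benchmark of any kernel code path; the kernel's own per-read overhead (locking, key erasure, copy-out) is on top of this and shrinks the visible gain further for the small reads Ted and Aaron discuss.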