2021-05-07 06:43:53

by Daniel Kestrel

[permalink] [raw]
Subject: or should block size for xts.c set to 1 instead of AES block size?

Hi,

one more thought, shouldn't the block size for generic xts set to 1 in
order to reflect that any input size length is allowed to the
algorithm?

Thanks.


2021-05-11 15:49:23

by Ard Biesheuvel

[permalink] [raw]
Subject: Re: or should block size for xts.c set to 1 instead of AES block size?

On Fri, 7 May 2021 at 08:12, Kestrel seventyfour
<[email protected]> wrote:
>
> Hi,
>
> one more thought, shouldn't the block size for generic xts set to 1 in
> order to reflect that any input size length is allowed to the
> algorithm?
>

I think this was discussed at some point on the list, and Herbert
seemed to suggest that 1 was a better choice than AES_BLOCK_SIZE.
You'd have to set the chunksize, though, to ensure that the input is
presented in the right granularity, i.e., to ensure that the skcipher
walk layer never presents less than chunksize bytes unless it is the
end of the input.

However, this is a flag day change, so you'd need to update all
implementations at the same time. Otherwise, the extended tests (which
compare accelerated implementations with xts(ecb(aes-generic))) will
start failing on the cra_blocksize mismatch.

2021-05-11 18:02:48

by Mike Brooks

[permalink] [raw]
Subject: Re: or should block size for xts.c set to 1 instead of AES block size?

xst(ecb()) can only produce a minimum of AES_BLOCK_SIZE of data -
sending in a smaller dataset will still return AES_BLOCK_SIZE of data.
If you try and pass in lets say 4 bytes - and then you truncate the
response to 4 bytes you'll lose data.

Moving to a smaller size is asking for trouble. IMHO.

-Michael Brooks

On Tue, May 11, 2021 at 8:48 AM Ard Biesheuvel <[email protected]> wrote:
>
> On Fri, 7 May 2021 at 08:12, Kestrel seventyfour
> <[email protected]> wrote:
> >
> > Hi,
> >
> > one more thought, shouldn't the block size for generic xts set to 1 in
> > order to reflect that any input size length is allowed to the
> > algorithm?
> >
>
> I think this was discussed at some point on the list, and Herbert
> seemed to suggest that 1 was a better choice than AES_BLOCK_SIZE.
> You'd have to set the chunksize, though, to ensure that the input is
> presented in the right granularity, i.e., to ensure that the skcipher
> walk layer never presents less than chunksize bytes unless it is the
> end of the input.
>
> However, this is a flag day change, so you'd need to update all
> implementations at the same time. Otherwise, the extended tests (which
> compare accelerated implementations with xts(ecb(aes-generic))) will
> start failing on the cra_blocksize mismatch.

2021-05-11 19:32:34

by Eric Biggers

[permalink] [raw]
Subject: Re: or should block size for xts.c set to 1 instead of AES block size?

On Tue, May 11, 2021 at 11:01:11AM -0700, Mike Brooks wrote:
> xst(ecb()) can only produce a minimum of AES_BLOCK_SIZE of data -
> sending in a smaller dataset will still return AES_BLOCK_SIZE of data.
> If you try and pass in lets say 4 bytes - and then you truncate the
> response to 4 bytes you'll lose data.
>
> Moving to a smaller size is asking for trouble. IMHO.
>
> -Michael Brooks
>
> On Tue, May 11, 2021 at 8:48 AM Ard Biesheuvel <[email protected]> wrote:
> >
> > On Fri, 7 May 2021 at 08:12, Kestrel seventyfour
> > <[email protected]> wrote:
> > >
> > > Hi,
> > >
> > > one more thought, shouldn't the block size for generic xts set to 1 in
> > > order to reflect that any input size length is allowed to the
> > > algorithm?
> > >
> >
> > I think this was discussed at some point on the list, and Herbert
> > seemed to suggest that 1 was a better choice than AES_BLOCK_SIZE.
> > You'd have to set the chunksize, though, to ensure that the input is
> > presented in the right granularity, i.e., to ensure that the skcipher
> > walk layer never presents less than chunksize bytes unless it is the
> > end of the input.
> >
> > However, this is a flag day change, so you'd need to update all
> > implementations at the same time. Otherwise, the extended tests (which
> > compare accelerated implementations with xts(ecb(aes-generic))) will
> > start failing on the cra_blocksize mismatch.

Well, the problem is that it isn't well defined what the cra_blocksize property
actually means. Depending on the algorithm, it can mean either the minimum
input size, the required alignment of the input size, the exact input size that
is required (in the case of block ciphers), or the input size that is required
by the algorithm's internal compression function (in the case of hashes).

"xts" follows the convention of cra_blocksize meaning the "minimum input size",
as do "cts" and "adiantum" which have the same constraints on input sizes as
"xts".

So I'm not sure that changing cra_blocksize for xts to 1 would accomplish
anything useful, other than confuse things further.

- Eric

2021-05-14 10:10:27

by Herbert Xu

[permalink] [raw]
Subject: Re: or should block size for xts.c set to 1 instead of AES block size?

On Tue, May 11, 2021 at 12:31:17PM -0700, Eric Biggers wrote:
>
> Well, the problem is that it isn't well defined what the cra_blocksize property
> actually means. Depending on the algorithm, it can mean either the minimum
> input size, the required alignment of the input size, the exact input size that
> is required (in the case of block ciphers), or the input size that is required
> by the algorithm's internal compression function (in the case of hashes).
>
> "xts" follows the convention of cra_blocksize meaning the "minimum input size",
> as do "cts" and "adiantum" which have the same constraints on input sizes as
> "xts".
>
> So I'm not sure that changing cra_blocksize for xts to 1 would accomplish
> anything useful, other than confuse things further.

At this point we can't change the blocksize of cts/xts to 1 without
breaking af_alg because it needs to treat them differently than it
would for a stream cipher like ctr.

But to properly support af_alg on cts/xts we do need to do this.
I have a patch-set that adds the final chunk size to do exactly
that but I haven't had the time to finish it.

Cheers,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt