From: "Jason A. Donenfeld" Subject: Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF Date: Fri, 16 Dec 2016 21:39:54 +0100 Message-ID: References: <20161216034618.28276.qmail@ns.sciencehorizons.net> Reply-To: kernel-hardening@lists.openwall.com Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Cc: George Spelvin , Andi Kleen , David Miller , David Laight , Eric Biggers , Hannes Frederic Sowa , kernel-hardening@lists.openwall.com, Linux Crypto Mailing List , LKML , Andy Lutomirski , Netdev , Tom Herbert , Linus Torvalds , "Theodore Ts'o" , Vegard Nossum , "Daniel J . Bernstein" To: Jean-Philippe Aumasson Return-path: List-Post: List-Help: List-Unsubscribe: List-Subscribe: In-Reply-To: List-Id: linux-crypto.vger.kernel.org Hi JP, On Fri, Dec 16, 2016 at 2:22 PM, Jean-Philippe Aumasson wrote: > It needs some basic security review, which I'll try do next week (check for > security margin, optimality of rotation counts, etc.). But after a lot of > experience with this kind of construction (BLAKE, SipHash, NORX), I'm > confident it will be safe as it is. I've implemented it in my siphash kernel branch: https://git.zx2c4.com/linux-dev/log/?h=siphash It's the commit that has "HalfSipHash" in the log message. As the structure is nearly identical to SipHash, there wasn't a lot to change, and so the same implementation strategy exists for each. When you've finished your security review and feel good about it, some test vectors using the same formula (key={0x03020100, 07060504}, input={0x0, 0x1, 0x2, 0x3...}, output=test_vectors) would be nice for verification. Jason