From: Hannes Frederic Sowa
Subject: Re: Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF
Date: Fri, 16 Dec 2016 22:15:23 +0100
Message-ID: <1481922923.2204853.821591377.2CD623CB@webmail.messagingengine.com>
Reply-To: kernel-hardening@lists.openwall.com
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: "Jason A. Donenfeld", kernel-hardening@lists.openwall.com, "Theodore Ts'o", George Spelvin, Andi Kleen, David Miller, David Laight, "Daniel J . Bernstein", Eric Biggers, "Jean-Philippe Aumasson", Linux Crypto Mailing List, LKML, Andy Lutomirski, Netdev, Tom Herbert, Linus Torvalds, Vegard Nossum
List-Id: linux-crypto.vger.kernel.org

On Fri, Dec 16, 2016, at 22:01, Jason A. Donenfeld wrote:
> Yes, on x86-64. But on i386 chacha20 incurs nearly the same kind of
> slowdown as siphash, so I expect the comparison to be more or less
> equal. There's another thing I really didn't like about your chacha20
> approach which is that it uses the /dev/urandom pool, which means
> various things need to kick in in the background to refill this.
> Additionally, having to refill the buffered chacha output every 32 or
> so longs isn't nice. These things together make for inconsistent and
> hard to understand general operating system performance, because
> get_random_long is called at every process startup for ASLR. So, in
> the end, I believe there's another reason for going with the siphash
> approach: deterministic performance.

*Hust*, so from where do you generate your key for siphash if called
early from ASLR?

Bye,
Hannes
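As an added illustration of the question Hannes raises (example code written for this page, not code from the patch series or from the kernel): a SipHash-2-4 implementation following the published specification, used as a get_random_long-style PRF over a counter under a fixed 128-bit key. The struct and function names (prf_state, prf_next, prf_streams_match) and the all-zero "no real key installed yet" state are this example's assumptions. Two generators that run before a real key has been installed emit identical, predictable streams, which is why the key source matters when the PRF is consulted early, at process startup, for ASLR.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Rotate-left on 64-bit words. */
#define ROTL64(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))

/* One SipRound as specified by Aumasson and Bernstein. */
#define SIPROUND                                                        \
    do {                                                                \
        v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);   \
        v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                        \
        v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                        \
        v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);   \
    } while (0)

static uint64_t load_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* SipHash-2-4: 128-bit key, arbitrary-length message, 64-bit output. */
uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t len)
{
    uint64_t k0 = load_le64(key), k1 = load_le64(key + 8);
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL;   /* "somepseu" */
    uint64_t v1 = k1 ^ 0x646f72616e646f6dULL;   /* "dorandom" */
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL;   /* "lygenera" */
    uint64_t v3 = k1 ^ 0x7465646279746573ULL;   /* "tedbytes" */
    const uint8_t *end = in + (len & ~(size_t)7);
    uint64_t b = (uint64_t)len << 56;   /* length byte sits in the top byte of the last block */

    for (; in != end; in += 8) {
        uint64_t m = load_le64(in);
        v3 ^= m;
        SIPROUND; SIPROUND;             /* c = 2 compression rounds per block */
        v0 ^= m;
    }
    for (size_t i = 0; i < (len & 7); i++)
        b |= (uint64_t)in[i] << (8 * i);
    v3 ^= b;
    SIPROUND; SIPROUND;
    v0 ^= b;
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;   /* d = 4 finalization rounds */
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Hypothetical get_random_long-style generator: SipHash-2-4 over a counter
 * under a fixed secret key. Names are this example's, not the kernel's. */
struct prf_state {
    uint8_t key[16];
    uint64_t counter;
};

uint64_t prf_next(struct prf_state *s)
{
    uint8_t msg[8];
    uint64_t c = s->counter++;
    for (int i = 0; i < 8; i++)
        msg[i] = (uint8_t)(c >> (8 * i));
    return siphash24(s->key, msg, sizeof msg);
}

/* Returns 1 if generators seeded with key_a and key_b emit the same first n outputs. */
int prf_streams_match(const uint8_t key_a[16], const uint8_t key_b[16], int n)
{
    struct prf_state a = { {0}, 0 }, b = { {0}, 0 };
    for (int i = 0; i < 16; i++) { a.key[i] = key_a[i]; b.key[i] = key_b[i]; }
    for (int i = 0; i < n; i++)
        if (prf_next(&a) != prf_next(&b))
            return 0;
    return 1;
}

/* Two generators that both run before any key has been installed (modelled here
 * as an all-zero key) are indistinguishable: every consumer gets the same stream. */
int unseeded_generators_collide(void)
{
    static const uint8_t zero[16] = {0};
    return prf_streams_match(zero, zero, 8);
}

/* Once one side has a real key, the streams diverge immediately. Key is constructed. */
int seeded_generator_diverges(void)
{
    static const uint8_t zero[16] = {0};
    uint8_t real[16];
    for (int i = 0; i < 16; i++) real[i] = (uint8_t)(0xa5 ^ i);
    return !prf_streams_match(zero, real, 8);
}

/* Known answers from the SipHash paper and reference vectors: key = 00..0f. */
int siphash24_known_answer_ok(void)
{
    uint8_t key[16], msg[15];
    for (int i = 0; i < 16; i++) key[i] = (uint8_t)i;
    for (int i = 0; i < 15; i++) msg[i] = (uint8_t)i;
    return siphash24(key, msg, 15) == 0xa129ca6149be45e5ULL   /* message 00..0e */
        && siphash24(key, msg, 0)  == 0x726fdb47dd0e0e31ULL;  /* empty message */
}

int main(void)
{
    printf("known answers ok:           %d\n", siphash24_known_answer_ok());
    printf("unseeded generators collide: %d\n", unseeded_generators_collide());
    printf("seeded generator diverges:   %d\n", seeded_generator_diverges());
    return 0;
}
```

The point of prf_streams_match is that SipHash's output is only as unpredictable as its key: the counter is public, so a generator whose key has not yet been filled from a real entropy source is a deterministic function an attacker can run too. Deterministic performance is bought by keying once, which pushes the question to where that one key comes from if the first caller is early-boot ASLR.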