From: "Jason A. Donenfeld"
Subject: Re: [PATCH v6 3/5] random: use SipHash in place of MD5
Date: Fri, 16 Dec 2016 23:23:59 +0100
To: Andy Lutomirski
Cc: Netdev, kernel-hardening@lists.openwall.com, LKML, Linux Crypto Mailing List, David Laight, Ted Tso, Hannes Frederic Sowa, Linus Torvalds, Eric Biggers, Tom Herbert, George Spelvin, Vegard Nossum, Andi Kleen, David S. Miller, Jean-Philippe Aumasson

Hi Andy,

> Agreed. A simpler construction would be:
>
> chaining++;
> output = H(chaining, secret);
>
> And this looks a whole lot like Ted's ChaCha20 construction.

In that simpler construction with counter-based secret rekeying and in Ted's ChaCha20 construction, the issue is that every X hits, there's a call to get_random_bytes, which has variable performance and entropy issues. Doing it my way with it being time-based, in the event that somebody runs `:(){ :|:& };:`, system performance doesn't suffer because ASLR is making repeated calls to get_random_bytes every 128 or so process creations. In the time-based way, the system performance will not suffer.

Jason
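To make the difference between the two rekeying schedules concrete, here is an added user-space model in C; it is not code from this thread or from the kernel. splitmix() stands in for H()/SipHash and fake_get_random_bytes() for get_random_bytes(), and the 128-call counter (the figure mentioned above) and a one-second time-based interval are assumptions of the simulation, as is the even spacing of calls within a burst.

```c
/* Added example: model of counter-based vs time-based secret rekeying
 * for an output = H(++chaining, secret) generator. Toy code, not kernel code. */
#include <stdint.h>

#define REKEY_EVERY_CALLS 128U           /* counter-based policy (figure from the thread) */
#define REKEY_INTERVAL_NS 1000000000ULL  /* time-based policy: assumed 1 s interval */

struct gen {
    uint64_t secret, chaining, last_rekey_ns;
    unsigned calls_since_rekey, rekeys;  /* rekeys = expensive CRNG calls made */
};

static uint64_t splitmix(uint64_t x) {   /* constructed mixer standing in for SipHash */
    x += 0x9e3779b97f4a7c15ULL;
    x = (x ^ (x >> 30)) * 0xbf58476d1ce4e5b9ULL;
    x = (x ^ (x >> 27)) * 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

static uint64_t fake_get_random_bytes(void) {  /* stand-in for get_random_bytes() */
    static uint64_t seed;
    return splitmix(++seed);
}

static void rekey(struct gen *g) { g->secret = fake_get_random_bytes(); g->rekeys++; }

static void gen_init(struct gen *g) {
    g->chaining = g->last_rekey_ns = 0; g->calls_since_rekey = g->rekeys = 0;
    g->secret = fake_get_random_bytes();     /* initial key, not counted as a rekey */
}

/* output = H(++chaining, secret), rekeying after every REKEY_EVERY_CALLS outputs */
uint64_t next_counter_based(struct gen *g) {
    if (g->calls_since_rekey >= REKEY_EVERY_CALLS) { rekey(g); g->calls_since_rekey = 0; }
    g->calls_since_rekey++;
    return splitmix(++g->chaining ^ g->secret);
}

/* same output function, but rekeying only once REKEY_INTERVAL_NS has elapsed */
uint64_t next_time_based(struct gen *g, uint64_t now_ns) {
    if (now_ns - g->last_rekey_ns >= REKEY_INTERVAL_NS) { rekey(g); g->last_rekey_ns = now_ns; }
    return splitmix(++g->chaining ^ g->secret);
}

/* A burst of n calls (e.g. rapid process creation): how many CRNG calls result? */
unsigned rekeys_counter_policy(unsigned n) {
    struct gen g; gen_init(&g);
    for (unsigned i = 0; i < n; i++) next_counter_based(&g);
    return g.rekeys;            /* grows with n: (n - 1) / 128 */
}

unsigned rekeys_time_policy(unsigned n, uint64_t span_ns) {
    struct gen g; gen_init(&g);  /* calls spread evenly over span_ns (assumption) */
    for (unsigned i = 0; i < n; i++) next_time_based(&g, (uint64_t)i * span_ns / n);
    return g.rekeys;            /* bounded by span_ns / REKEY_INTERVAL_NS, whatever n is */
}
```

With 1281 calls, the counter policy reaches the CRNG 10 times however fast the burst arrives, while the time policy reaches it 0 times if the burst fits in 100 ms and 2 times if it is spread over 3 s.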