From: Jean-Philippe Aumasson Subject: Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF Date: Mon, 19 Dec 2016 17:19:16 +0000 Message-ID: References: <20161215203003.31989-1-Jason@zx2c4.com> <20161215203003.31989-2-Jason@zx2c4.com> Reply-To: kernel-hardening@lists.openwall.com Mime-Version: 1.0 Content-Type: multipart/alternative; boundary=f403045ec27e3cffea0544061f82 Cc: Netdev , kernel-hardening@lists.openwall.com, LKML , Linux Crypto Mailing List , David Laight , Ted Tso , Hannes Frederic Sowa , Linus Torvalds , Eric Biggers , Tom Herbert , George Spelvin , Vegard Nossum , Andi Kleen , David Miller , Andy Lutomirski , "Daniel J . Bernstein" To: "Jason A. Donenfeld" , noloader@gmail.com Return-path: List-Post: List-Help: List-Unsubscribe: List-Subscribe: In-Reply-To: List-Id: linux-crypto.vger.kernel.org --f403045ec27e3cffea0544061f82 Content-Type: text/plain; charset=UTF-8 Yeah you can use the PRF properties to build a DRBG, but that may not be optimal in terms of performance. On Mon, 19 Dec 2016 at 18:08, Jason A. Donenfeld wrote: > On Sat, Dec 17, 2016 at 3:55 PM, Jeffrey Walton > wrote: > > It may be prudent to include the endian reversal in the test to ensure > > big endian machines produce expected results. Some closely related > > testing on an old Apple PowerMac G5 revealed that result needed to be > > reversed before returning it to a caller. > > The function [1] returns a u64. Originally I had it returning a > __le64, but that was considered unnecessary by many prior reviewers on > the list. It returns an integer. If you want uniform bytes out of it, > then use the endian conversion function, the same as you would do with > any other type of integer. > > Additionally, this function is *not* meant for af_alg or any of the > crypto/* code. It's very unlikely to find a use there. > > > > Forgive my ignorance... I did not find reading on using the primitive > > in a PRNG. Does anyone know what Aumasson or Bernstein have to say? > > Aumasson's site does not seem to discuss the use case: > > He's on this thread so I suppose he can speak up for himself. But in > my conversations with him, the primary take-away was, "seems okay to > me!". But please -- JP - correct me if I've misinterpreted. > --f403045ec27e3cffea0544061f82 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Yeah you can use the PRF properties to build a DRBG, but that may not be op= timal in terms of performance.
On Mon, 19 Dec 2016 at 18:08, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
On Sat, Dec 17, 2016 at 3:55 PM, Jeffrey Walton <noload= er@gmail.com> wrote:
> It may be prudent to include the endian reversal in the test to ensure=
> big endian machines produce expected results. Some closely related
> testing on an old Apple PowerMac G5 revealed that result needed to be<= br class=3D"gmail_msg"> > reversed before returning it to a caller.

The function [1] returns a u64. Originally I had it returning a
__le64, but that was considered unnecessary by many prior reviewers on
the list. It returns an integer. If you want uniform bytes out of it,
then use the endian conversion function, the same as you would do with
any other type of integer.

Additionally, this function is *not* meant for af_alg or any of the
crypto/* code. It's very unlikely to find a use there.


> Forgive my ignorance... I did not find reading on using the primitive<= br class=3D"gmail_msg"> > in a PRNG. Does anyone know what Aumasson or Bernstein have to say? > Aumasson's site does not seem to discuss the use case:

He's on this thread so I suppose he can speak up for himself. But in my conversations with him, the primary take-away was, "seems okay to me!". But please -- JP - correct me if I've misinterpreted.
--f403045ec27e3cffea0544061f82--