From: "Jason A. Donenfeld"
Subject: Re: [PATCH v7 3/6] random: use SipHash in place of MD5
Date: Thu, 22 Dec 2016 00:13:34 +0100
References: <20161216030328.11602-1-Jason@zx2c4.com> <20161221230216.25341-1-Jason@zx2c4.com> <20161221230216.25341-4-Jason@zx2c4.com>
Reply-To: kernel-hardening@lists.openwall.com
To: Netdev, kernel-hardening@lists.openwall.com, LKML, Linux Crypto Mailing List, David Laight, Ted Tso, Hannes Frederic Sowa, Eric Dumazet, Linus Torvalds, Eric Biggers, Tom Herbert, Andi Kleen, David Miller, Andy Lutomirski, Jean-Philippe Aumasson
Cc: "Jason A. Donenfeld"
In-Reply-To: <20161221230216.25341-4-Jason@zx2c4.com>
List-Id: linux-crypto.vger.kernel.org

Hi Ted,

On Thu, Dec 22, 2016 at 12:02 AM, Jason A. Donenfeld wrote:
> This duplicates the current algorithm for get_random_int/long

I should have mentioned this directly in the commit message, which I forgot to update: this v7 adds the time-based key rotation, which, while not strictly necessary for ensuring the security of the RNG, might help alleviate some concerns, as we talked about. Performance is quite good on both 32-bit and 64-bit -- better than MD5 in both cases.

If you like this, terrific. If not, I'm happy to take this in whatever direction you prefer, and implement whatever construction you think best. There's been a lot of noise on this list about it; we can continue to discuss more, or you can just tell me whatever you want to do, and I'll implement it and that'll be the end of it. As you said, we can always get something decent now and improve it later.

Alternatively, if you've decided in the end you prefer your batched entropy approach using chacha, I'm happy to implement a polished version of that here in this patch series (so that we can keep the `rm lib/md5.c` commit). Just let me know how you'd like to proceed.

Thanks,
Jason
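As an added illustration (not code from the patch series or from the kernel), the following is a userspace model of the construction this reply refers to: a chaining value fed through keyed SipHash-2-4 together with the current tick, with the secret key replaced once it is older than a fixed lifetime. The function and struct names, the 300-tick lifetime and the caller-supplied fresh key are assumptions; in the kernel the replacement key would have to come from the entropy pool.

```c
#include <stddef.h>
#include <stdint.h>

#define ROTL64(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32); \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32); } while (0)

/* SipHash-2-4 over len bytes with the 128-bit key (k0, k1); little-endian loads. */
uint64_t siphash24(const uint8_t *in, size_t len, uint64_t k0, uint64_t k1)
{
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    uint64_t b = (uint64_t)len << 56, m;
    size_t i, j;
    for (i = 0; i + 8 <= len; i += 8) {        /* full 8-byte words */
        for (m = 0, j = 0; j < 8; j++) m |= (uint64_t)in[i + j] << (8 * j);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (j = 0; i + j < len; j++)              /* tail bytes join the length byte */
        b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Userspace model (not the kernel's code) of the keyed-chaining construction:
 * each call hashes chaining || now under a secret SipHash key, and the key is
 * swapped for a fresh one (supplied by the caller from a real entropy source)
 * once it is KEY_LIFETIME ticks old. Lifetime and names are assumptions. */
#define KEY_LIFETIME 300
struct rng_model { uint64_t k0, k1, key_born, chaining; };

uint32_t model_get_random_int(struct rng_model *s, uint64_t now,
                              uint64_t fresh_k0, uint64_t fresh_k1)
{
    uint8_t msg[16];
    size_t j;
    if (now - s->key_born >= KEY_LIFETIME) {   /* time-based key rotation */
        s->k0 = fresh_k0; s->k1 = fresh_k1; s->key_born = now;
    }
    for (j = 0; j < 8; j++) {                  /* msg = chaining || now, LE */
        msg[j] = (uint8_t)(s->chaining >> (8 * j));
        msg[8 + j] = (uint8_t)(now >> (8 * j));
    }
    s->chaining = siphash24(msg, 16, s->k0, s->k1);
    return (uint32_t)s->chaining;
}
```

The siphash24 routine reproduces the published SipHash-2-4 reference vectors (key bytes 00..0f, message bytes 00..len-1), so the chaining model can be checked against it directly.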