From: "Jason A. Donenfeld"
Subject: Re: [PATCH v2 0/5] crypto: Speck support
Date: Tue, 24 Apr 2018 22:58:35 +0200
References: <20180212235209.117393-1-ebiggers@google.com> <20180424181623.GA174675@google.com>
In-Reply-To: <20180424181623.GA174675@google.com>
To: Eric Biggers
Cc: Jeffrey Walton, Greg Kaiser, Herbert Xu, Ard Biesheuvel, Michael Halcrow, tashur@esat.kuleuven.be, Patrik Torstensson, Alex Cope, Paul Lawrence, linux-fscrypt@vger.kernel.org, Linux Crypto Mailing List, Greg Kroah-Hartman, linux-arm-kernel@lists.infradead.org, Paul Crowley
List-Id: linux-crypto.vger.kernel.org

Hi Eric,

On Tue, Apr 24, 2018 at 8:16 PM, Eric Biggers wrote:
> So, what do you propose replacing it with?

Something more cryptographically justifiable.

> outside crypto review, vs. the many cryptanalysis papers on Speck. (In that
> respect the controversy about Speck has actually become an advantage, as it has
> received much more cryptanalysis than other lightweight block ciphers.)

That's the thing that worries me, actually. Many of the design decisions
behind Speck haven't been justified.

> The reason we chose Speck had nothing to do with the proposed ISO standard or
> any sociopolitical factors, but rather because it was the only algorithm we
> could find that met the performance and security requirements.
> Note that Linux
> doesn't bow down to any particular standards organization, and it offers
> algorithms that were specified in various places, even some with no more than a
> publication by the author. In fact, support for SM4 was just added too, which
> is a Chinese government standard. Are you going to send a patch to remove that
> too, or is it just NSA designed algorithms that are not okay?

No need to be belittling; I have much less tinfoil strapped around my head
than perhaps you think. I'm not blindly opposed to government-designed
algorithms. Take SHA2, for example -- built by the NSA. But I do care quite
a bit about using ciphers that have the acceptance of the academic community
and a large body of literature documenting their design decisions and
analyzing them. Some of the best symmetric cryptographers in academia have
expressed reservations about it, and it was just rejected from a major
standards body. Linux, of course, is free to disagree -- or "bow down" as
you oddly put it -- but I'd make sure you've got a pretty large bucket of
justifications for that disagreement.

> (in fact, you'd
> probably have a different opinion of it if the authors had simply worked
> somewhere else and published the exact same algorithm);

Again, no need to patronize. I don't actually have a bias like that.

> But I hope you can understand that all *technical* indicators are that Speck is
> secure enough

That's the thing I'm worried about.

Jason