Subject: Re: [PATCHv2] crypto: xts - Add support for Cipher Text Stealing
To: Ard Biesheuvel, Pascal Van Leeuwen
Cc: Pascal van Leeuwen, "open list:HARDWARE RANDOM NUMBER GENERATOR CORE", Herbert Xu, "David S. Miller"
References: <1565245094-8584-1-git-send-email-pvanleeuwen@verimatrix.com>
From: Milan Broz
Message-ID: <1353558c-ea2f-b94b-a570-4ca8f3a653ee@gmail.com>
Date: Thu, 8 Aug 2019 15:11:11 +0200
X-Mailing-List: linux-crypto@vger.kernel.org

On 08/08/2019 12:37, Ard Biesheuvel wrote:
>>> True. Which is another historical mistake imo, since XTS is only
>>> specified for AES, but I digress ... :-)
>>>
>> Yes, I was also surprised by the use of XTS with other blockciphers.
>> It sort of violates the don't roll your own crypto paradigm ...
>> (although some might argue that XTS is supposed to be secure if the
>> underlying blockcipher is, regardless of what that cipher actually is)
>>
>
> That doesn't really matter. What matters is that nobody took a careful
> look whether XTS combined with other ciphers is a good idea before
> throwing it out into the world.

Couldn't resist, but tell that to the TrueCrypt authors (if you know them :)

They used XTS for other AES candidates (Serpent, Twofish, also in chained
modes together). Older versions used LRW mode, doing the same.
Even implementing LRW over Blowfish, which has an 8-byte block size, so you
need GF(2^64) operations - that is luckily not implemented in the Linux
kernel crypto API :-)

VeraCrypt continued the tradition, adding Camellia and Kuznyechik
(actually discussed GOST standard) to the XTS mix.

But without sarcasm, I do want to support this for users, we can map
(but not create) such images in cryptsetup, and it is partially the
reason I want dm-crypt to be fully configurable...

Milan
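The situation Milan describes, XTS over a block cipher other than AES with the tweak arithmetic done in the field that matches the cipher's block size, as an added example that is not part of this message, the kernel patch, cryptsetup or TrueCrypt. The mode below is cipher-agnostic XTS with the ciphertext stealing the patch subject refers to (IEEE 1619 style: C_m is the head of the full-block encryption of P_{m-1}, and the short last plaintext block is padded with the rest of that output before being encrypted under the next tweak). XTEA stands in for Blowfish because it is a real 64-bit block cipher that fits in a few lines; the GF(2^64) reduction polynomial x^64 + x^4 + x^3 + x + 1 is the common choice for that field and is an assumption here, and the keys, sector numbers and plaintexts are constructed for the demo. Dropping in a 16-byte block cipher switches the tweak field to the GF(2^128) polynomial from IEEE 1619.

```python
# Cipher-agnostic XTS with ciphertext stealing. Added example: not kernel,
# cryptsetup or TrueCrypt code. XTEA stands in for Blowfish (same 8-byte block).
import struct

MASK32 = 0xFFFFFFFF
XTEA_DELTA = 0x9E3779B9
# Low byte of the tweak-field reduction polynomial, selected by block size:
# GF(2^128): x^128 + x^7 + x^2 + x + 1 -> 0x87 (IEEE 1619 XTS-AES)
# GF(2^64):  x^64 + x^4 + x^3 + x + 1  -> 0x1B (assumed; LRW/XTS over an 8-byte cipher)
REDUCTION = {16: 0x87, 8: 0x1B}

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def gf_double(tweak: bytes) -> bytes:
    """Multiply the tweak by alpha (= x) in GF(2^(8*len(tweak))).
    XTS reads the tweak little-endian: the bit shifted out of the last byte
    is reduced back into byte 0."""
    out, carry = bytearray(len(tweak)), 0
    for i, byte in enumerate(tweak):
        out[i] = ((byte << 1) & 0xFF) | carry
        carry = byte >> 7
    if carry:
        out[0] ^= REDUCTION[len(tweak)]
    return bytes(out)

def xtea_encrypt_block(key: bytes, block: bytes) -> bytes:
    """XTEA: 64-bit block, 128-bit key, 32 cycles of two Feistel rounds."""
    v0, v1 = struct.unpack(">2I", block)
    k, s = struct.unpack(">4I", key), 0
    for _ in range(32):
        v0 = (v0 + (((((v1 << 4) & MASK32) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + XTEA_DELTA) & MASK32
        v1 = (v1 + (((((v0 << 4) & MASK32) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)

def xtea_decrypt_block(key: bytes, block: bytes) -> bytes:
    v0, v1 = struct.unpack(">2I", block)
    k, s = struct.unpack(">4I", key), (XTEA_DELTA * 32) & MASK32
    for _ in range(32):
        v1 = (v1 - (((((v0 << 4) & MASK32) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - XTEA_DELTA) & MASK32
        v0 = (v0 - (((((v1 << 4) & MASK32) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)

class XTS:
    """XTS with ciphertext stealing over any 8- or 16-byte block cipher.
    enc/dec: one block under K1; tweak_enc: one block under K2 (makes T_0)."""

    def __init__(self, block_size, enc, dec, tweak_enc):
        self.bs, self.enc, self.dec, self.tweak_enc = block_size, enc, dec, tweak_enc

    def _xex(self, fn, block, tweak):
        return xor_bytes(fn(xor_bytes(block, tweak)), tweak)  # fn(X xor T) xor T

    def _prefix(self, fn, sector, data):
        # Handle every full block except, when stealing is needed, the last
        # one; return the output so far, its tweak T_{m-1}, the tail and rem.
        bs = self.bs
        if len(data) < bs:
            raise ValueError("XTS needs at least one full block")
        t = self.tweak_enc(sector.to_bytes(bs, "little"))  # T_0 = E_K2(sector)
        n_full, rem = divmod(len(data), bs)
        stop = n_full - 1 if rem else n_full
        out = bytearray()
        for j in range(stop):
            out += self._xex(fn, data[j * bs:(j + 1) * bs], t)
            t = gf_double(t)  # T_{j+1} = T_j * alpha
        return out, t, data[stop * bs:], rem

    def encrypt(self, sector: int, data: bytes) -> bytes:
        out, t, tail, rem = self._prefix(self.enc, sector, data)
        if rem:  # tail = P_{m-1} || P_m, P_m is rem bytes
            cc = self._xex(self.enc, tail[:self.bs], t)  # CC under T_{m-1}
            pp = tail[self.bs:] + cc[rem:]  # P_m padded with the tail of CC
            out += self._xex(self.enc, pp, gf_double(t)) + cc[:rem]  # C_{m-1} || C_m
        return bytes(out)

    def decrypt(self, sector: int, data: bytes) -> bytes:
        out, t, tail, rem = self._prefix(self.dec, sector, data)
        if rem:  # tail = C_{m-1} || C_m, C_m is rem bytes
            pp = self._xex(self.dec, tail[:self.bs], gf_double(t))  # PP under T_m
            cc = tail[self.bs:] + pp[rem:]  # C_m padded with the tail of PP
            out += self._xex(self.dec, cc, t) + pp[:rem]  # P_{m-1} || P_m
        return bytes(out)

def xtea_xts(key1: bytes, key2: bytes) -> XTS:
    """XTS over XTEA: two independent 128-bit keys, tweaks in GF(2^64)."""
    return XTS(8, lambda b: xtea_encrypt_block(key1, b),
               lambda b: xtea_decrypt_block(key1, b),
               lambda b: xtea_encrypt_block(key2, b))

if __name__ == "__main__":
    mode = xtea_xts(bytes(range(16)), bytes(range(16, 32)))  # constructed demo keys
    ct = mode.encrypt(7, bytes(range(13)))  # 13 bytes: one full block plus stealing
    print(ct.hex(), mode.decrypt(7, ct) == bytes(range(13)))
```

The only place the block size enters the mode is `gf_double`, which is the point of the GF(2^64) remark: the XEX wrapping and the stealing are the same for any cipher, but the tweak chain needs a multiplication in the field of the cipher's block width, and that is the primitive the Linux kernel crypto API only provides for 128-bit blocks. The sector-number tweak is also only 8 bytes wide here, so a 64-bit block cipher caps the tweak space at 2^64 sectors, which is another reason the mode is only standardised for 128-bit blocks.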