Date: Fri, 9 Aug 2019 13:56:15 -0700
From: Eric Biggers
To: Pascal Van Leeuwen
Cc: linux-crypto@vger.kernel.org
Subject: Re: [RFC PATCH v2] md/dm-crypt - reuse eboiv skcipher for IV generation
Message-ID: <20190809205614.GB100971@gmail.com>
References: <20190808083059.GB5319@sol.localdomain> <67b4f0ee-b169-8af4-d7af-1c53a66ba587@gmail.com> <20190808171508.GA201004@gmail.com> <20190809171720.GC658@sol.localdomain>
List-ID: linux-crypto@vger.kernel.org

On Fri, Aug 09, 2019 at 08:29:59PM +0000, Pascal Van Leeuwen wrote:
> > > > There's no proof that other attacks don't exist.
> >
> As you can't prove something doesn't exist ...

Of course you can; that's what the security proofs for crypto constructions
always do. They prove that no efficient attack exists (in some attack model)
unless the underlying crypto primitives are weak.

> > > If you're going to advocate
> > for using it regardless, then you need to choose a different (weaker) attack
> > model, then formally prove that the construction is secure under that model.
> > Or show where someone else has done so.
> >
> I'm certainly NOT advocating the use of this. I was merely pointing out a
> legacy use case that happens to be very relevant to people stuck with it,
> which therefore should not be dismissed so easily.
> And how this legacy use case may have further security implications (like
> the tweak encryption being more sensitive than was being assumed, so you
> don't want to run that through an insecure implementation).

Obviously there are people already using bad crypto, whether this or something
else, and they often need to continue to be supported. I'm not disputing that.
What I'm disputing is your willingness to argue that it's not really that bad,
without a corresponding formal proof, which crypto constructions always have.

- Eric