Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp823842ybl; Fri, 9 Aug 2019 14:34:20 -0700 (PDT) X-Google-Smtp-Source: APXvYqyHstDYzaH2JeEK/iSPKVqvtdVqlPoXSSzvCVKhJihQACi7PBe1RhHd9ovGOSjF/968eBht X-Received: by 2002:a63:5225:: with SMTP id g37mr19059357pgb.236.1565386459876; Fri, 09 Aug 2019 14:34:19 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1565386459; cv=pass; d=google.com; s=arc-20160816; b=b3C5of1TtAJ/TYslvUhMOBtJP8aLzNR4kfPDxoaWLA6l0QvPpyKZBYFBga6DH5AU00 th4Xw0K0EKjpqpXHAh1oKuV6/xzgNs51CNXr4nJWGfoqAMlrwpE6wIAXv12W2IhKLTUJ U+XkCImlBWRPSmSYJGJOOFyc6Dsnuya3kI4uT1TB9db+KuGEOU6P9RULxRR1KOfbtQi2 JuYYmRVtIL9YIfj97Z5o0JYdf6mxAzZA5LfuCRI0gVleOPsgx9671lo9+4/kOhrEv99c Vhp5NhuZnpRWovIkeMqlGoeVrCB+Y83HJYWoFDwO3Kkn3cdym6FVrP4jPBoUIhLAODfF J/Ow== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :content-language:accept-language:in-reply-to:references:message-id :date:thread-index:thread-topic:subject:cc:to:from:dkim-signature; bh=Kml/gosS12HqNnqP4V+ulH9f5o5DZYpqog23z0UNHi8=; b=O6LpDcqB3D9i+NhH/6ofdZmQabUW/qw6wh60aPUR+qI5FK3cGyM2eFnw0ENfN6Mf9+ 7uZXvkNaSo5GrvYGiurnLWHiwG9RaQzRHXV8+ltfCPq+AjDaC0BKoloW6cJKEOexZFfz k1jkzyOko5NLXliris9/HVWpDa6+HRlmrCiXV5P1OnmxrmtufLBDAm2K+o8dvLtIBBps neqvM/ENanuhj44ObSfBI8sgdMwdO85ERbgN2QkwAdM6VzA4DrKXV4jy6POUsIqwKF1G 6HTfWrbRILlO1/AealaSJLN4sIqZK8cXvexB6G/qMAV4FZhTCraFRyMBWnRRg7LjePTI XlOQ== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@verimatrix.com header.s=selector2 header.b=u3OY3bOO; arc=pass (i=1 spf=pass spfdomain=verimatrix.com dkim=pass dkdomain=verimatrix.com dmarc=pass fromdomain=verimatrix.com); spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=verimatrix.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n20si52548839plp.395.2019.08.09.14.33.58; Fri, 09 Aug 2019 14:34:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@verimatrix.com header.s=selector2 header.b=u3OY3bOO; arc=pass (i=1 spf=pass spfdomain=verimatrix.com dkim=pass dkdomain=verimatrix.com dmarc=pass fromdomain=verimatrix.com); spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=verimatrix.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726078AbfHIVd5 (ORCPT + 99 others); Fri, 9 Aug 2019 17:33:57 -0400 Received: from mail-eopbgr690059.outbound.protection.outlook.com ([40.107.69.59]:59203 "EHLO NAM04-CO1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726022AbfHIVd4 (ORCPT ); Fri, 9 Aug 2019 17:33:56 -0400 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TRIojsVw8oHubRbB8mtfYcDsGp/Vdc3/j/XrmIDvvluIs4QX/Ynwfg1zAAouzogYH3TAsW9pmQp41gZWe9nEOxdTmYlKQLwLKEaHmXJzEJ5DbscSa5oFV3UNfZp3cPS+JiOewlIX83D1bmnB8vtFiNhGyr1ayMtA/BCrPWWssgv1l6PtTQPKMseoYJyUqzwbi9UiO90IyFLZCMeDgNq6qFt1ixn263DeosCVm1DbdUT78/wm16EYTjCBQEq2y83C1BxkyThFL+2mk3m4LCzOplHiDJK7IhvDDMI6vdQO1mgoeteIOeRSgVw/IVESzHDKH5gCpfF2UKgBHlo49cyDGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Kml/gosS12HqNnqP4V+ulH9f5o5DZYpqog23z0UNHi8=; b=WvwIcMGSC+hjnv347iWyx9V4Vfpwn6RDXXhyzU0uNuFGVcjnxoZD+UD/Y7VyjIz53ohW7Tj7nbhP5rvMioNDTMNNq/ycn/IT5uCcm+NG3pvUH14o33HZ4kRZaphr6SQTIA6XPxLPAwlXPjMiOf/sGgPBLXBJ+f+NdnzHAv+SK9LH1dwtg3vQs0Q7zOIBoxRmEZo2zTF0aHPiBy+dLoHXQrajq5TW7xKkLyS48mSjCI1l+OC6d3d4EWTRUCWjHaVB/y9SaJNUyXTwS0c8tCwqNRYR/CaDhjRDPw5jyHHoXHdZAfpi55+LDosqBuh3julbKKZ3xpX8R0FpPd8ubMCMdA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=verimatrix.com; dmarc=pass action=none header.from=verimatrix.com; dkim=pass header.d=verimatrix.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verimatrix.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Kml/gosS12HqNnqP4V+ulH9f5o5DZYpqog23z0UNHi8=; b=u3OY3bOOrJ6zS25Sh1gIp212TWFZjD5LX7bYDzgpWch/4nrwyir9r5n16ewHCVBhE74ltCtmDwOIGu31XoFLwalZsyYUBevKXJ7fo6no4acAwWZF+9Yxo7PSHtpnF9sg6Rhonl9ptAXp6X2SxU5nr6zjkisCbQyeIIXgDMB2RTw= Received: from MN2PR20MB2973.namprd20.prod.outlook.com (52.132.172.146) by MN2PR20MB2303.namprd20.prod.outlook.com (20.179.148.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2157.16; Fri, 9 Aug 2019 21:33:14 +0000 Received: from MN2PR20MB2973.namprd20.prod.outlook.com ([fe80::d96f:39b2:19f4:c7c1]) by MN2PR20MB2973.namprd20.prod.outlook.com ([fe80::d96f:39b2:19f4:c7c1%7]) with mapi id 15.20.2157.020; Fri, 9 Aug 2019 21:33:14 +0000 From: Pascal Van Leeuwen To: Eric Biggers CC: "linux-crypto@vger.kernel.org" Subject: RE: [RFC PATCH v2] md/dm-crypt - reuse eboiv skcipher for IV generation Thread-Topic: [RFC PATCH v2] md/dm-crypt - reuse eboiv skcipher for IV generation Thread-Index: AQHVTOQKWnTPkdATo0i/D1XZtRSIkqbvRQ3wgABmBgCAAAHhUIAAJeoAgAAASmCAARpFgIAAAIWQgABIkICAAAcZkIAAQkcAgAEBE3CAAJHdAIAAM6SQgAAJhoCAAAKAEA== Date: Fri, 9 Aug 2019 21:33:14 +0000 Message-ID: References: <20190808083059.GB5319@sol.localdomain> <67b4f0ee-b169-8af4-d7af-1c53a66ba587@gmail.com> <20190808171508.GA201004@gmail.com> <20190809171720.GC658@sol.localdomain> <20190809205614.GB100971@gmail.com> In-Reply-To: <20190809205614.GB100971@gmail.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=pvanleeuwen@verimatrix.com; x-originating-ip: [188.204.2.113] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 7ed6626b-4f73-44c1-2655-08d71d112f7a x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(5600148)(711020)(4605104)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020);SRVR:MN2PR20MB2303; x-ms-traffictypediagnostic: MN2PR20MB2303: x-ms-exchange-purlcount: 1 x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:9508; x-forefront-prvs: 01244308DF x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(4636009)(376002)(136003)(39840400004)(366004)(396003)(346002)(189003)(13464003)(199004)(33656002)(102836004)(256004)(26005)(66066001)(316002)(3846002)(6116002)(186003)(71190400001)(229853002)(99286004)(2906002)(7696005)(14444005)(76176011)(71200400001)(9686003)(76116006)(8676002)(6916009)(66476007)(81156014)(64756008)(5660300002)(476003)(14454004)(486006)(66446008)(6246003)(66946007)(55016002)(66556008)(53936002)(52536014)(25786009)(81166006)(74316002)(86362001)(15974865002)(6436002)(7736002)(478600001)(53546011)(305945005)(6506007)(11346002)(446003)(4326008)(8936002)(18886075002);DIR:OUT;SFP:1101;SCL:1;SRVR:MN2PR20MB2303;H:MN2PR20MB2973.namprd20.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1; received-spf: None (protection.outlook.com: verimatrix.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: B5ul+80AiB4enXWWzFKGqeh5OTNph3EmtM1lsq8U5Towgb36HwkOISVv3x5hP8j6nf5WF4AFzsVtAMHGyLwp52L4r4kyG0TYNYOntELU6OPXKAUXbITG8YcKYbQIDNpe/qBRW3hkwM7H7XYzXIZl2BE71v2T55rB3dWPKsq2WIbabI6hx0LV/Kx0br1heYr9s3QPI96q5bxhqYGPC+QIL3PHS+G9vQpRtoSLjxf1dAnlEqTeOSqHbNjTGlF4ZjTWU4oG7pCulFR0ND4Mdb3G6p0j3QBZo52BzGKPE+6by7Qzrhnr64UYdLQlpbuSd+MP5qzMEtV1BQ3Kgg5aWMZ257Kq/rd4oF7y5LA4blz4WKRTbiE9/8JdXVo7JAA/lNwZZvuYXcYs0kNtv97/fZPOT479/SK5EyaRxMYeGP/o0Lg= x-ms-exchange-transport-forked: True Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: verimatrix.com X-MS-Exchange-CrossTenant-Network-Message-Id: 7ed6626b-4f73-44c1-2655-08d71d112f7a X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Aug 2019 21:33:14.2349 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: dcb260f9-022d-4495-8602-eae51035a0d0 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: rjwFuWAwC0kRK+BafFd5wT5mWlxKLbg0RV9D2RB7z3pqGTR93UrH4Mif0xUiC/+HodMeKBWHDfOjbOG4Q39UjGOU3bsynzyklWi4QuP0v0w= X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR20MB2303 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org > -----Original Message----- > From: Eric Biggers > Sent: Friday, August 9, 2019 10:56 PM > To: Pascal Van Leeuwen > Cc: linux-crypto@vger.kernel.org > Subject: Re: [RFC PATCH v2] md/dm-crypt - reuse eboiv skcipher for IV gen= eration >=20 > On Fri, Aug 09, 2019 at 08:29:59PM +0000, Pascal Van Leeuwen wrote: > > > > > > There's no proof that other attacks don't exist. > > > > > As you can't prove something doesn't exist ... >=20 > Of course you can, that's what the security proofs for crypto constructio= ns > always do. They prove that no efficient attack exists (in some attack mo= del) > unless the underlying crypto primitives are weak. >=20 > > > > > If you're going to advocate > > > for using it regardless, then you need to choose a different (weaker)= attack > > > model, then formally prove that the construction is secure under that= model. > > > Or show where someone else has done so. > > > > > I'm certainly NOT advocating the use of this. I was merely pointing out= a > > legacy use case that happens to be very relevant to people stuck with i= t, > > which therefore should not be dismissed so easily. > > And how this legacy use case may have further security implications (li= ke > > the tweak encryption being more sensitive than was being assumed, so yo= u > > don't want to run that through an insecure implementation). >=20 > Obviously there are people already using bad crypto, whether this or some= thing > else, and they often need to continue to be supported. I'm not disputing= that. >=20 > What I'm disputing is your willingness to argue that it's not really that= bad, > without a corresponding formal proof which crypto constructions always ha= ve. >=20 Real life designs require all kinds of trade-offs and compromises. If you want to make something twice as expensive, you'd better have a=20 really solid reason for doing so. So yes, I do believe it is useful to be sceptical and question these things. But I always listen to good=20 arguments, so just convince me I got it wrong *for my particular use case* (I'm not generally interested in the generic case). I mean, we were talking XTS here. Which is basically better-than- nothing crypto anyway. It's one big compromise to be doing something really fast without needing to expand the data. Good crypto would not work on narrow blocks and/or include authentication as well ... > - Eric Regards, Pascal van Leeuwen Silicon IP Architect, Multi-Protocol Engines @ Verimatrix www.insidesecure.com