Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp1114517iob; Wed, 18 May 2022 22:45:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwyg7mHDU9D2KknIDcl47zRsYCICrdXHcq1hN5R65Nw0mnZhSHLb/VPZFjQGyh2y6jyNvB4 X-Received: by 2002:a17:907:6088:b0:6f4:bc5b:ab3c with SMTP id ht8-20020a170907608800b006f4bc5bab3cmr2653199ejc.236.1652939159407; Wed, 18 May 2022 22:45:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652939159; cv=none; d=google.com; s=arc-20160816; b=OquX5ACvYV8ahNSaTo/J63moJfWtBSCsZIvWfLHVRrLG5oSKIfaEQNdj0ab4IlG6c4 grWiesqkMJODPi+MzIAlZtYRqh7MkHNmbIdqXXeV73YQnUQpK2I4XWjSmVHqz6mzZk8Q 2QuJUlj0U3t7FHU7fAmAxD93Htrdl5PI2cm6CJwvcpKGqMwUxWxOPcxN2HcGpLAlZq69 nOFKkVn6V2zxdUKR00YXYOD0dAnQ3ocRhP5J+B1dkh1CbpPgyxSPwHhSPkhVhY4NdxSe F0Io9TyBPBg/51GBa43vVDHR2s7tGeJu40M4yLRhc58/kGtJeYsc8Fou267pySIz7XyS dSrg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:to:subject:message-id:date:from:mime-version :dkim-signature; bh=zd+xBMGWQyFVUBHoyvcV9OHW2rTl/3bxnxYaYG1AMXU=; b=K5LLWxh/HVtRPCh0tBPqJv1z6QbXYQs+oLc+20XPCR5DS6+oB4lboKHCxCgpTGjbf8 gSIcly4AKd7wDRFH1jDOIc9B6Ya4y6EAYB/qfnkeJRNkoFyIk8muVEHyon9nKyKFI01w jFm9jdYbGRo/GOZGQCBXTv3NzzxXZoso/rmvzYTMXVLTFR73uWTTV1h5fndiN5j74Mpl sx+yhYcpKr6r2A3v2oOzSeI7BrEo/CxJDiiL6IDJrPi7f/m/BeA24vkApsFwBBZkAtu2 s5Ev6ws44gY6onMKIqkNbUcz1tp0VZeKuN3nX9Byp0GS13HPDoLw3fDAejhCNnlcvHks 5N5A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b="gcW/5VOD"; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id jg8-20020a170907970800b006f457f90cd9si4552345ejc.300.2022.05.18.22.45.22; Wed, 18 May 2022 22:45:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b="gcW/5VOD"; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230014AbiESFSw (ORCPT + 99 others); Thu, 19 May 2022 01:18:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35634 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229833AbiESFSv (ORCPT ); Thu, 19 May 2022 01:18:51 -0400 Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 73FA0AFB27 for ; Wed, 18 May 2022 22:18:50 -0700 (PDT) Received: by mail-ed1-x529.google.com with SMTP id j4so1159958edq.6 for ; Wed, 18 May 2022 22:18:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to; bh=zd+xBMGWQyFVUBHoyvcV9OHW2rTl/3bxnxYaYG1AMXU=; b=gcW/5VODU2e5UxLTuRB0sOf3ztZD/dSEWHWVy+JIdaiqpAwlyG3C3kHgKZa5ALISyl vqTcfJcdSOWrq8EpOHY1miw5AJKIy8IQSp/WyWKpWz42lz4FlkgzMdjnX2BofIxfL255 TrQl2qAufqef0Iw8/0u2b7u6BIWUC1Ix3Br9D57VAZIQDo5XzSCRItaOAnPO9++UWaq7 sBiKgTquwfR2lwo/OskYoKi06yxG9E5iporkNx8b9arX4UhkGR+OzCrUoPy+t70MFG+l XK3RAeEua55C5FUPWhRTMh5t913CS/XjnYBRTBtk8VpSRCqthsnRAkUFNr9g5R7wq2T1 vppQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=zd+xBMGWQyFVUBHoyvcV9OHW2rTl/3bxnxYaYG1AMXU=; b=HvyJYwIVKex/pFTi9n2Dh+PRZM2LBRUNJDita0WydUc0BStGmz83bkW3BNHPlTROgQ NEVQ0XeWmH5UfJ1GE+bPlXR7gzfwWO2MLuaoIxz03fSM+h8lh9pY+zCLQixiwo5krqlD MCNIXosbTbbHRop8V+nzm7VQnyuTCl1VeRyB03yS7ZPJMXti7iG/BlJGrYwpuMIj6Tq5 G5Pp6n5y4Tub+dx8AAUYMs+t+6KFR2iQhfev2wUXBJeHl2Am2j6P/LOjssiX7M5C97mC upf0ZcHFz2z7pnG0KRFaRgYEAv677oC2nsyP+CJiMcofHueJCH/4LcCyIx1obxS6362U DPqg== X-Gm-Message-State: AOAM532cHNHfmh3KoS96ujBHjadZ5y1+ltUv2I1k8KFOfHZ5j8pd75fK VVCtMEc4hHG6Wt7e8muj/Y1fuG55CjqtETG4ZmBHoRn5/nk= X-Received: by 2002:a50:ee18:0:b0:42a:b57c:2532 with SMTP id g24-20020a50ee18000000b0042ab57c2532mr3349344eds.169.1652937528576; Wed, 18 May 2022 22:18:48 -0700 (PDT) MIME-Version: 1.0 From: Sandy Harris Date: Thu, 19 May 2022 13:18:36 +0800 Message-ID: Subject: [RFC] random: use blake2b instead of blake2s? To: Linux Crypto Mailing List , "Jason A. Donenfeld" , "Ted Ts'o" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org The original random.c used a 4k-bit input pool, I think mainly because sometimes (e.g. for a large RSA key) we might need up to 4k of high-grade output. The current driver uses only a 512-bit hash context, basically a Yarrow-like design. This is quite plausible since we trust both the hash and the chacha output mechanism, but it seems to me there are open questions. One is that the Yarrow designers no longer support it; they have moved on to a more complex design called Fortuna, so one might wonder if the driver should use some Fortuna-like design. I'd say no; we do not need extra complexity in the kernel & it is not clear there'd be a large advantage. Similarly, there's a Blake 3 that might replace Blake 2 in the driver; the designers say it is considerably faster. I regard that as an open question, but will not address it here. What I do want to address is that the Yarrow paper says the cryptographic strength of the output is at most the size of the hash context, 160 bits for them & 512 for our current driver. Or, since we use only 256 bits to rekey, our strength might be only 256. These numbers are likely adequate, but if we can increase them easily, why not? Blake comes in two variants, blake2s and blake2b; presumably b and s are for big & small. The kernel crypto library has both & the driver currently uses 2s. 2s has 512-bit context (16 32-bit words) and can give up to 256-bit output. 2b has 1024 (16 64-bit words) and can do 512 out. To me, it looks like switching to 2b would be an obvious improvement, though not at all urgent. Benchmarks I've seen seem to say it is faster on 64-bit CPUs and slower on 32-bit ones, but neither difference is huge.