Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp1152678iob; Wed, 18 May 2022 23:54:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwjosIM5eAX8XEoS9rvays3qieBnlXucHLRHJT4rLVM8+ZQCzNv158M4qtORkGsORIqBBMi X-Received: by 2002:a05:6402:3812:b0:42a:a0dc:562c with SMTP id es18-20020a056402381200b0042aa0dc562cmr3680341edb.205.1652943251353; Wed, 18 May 2022 23:54:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652943251; cv=none; d=google.com; s=arc-20160816; b=BByUdZ1hVuFWr9H1R419spE73+r1gxJP7vacc9ggH2opGk7MHjzAkSl4IQIa0XSnBU ClTBGKjPCNOYKHdWElrAPaXh6AzSguD6o9YMWN2DTZ/f9NNaV4icBnDstRB25GYYgEWH ILpHBR0RvC+h0rVBlgmJpTTXiwYh0fPN3OekJAx/Uj660iwYCkhlKHdehPbVNDpinGBH /JcybNGglVlflhVHxdLMUhrl3abK9mW96c2b1itGsSsbun4c3cI5E1hBSQxPTGGGS4q1 OHzpoTfiBKrxwtxbeUIQdZeXaBekw2gfbSFmOlIdCKSEHa1V6Cnvyw68ONWiC0b/Bre8 2+QQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=gYhBmt2DJjuovlj8cEVjJWatfYnYEnvKQvTR5wcx1jM=; b=PwB5/lrw6q8Wb0dnqlBL0Tbx3Rp/kN23TPIu9Wf9ohUxV432L7LgVJCyrN5H5SxOeG J6xgQ226rylXQiHP5e5SmIwbmtxBiHjNrvPVhsLpOmx6VcUBlDY54i8sQI9zc9KKzYwD HiiE8NaewwmvtRkcGPFNp6hFJQoFxj/mlJHYMP8Mz3x2Dm6fYIonfrMMkFd8sxN1lmbs R/3gyJDVyISHWujs4nn3xfp3pmlq215sojcw/2KENf1cHeIf/kq4TNQpm0GitbK8JhXn YZtUSNseE39BKUOZs4ABS40NBbdbahe0JipvtO88tHLkLqe67uLam6rpkN47k6YsrnQv Y++Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=YFceBQS8; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ne1-20020a1709077b8100b006fe5c8da2e3si4957344ejc.467.2022.05.18.23.53.35; Wed, 18 May 2022 23:54:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=YFceBQS8; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233937AbiESGLT (ORCPT + 99 others); Thu, 19 May 2022 02:11:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43688 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234360AbiESGLT (ORCPT ); Thu, 19 May 2022 02:11:19 -0400 Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 34A1433351 for ; Wed, 18 May 2022 23:11:13 -0700 (PDT) Received: by mail-ed1-x530.google.com with SMTP id c12so5662877eds.10 for ; Wed, 18 May 2022 23:11:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=gYhBmt2DJjuovlj8cEVjJWatfYnYEnvKQvTR5wcx1jM=; b=YFceBQS8mdD5J7xJrp0GhLhnihLf4RzLsf1jFD7Mix84dFO2uMABu/ljD2xqQ4Zi4H EY372DX7GhDHFXFteZXj/A28uVAmCY2NcPWw7CDSV75+bT8YgP9I/bNjv6VoKA55nm6I sCt8/C5g4GPhhiJkRjKkGyVkhopif+1Cbndc40zakzt8IahxRl+1cJHMwxnGnLgYb1Ih xk+2OO9gcp17MDpJN2Zy98Y9GJD1nvSMGr3uVrJx9tzklkmAeA4FPdMHz2Yp3sWMYqiv NY6ED63DQvxIGJarL0SaPFlgfCPH8AqGQQCh/K5ZNGA2yB73j+tTzYRGY14sgGKYf5JW m9kA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=gYhBmt2DJjuovlj8cEVjJWatfYnYEnvKQvTR5wcx1jM=; b=QJugtN51BdtMdVlkYhyw7SWu9arO8ZEyWncGTQC892AOpDE0bEP5pgxy5jAD8mnwI2 8OfebNTM7d9o6Eo3x/MTK4QKQQ4Y+uUu1uYVYT/SvjWyWHv5pbAniSJyb++A8Fb28orP JMZ8//iin76Fb9IVb+Wv7CBejYq48xfugRAv7wKXBBOGbkkNfu8WBvfRaAUH654dOQAN xUnytSeYkPV1RNOkwsbVMd7um6xcDrC1ViGLY143oC0PokjF6u9t5dBf6QCO+yrnE/b0 ymcKVtw5c6fkYuxFjw/4lMK67CgrCAdF2JX/D6UsWy2zjf9dT6yHqnI3Fo7Y33KkXJRZ ahJw== X-Gm-Message-State: AOAM530/o/E/FA6aQvPBzAvwckZ6bt9qcAmYZXmlNhMS+Kxsmmwtoyqo ik5GPXYR4VsOGBzbvYJDOV0/0KUH+tID0OR0BbHas47n X-Received: by 2002:a05:6402:17c1:b0:428:8016:d98d with SMTP id s1-20020a05640217c100b004288016d98dmr3602582edy.5.1652940672175; Wed, 18 May 2022 23:11:12 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Sandy Harris Date: Thu, 19 May 2022 14:10:59 +0800 Message-ID: Subject: Re: [RFC] random: use blake2b instead of blake2s? To: Linux Crypto Mailing List , "Jason A. Donenfeld" , "Ted Ts'o" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Sandy Harris wrote: > The original random.c used a 4k-bit input pool, ... > Blake comes in two variants, blake2s and blake2b; ... > > To me, it looks like switching to 2b would be an obvious improvement, > though not at all urgent. I'd actually go a bit further and have 2k bits of input pool, two blake2b contexts; probably make inputs alternate between them. It would also be possible to put each input into both pools. For output, have a flip-flop variable and alternate between the pools with some sequence like: : mix some extra entropy into pool : generate 512 bits output : mix that back into the other 2b context : 8-round chacha on output : mix output into chacha context Mixing output from one context into the other ties the two together so in effect we have a 2k-bit input pool. Chacha is designed to be non-invertible so the 8-round instance prevents a rather unlikely attack. Even if an enemy manages to get the chacha state & infer some of the rekeying inputs, they do not get direct access to blake output. They would need to repeatedly break chacha8 to get any data that might let them attack blake.