From: Eric Biggers <ebiggers@google.com> To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au> Cc: linux-fscrypt@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Ard Biesheuvel <ard.biesheuvel@linaro.org>, Paul Crowley <paulcrowley@google.com>, Patrik Torstensson <totte@google.com>, Paul Lawrence <paullawrence@google.com>, Michael Halcrow <mhalcrow@google.com>, Alex Cope <alexcope@google.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Eric Biggers <ebiggers@google.com> Subject: [PATCH 0/5] crypto: Speck support Date: Wed, 7 Feb 2018 16:09:56 -0800 [thread overview] Message-ID: <20180208001001.19180-1-ebiggers@google.com> (raw) Hello, This series adds Speck support to the crypto API, including the Speck128 and Speck64 variants. Speck is a lightweight block cipher that can be much faster than AES on processors that don't have AES instructions. We are planning to offer Speck-XTS (probably Speck128/256-XTS) as an option for dm-crypt and fscrypt on Android, for low-end mobile devices with older CPUs such as ARMv7 which don't have the Cryptography Extensions. Currently, such devices are unencrypted because AES is not fast enough, even when the NEON bit-sliced implementation of AES is used. Other AES alternatives such as Blowfish, Twofish, Camellia, Cast6, and Serpent aren't fast enough either; it seems that only a modern ARX cipher can provide sufficient performance on these devices. This is a replacement for our original proposal (https://patchwork.kernel.org/patch/10101451/) which was to offer ChaCha20 for these devices. However, the use of a stream cipher for disk/file encryption with no space to store nonces would have been much more insecure than we thought initially, given that it would be used on top of flash storage as well as potentially on top of F2FS, neither of which is guaranteed to overwrite data in-place. Speck has been somewhat controversial due to its origin. Nevertheless, it has a straightforward design (it's an ARX cipher), and it appears to be the leading software-optimized lightweight block cipher currently, with the most cryptanalysis. It's also easy to implement without side channels, unlike AES. Moreover, we only intend Speck to be used when the status quo is no encryption, due to AES not being fast enough. We've also considered a novel length-preserving encryption mode based on ChaCha20 and Poly1305. While theoretically attractive, such a mode would be a brand new crypto construction and would be more complicated and difficult to implement efficiently in comparison to Speck-XTS. Thus, patch 1 adds a generic implementation of Speck, and the following patches add a 32-bit ARM NEON implementation of Speck-XTS. The NEON-accelerated implementation is much faster than the generic implementation and therefore is the implementation that would primarily be used in practice on the devices we are targeting. There is no AArch64 implementation added, since such CPUs are likely to have the Cryptography Extensions, allowing the use of AES. Eric Biggers (5): crypto: add support for the Speck block cipher crypto: speck - export common helpers crypto: arm/speck: add NEON-accelerated implementation of Speck-XTS crypto: speck - add test vectors for Speck128-XTS crypto: speck - add test vectors for Speck64-XTS arch/arm/crypto/Kconfig | 6 + arch/arm/crypto/Makefile | 2 + arch/arm/crypto/speck-neon-core.S | 431 +++++++++++ arch/arm/crypto/speck-neon-glue.c | 290 ++++++++ crypto/Kconfig | 14 + crypto/Makefile | 1 + crypto/speck.c | 302 ++++++++ crypto/testmgr.c | 36 + crypto/testmgr.h | 1478 +++++++++++++++++++++++++++++++++++++ include/crypto/speck.h | 62 ++ 10 files changed, 2622 insertions(+) create mode 100644 arch/arm/crypto/speck-neon-core.S create mode 100644 arch/arm/crypto/speck-neon-glue.c create mode 100644 crypto/speck.c create mode 100644 include/crypto/speck.h -- 2.16.0.rc1.238.g530d649a79-goog
WARNING: multiple messages have this Message-ID (diff)
From: ebiggers@google.com (Eric Biggers) To: linux-arm-kernel@lists.infradead.org Subject: [PATCH 0/5] crypto: Speck support Date: Wed, 7 Feb 2018 16:09:56 -0800 [thread overview] Message-ID: <20180208001001.19180-1-ebiggers@google.com> (raw) Hello, This series adds Speck support to the crypto API, including the Speck128 and Speck64 variants. Speck is a lightweight block cipher that can be much faster than AES on processors that don't have AES instructions. We are planning to offer Speck-XTS (probably Speck128/256-XTS) as an option for dm-crypt and fscrypt on Android, for low-end mobile devices with older CPUs such as ARMv7 which don't have the Cryptography Extensions. Currently, such devices are unencrypted because AES is not fast enough, even when the NEON bit-sliced implementation of AES is used. Other AES alternatives such as Blowfish, Twofish, Camellia, Cast6, and Serpent aren't fast enough either; it seems that only a modern ARX cipher can provide sufficient performance on these devices. This is a replacement for our original proposal (https://patchwork.kernel.org/patch/10101451/) which was to offer ChaCha20 for these devices. However, the use of a stream cipher for disk/file encryption with no space to store nonces would have been much more insecure than we thought initially, given that it would be used on top of flash storage as well as potentially on top of F2FS, neither of which is guaranteed to overwrite data in-place. Speck has been somewhat controversial due to its origin. Nevertheless, it has a straightforward design (it's an ARX cipher), and it appears to be the leading software-optimized lightweight block cipher currently, with the most cryptanalysis. It's also easy to implement without side channels, unlike AES. Moreover, we only intend Speck to be used when the status quo is no encryption, due to AES not being fast enough. We've also considered a novel length-preserving encryption mode based on ChaCha20 and Poly1305. While theoretically attractive, such a mode would be a brand new crypto construction and would be more complicated and difficult to implement efficiently in comparison to Speck-XTS. Thus, patch 1 adds a generic implementation of Speck, and the following patches add a 32-bit ARM NEON implementation of Speck-XTS. The NEON-accelerated implementation is much faster than the generic implementation and therefore is the implementation that would primarily be used in practice on the devices we are targeting. There is no AArch64 implementation added, since such CPUs are likely to have the Cryptography Extensions, allowing the use of AES. Eric Biggers (5): crypto: add support for the Speck block cipher crypto: speck - export common helpers crypto: arm/speck: add NEON-accelerated implementation of Speck-XTS crypto: speck - add test vectors for Speck128-XTS crypto: speck - add test vectors for Speck64-XTS arch/arm/crypto/Kconfig | 6 + arch/arm/crypto/Makefile | 2 + arch/arm/crypto/speck-neon-core.S | 431 +++++++++++ arch/arm/crypto/speck-neon-glue.c | 290 ++++++++ crypto/Kconfig | 14 + crypto/Makefile | 1 + crypto/speck.c | 302 ++++++++ crypto/testmgr.c | 36 + crypto/testmgr.h | 1478 +++++++++++++++++++++++++++++++++++++ include/crypto/speck.h | 62 ++ 10 files changed, 2622 insertions(+) create mode 100644 arch/arm/crypto/speck-neon-core.S create mode 100644 arch/arm/crypto/speck-neon-glue.c create mode 100644 crypto/speck.c create mode 100644 include/crypto/speck.h -- 2.16.0.rc1.238.g530d649a79-goog
next reply other threads:[~2018-02-08 0:10 UTC|newest] Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-02-08 0:09 Eric Biggers [this message] 2018-02-08 0:09 ` [PATCH 0/5] crypto: Speck support Eric Biggers 2018-02-08 0:09 ` [PATCH 1/5] crypto: add support for the Speck block cipher Eric Biggers 2018-02-08 0:09 ` Eric Biggers 2018-02-08 0:09 ` [PATCH 2/5] crypto: speck - export common helpers Eric Biggers 2018-02-08 0:09 ` Eric Biggers 2018-02-08 0:09 ` [PATCH 3/5] crypto: arm/speck: add NEON-accelerated implementation of Speck-XTS Eric Biggers 2018-02-08 0:09 ` Eric Biggers 2018-02-08 0:10 ` [PATCH 4/5] crypto: speck - add test vectors for Speck128-XTS Eric Biggers 2018-02-08 0:10 ` Eric Biggers 2018-02-08 0:10 ` [PATCH 5/5] crypto: speck - add test vectors for Speck64-XTS Eric Biggers 2018-02-08 0:10 ` Eric Biggers 2018-02-08 1:47 ` [PATCH 0/5] crypto: Speck support Jeffrey Walton 2018-02-08 1:47 ` Jeffrey Walton 2018-02-08 21:01 ` Eric Biggers 2018-02-08 21:01 ` Eric Biggers 2018-02-08 21:01 ` Eric Biggers 2018-02-10 0:07 ` Jeffrey Walton 2018-02-10 0:07 ` Jeffrey Walton 2018-02-12 19:19 ` Eric Biggers 2018-02-12 19:19 ` Eric Biggers 2018-02-12 19:57 ` Jeffrey Walton 2018-02-12 19:57 ` Jeffrey Walton 2018-02-12 20:18 ` Eric Biggers 2018-02-12 20:18 ` Eric Biggers
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20180208001001.19180-1-ebiggers@google.com \ --to=ebiggers@google.com \ --cc=alexcope@google.com \ --cc=ard.biesheuvel@linaro.org \ --cc=gregkh@linuxfoundation.org \ --cc=herbert@gondor.apana.org.au \ --cc=linux-arm-kernel@lists.infradead.org \ --cc=linux-crypto@vger.kernel.org \ --cc=linux-fscrypt@vger.kernel.org \ --cc=mhalcrow@google.com \ --cc=paulcrowley@google.com \ --cc=paullawrence@google.com \ --cc=totte@google.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.