From: Eric Biggers <ebiggers@kernel.org>
To: Samuel Neves <samuel.c.p.neves@gmail.com>
Cc: Paul Crowley <paulcrowley@google.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
linux-fscrypt@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
Greg Kaiser <gkaiser@google.com>,
Michael Halcrow <mhalcrow@google.com>,
tomer.ashur@esat.kuleuven.be, Eric Biggers <ebiggers@google.com>,
"D. J. Bernstein" <djb@cr.yp.to>
Subject: Re: [RFC PATCH 3/9] crypto: chacha20-generic - refactor to allow varying number of rounds
Date: Tue, 7 Aug 2018 17:15:24 -0700 [thread overview]
Message-ID: <20180808001524.GD25300@gmail.com> (raw)
In-Reply-To: <20180807215121.GB25300@gmail.com>
On Tue, Aug 07, 2018 at 02:51:21PM -0700, Eric Biggers wrote:
> On Tue, Aug 07, 2018 at 11:21:04AM +0100, Samuel Neves wrote:
> > > The best attack on ChaCha breaks 7 rounds, and that attack requires 2^248 operations.
> >
> > This number, as far as I can tell, comes from the "New features of
> > Latin dances" paper. There have been some minor improvements in the
> > intervening 10 years, e.g., [1, 2, 3, 4], which pull back the
> > complexity of breaking ChaCha7 down to 2^235. In any case, every
> > attack so far appears to hit a wall at 8 rounds, with 12 rounds---the
> > recommended eSTREAM round number for Salsa20---seeming to offer a
> > reasonable security margin, still somewhat better than that of the
> > AES.
> >
> > Best regards,
> > Samuel Neves
> >
> > [1] https://eprint.iacr.org/2015/698
> > [2] https://eprint.iacr.org/2015/217
> > [3] https://eprint.iacr.org/2016/1034
> > [4] https://doi.org/10.1016/j.dam.2017.04.034
>
> Thanks Samuel, I'll fix that number in the next iteration of the patchset.
>
Oops, sorry, for some reason I thought you had quoted one of my commit messages,
but it was actually Paul's email. I did mention in "crypto: chacha - add
XChaCha12 support" that "the best known attack on ChaCha makes it through only 7
rounds", but I didn't specify the complexity.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiggers@kernel.org (Eric Biggers)
To: linux-arm-kernel@lists.infradead.org
Subject: [RFC PATCH 3/9] crypto: chacha20-generic - refactor to allow varying number of rounds
Date: Tue, 7 Aug 2018 17:15:24 -0700 [thread overview]
Message-ID: <20180808001524.GD25300@gmail.com> (raw)
In-Reply-To: <20180807215121.GB25300@gmail.com>
On Tue, Aug 07, 2018 at 02:51:21PM -0700, Eric Biggers wrote:
> On Tue, Aug 07, 2018 at 11:21:04AM +0100, Samuel Neves wrote:
> > > The best attack on ChaCha breaks 7 rounds, and that attack requires 2^248 operations.
> >
> > This number, as far as I can tell, comes from the "New features of
> > Latin dances" paper. There have been some minor improvements in the
> > intervening 10 years, e.g., [1, 2, 3, 4], which pull back the
> > complexity of breaking ChaCha7 down to 2^235. In any case, every
> > attack so far appears to hit a wall at 8 rounds, with 12 rounds---the
> > recommended eSTREAM round number for Salsa20---seeming to offer a
> > reasonable security margin, still somewhat better than that of the
> > AES.
> >
> > Best regards,
> > Samuel Neves
> >
> > [1] https://eprint.iacr.org/2015/698
> > [2] https://eprint.iacr.org/2015/217
> > [3] https://eprint.iacr.org/2016/1034
> > [4] https://doi.org/10.1016/j.dam.2017.04.034
>
> Thanks Samuel, I'll fix that number in the next iteration of the patchset.
>
Oops, sorry, for some reason I thought you had quoted one of my commit messages,
but it was actually Paul's email. I did mention in "crypto: chacha - add
XChaCha12 support" that "the best known attack on ChaCha makes it through only 7
rounds", but I didn't specify the complexity.
- Eric
next prev parent reply other threads:[~2018-08-08 0:15 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-06 22:32 [RFC PATCH 0/9] crypto: HPolyC support Eric Biggers
2018-08-06 22:32 ` Eric Biggers
2018-08-06 22:32 ` Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 1/9] crypto: chacha20-generic - add HChaCha20 library function Eric Biggers
2018-08-06 22:32 ` Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 2/9] crypto: chacha20-generic - add XChaCha20 support Eric Biggers
2018-08-06 22:32 ` Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 3/9] crypto: chacha20-generic - refactor to allow varying number of rounds Eric Biggers
2018-08-06 22:32 ` Eric Biggers
2018-08-06 22:32 ` Eric Biggers
2018-08-06 23:16 ` Jason A. Donenfeld
2018-08-06 23:16 ` Jason A. Donenfeld
2018-08-06 23:47 ` Paul Crowley
2018-08-06 23:48 ` Paul Crowley
2018-08-06 23:48 ` Paul Crowley
2018-08-07 0:15 ` Jason A. Donenfeld
2018-08-07 0:15 ` Jason A. Donenfeld
2018-08-07 1:06 ` Paul Crowley
2018-08-07 1:06 ` Paul Crowley
2018-08-07 10:21 ` Samuel Neves
2018-08-07 10:21 ` Samuel Neves
2018-08-07 21:51 ` Eric Biggers
2018-08-07 21:51 ` Eric Biggers
2018-08-08 0:15 ` Eric Biggers [this message]
2018-08-08 0:15 ` Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 4/9] crypto: chacha - add XChaCha12 support Eric Biggers
2018-08-06 22:32 ` Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 5/9] crypto: arm/chacha20 - add XChaCha20 support Eric Biggers
2018-08-06 22:32 ` Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 6/9] crypto: arm/chacha20 - refactor to allow varying number of rounds Eric Biggers
2018-08-06 22:32 ` Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 7/9] crypto: arm/chacha - add XChaCha12 support Eric Biggers
2018-08-06 22:32 ` Eric Biggers
2018-08-06 22:32 ` [RFC PATCH 8/9] crypto: arm/poly1305 - add NEON accelerated Poly1305 implementation Eric Biggers
2018-08-06 22:32 ` Eric Biggers
2018-08-07 12:09 ` Ard Biesheuvel
2018-08-07 12:09 ` Ard Biesheuvel
2018-08-07 12:09 ` Ard Biesheuvel
2018-08-07 23:19 ` Eric Biggers
2018-08-07 23:19 ` Eric Biggers
2018-08-07 23:19 ` Eric Biggers
2018-08-22 10:00 ` Ard Biesheuvel
2018-08-22 10:00 ` Ard Biesheuvel
2018-08-22 10:00 ` Ard Biesheuvel
2018-08-06 22:33 ` [RFC PATCH 9/9] crypto: hpolyc - add support for the HPolyC encryption mode Eric Biggers
2018-08-06 22:33 ` Eric Biggers
2018-08-06 23:04 ` [PATCH] crypto: remove speck Jason A. Donenfeld
2018-08-06 23:04 ` Jason A. Donenfeld
2018-08-07 1:03 ` Jeffrey Walton
2018-08-07 1:03 ` Jeffrey Walton
2018-08-07 20:18 ` Eric Biggers
2018-08-07 20:18 ` Eric Biggers
2018-08-07 1:19 ` Eric Biggers
2018-08-07 1:19 ` Eric Biggers
2018-08-07 2:38 ` Jason A. Donenfeld
2018-08-07 2:38 ` Jason A. Donenfeld
2018-08-07 3:12 ` Eric Biggers
2018-08-07 3:12 ` Eric Biggers
2018-08-07 3:12 ` Eric Biggers
2018-08-07 3:15 ` Theodore Y. Ts'o
2018-08-07 3:15 ` Theodore Y. Ts'o
2018-08-07 3:15 ` Theodore Y. Ts'o
2018-08-07 12:51 ` Ard Biesheuvel
2018-08-07 12:51 ` Ard Biesheuvel
2018-08-07 12:51 ` Ard Biesheuvel
2018-08-07 6:22 ` [PATCH v2] crypto: remove Speck Jason A. Donenfeld
2018-08-07 6:22 ` Jason A. Donenfeld
2018-08-07 6:57 ` Ard Biesheuvel
2018-08-07 6:57 ` Ard Biesheuvel
2018-08-07 6:57 ` Ard Biesheuvel
2018-09-04 4:55 ` Herbert Xu
2018-09-04 4:55 ` Herbert Xu
2018-09-04 4:55 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180808001524.GD25300@gmail.com \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=djb@cr.yp.to \
--cc=ebiggers@google.com \
--cc=gkaiser@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mhalcrow@google.com \
--cc=paulcrowley@google.com \
--cc=samuel.c.p.neves@gmail.com \
--cc=tomer.ashur@esat.kuleuven.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.