From: Paul Crowley <paulcrowley@google.com>
To: Jason@zx2c4.com
Cc: ebiggers@kernel.org, linux-crypto@vger.kernel.org,
	linux-fscrypt@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Greg Kaiser <gkaiser@google.com>,
	Michael Halcrow <mhalcrow@google.com>,
	samuel.c.p.neves@gmail.com, tomer.ashur@esat.kuleuven.be,
	Eric Biggers <ebiggers@google.com>,
	djb@cr.yp.to
Subject: Re: [RFC PATCH 3/9] crypto: chacha20-generic - refactor to allow varying number of rounds
Date: Mon, 6 Aug 2018 16:47:30 -0700
Message-ID: <CA+_SqcDghOP_pBvmer_4AGHoQcWHYHF1=NAmYBDSf=K08z5RWA@mail.gmail.com>
In-Reply-To: <CAHmME9rbe6eT6dkUqKnp-GxcqGrp-tvMfTMr8kZtsn=S3cmP8A@mail.gmail.com>


Salsa20 was one of the earlier ARX proposals, and set a very conservative
number of rounds as befits our state of knowledge at the time. Since then
we've learned a lot more about cryptanalysis of such offerings, and I think
we can be comfortable with fewer rounds. The best attack on ChaCha breaks 7
rounds, and that attack requires 2^248 operations. Every round of ChaCha
makes attacks vastly harder.

Performance is absolutely crucial when it comes to disk encryption; users
and vendors will push back hard against encryption that degrades the user
experience. So we're always going to choose the fastest option that gives
us a solid margin of security, and here that's ChaCha12.

I'd like to turn the question around. Why 20? DJB's 20 round proposal
predates his 12 round proposal, but I don't think that's a reason to choose
it when all cryptanalysis has considered reduced-round variants. The 20
round variant is more widely used, but again I think that's informative
more about the historical order of things than the security. If 20 is
better than 12, is 24 better than 20? What is it that draws you to 20
rounds specifically?

On Mon, 6 Aug 2018 at 16:16, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> Hey Eric,
>
> On Tue, Aug 7, 2018 at 12:35 AM Eric Biggers <ebiggers@kernel.org> wrote:
> > In preparation for adding XChaCha12 support, rename/refactor
> > chacha20-generic to support different numbers of rounds.
>
> I'm interested in learning the motivation behind going with ChaCha12.
> So far, the vast majority of users of ChaCha have been getting along
> quite fine with ChaCha20 and enjoying the very large security margin
> this provides. In some ways, introducing ChaCha12 into the ecosystem
> feels like a bit of a step backwards, even if it probably still
> provides adequate security (though ChaCha8 probably shouldn't be used
> or included at all). I realize the simple answer is just, "because
> it's faster." But I'm wondering specifically about the speed
> requirements and on what hardware and in what circumstances you found
> ChaCha20 was too slow, and if this is the kind of circumstance you
> expect to persist into the future.
>
> Jason


