From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Eric Biggers <ebiggers@google.com>
Cc: Jeffrey Walton <noloader@gmail.com>,
Greg Kaiser <gkaiser@google.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Michael Halcrow <mhalcrow@google.com>,
tashur@esat.kuleuven.be, Patrik Torstensson <totte@google.com>,
Alex Cope <alexcope@google.com>,
Paul Lawrence <paullawrence@google.com>,
linux-fscrypt@vger.kernel.org,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-arm-kernel@lists.infradead.org,
Paul Crowley <paulcrowley@google.com>
Subject: Re: [PATCH v2 0/5] crypto: Speck support
Date: Tue, 24 Apr 2018 22:58:35 +0200 [thread overview]
Message-ID: <CAHmME9qG+nPmj5c7hU4+STUsmWmwSBsKe-0mOLEXH+hJ1z4z=g@mail.gmail.com> (raw)
In-Reply-To: <20180424181623.GA174675@google.com>
Hi Eric,
On Tue, Apr 24, 2018 at 8:16 PM, Eric Biggers <ebiggers@google.com> wrote:
> So, what do you propose replacing it with?
Something more cryptographically justifiable.
> outside crypto review, vs. the many cryptanalysis papers on Speck. (In that
> respect the controversy about Speck has actually become an advantage, as it has
> received much more cryptanalysis than other lightweight block ciphers.)
That's the thing that worries me, actually. Many of the design
decisions behind Speck haven't been justified.
> The reason we chose Speck had nothing to do with the proposed ISO standard or
> any sociopolitical factors, but rather because it was the only algorithm we
> could find that met the performance and security requirements.
> Note that Linux
> doesn't bow down to any particular standards organization, and it offers
> algorithms that were specified in various places, even some with no more than a
> publication by the author. In fact, support for SM4 was just added too, which
> is a Chinese government standard. Are you going to send a patch to remove that
> too, or is it just NSA designed algorithms that are not okay?
No need to be belittling; I have much less tinfoil strapped around my
head than perhaps you think. I'm not blindly opposed to
government-designed algorithms. Take SHA2, for example -- built by the
NSA.
But I do care quite a bit about using ciphers that have acceptance of
the academic community and a large body of literature documenting its
design decisions and analyzing it. Some of the best symmetric
cryptographers in academia have expressed reservations about it, and
it was just rejected from a major standard's body. Linux, of course,
is free to disagree -- or "bow down" as you oddly put it -- but I'd
make sure you've got a pretty large bucket of justifications for that
disagreement.
> (in fact, you'd
> probably have a different opinion of it if the authors had simply worked
> somewhere else and published the exact same algorithm);
Again, no need to patronize. I don't actually have a bias like that.
> But I hope you can understand that all *technical* indicators are that Speck is
> secure enough
That's the thing I'm worried about.
Jason
WARNING: multiple messages have this Message-ID (diff)
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Eric Biggers <ebiggers@google.com>
Cc: Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
linux-fscrypt@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Jeffrey Walton <noloader@gmail.com>,
Paul Crowley <paulcrowley@google.com>,
Patrik Torstensson <totte@google.com>,
Greg Kaiser <gkaiser@google.com>,
Paul Lawrence <paullawrence@google.com>,
Michael Halcrow <mhalcrow@google.com>,
Alex Cope <alexcope@google.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
tashur@esat.kuleuven.be
Subject: Re: [PATCH v2 0/5] crypto: Speck support
Date: Tue, 24 Apr 2018 22:58:35 +0200 [thread overview]
Message-ID: <CAHmME9qG+nPmj5c7hU4+STUsmWmwSBsKe-0mOLEXH+hJ1z4z=g@mail.gmail.com> (raw)
In-Reply-To: <20180424181623.GA174675@google.com>
Hi Eric,
On Tue, Apr 24, 2018 at 8:16 PM, Eric Biggers <ebiggers@google.com> wrote:
> So, what do you propose replacing it with?
Something more cryptographically justifiable.
> outside crypto review, vs. the many cryptanalysis papers on Speck. (In that
> respect the controversy about Speck has actually become an advantage, as it has
> received much more cryptanalysis than other lightweight block ciphers.)
That's the thing that worries me, actually. Many of the design
decisions behind Speck haven't been justified.
> The reason we chose Speck had nothing to do with the proposed ISO standard or
> any sociopolitical factors, but rather because it was the only algorithm we
> could find that met the performance and security requirements.
> Note that Linux
> doesn't bow down to any particular standards organization, and it offers
> algorithms that were specified in various places, even some with no more than a
> publication by the author. In fact, support for SM4 was just added too, which
> is a Chinese government standard. Are you going to send a patch to remove that
> too, or is it just NSA designed algorithms that are not okay?
No need to be belittling; I have much less tinfoil strapped around my
head than perhaps you think. I'm not blindly opposed to
government-designed algorithms. Take SHA2, for example -- built by the
NSA.
But I do care quite a bit about using ciphers that have acceptance of
the academic community and a large body of literature documenting its
design decisions and analyzing it. Some of the best symmetric
cryptographers in academia have expressed reservations about it, and
it was just rejected from a major standard's body. Linux, of course,
is free to disagree -- or "bow down" as you oddly put it -- but I'd
make sure you've got a pretty large bucket of justifications for that
disagreement.
> (in fact, you'd
> probably have a different opinion of it if the authors had simply worked
> somewhere else and published the exact same algorithm);
Again, no need to patronize. I don't actually have a bias like that.
> But I hope you can understand that all *technical* indicators are that Speck is
> secure enough
That's the thing I'm worried about.
Jason
WARNING: multiple messages have this Message-ID (diff)
From: Jason@zx2c4.com (Jason A. Donenfeld)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2 0/5] crypto: Speck support
Date: Tue, 24 Apr 2018 22:58:35 +0200 [thread overview]
Message-ID: <CAHmME9qG+nPmj5c7hU4+STUsmWmwSBsKe-0mOLEXH+hJ1z4z=g@mail.gmail.com> (raw)
In-Reply-To: <20180424181623.GA174675@google.com>
Hi Eric,
On Tue, Apr 24, 2018 at 8:16 PM, Eric Biggers <ebiggers@google.com> wrote:
> So, what do you propose replacing it with?
Something more cryptographically justifiable.
> outside crypto review, vs. the many cryptanalysis papers on Speck. (In that
> respect the controversy about Speck has actually become an advantage, as it has
> received much more cryptanalysis than other lightweight block ciphers.)
That's the thing that worries me, actually. Many of the design
decisions behind Speck haven't been justified.
> The reason we chose Speck had nothing to do with the proposed ISO standard or
> any sociopolitical factors, but rather because it was the only algorithm we
> could find that met the performance and security requirements.
> Note that Linux
> doesn't bow down to any particular standards organization, and it offers
> algorithms that were specified in various places, even some with no more than a
> publication by the author. In fact, support for SM4 was just added too, which
> is a Chinese government standard. Are you going to send a patch to remove that
> too, or is it just NSA designed algorithms that are not okay?
No need to be belittling; I have much less tinfoil strapped around my
head than perhaps you think. I'm not blindly opposed to
government-designed algorithms. Take SHA2, for example -- built by the
NSA.
But I do care quite a bit about using ciphers that have acceptance of
the academic community and a large body of literature documenting its
design decisions and analyzing it. Some of the best symmetric
cryptographers in academia have expressed reservations about it, and
it was just rejected from a major standard's body. Linux, of course,
is free to disagree -- or "bow down" as you oddly put it -- but I'd
make sure you've got a pretty large bucket of justifications for that
disagreement.
> (in fact, you'd
> probably have a different opinion of it if the authors had simply worked
> somewhere else and published the exact same algorithm);
Again, no need to patronize. I don't actually have a bias like that.
> But I hope you can understand that all *technical* indicators are that Speck is
> secure enough
That's the thing I'm worried about.
Jason
next prev parent reply other threads:[~2018-04-24 20:58 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-12 23:52 [PATCH v2 0/5] crypto: Speck support Eric Biggers
2018-02-12 23:52 ` Eric Biggers
2018-02-12 23:52 ` [PATCH v2 1/5] crypto: add support for the Speck block cipher Eric Biggers
2018-02-12 23:52 ` Eric Biggers
2018-02-12 23:52 ` [PATCH v2 2/5] crypto: speck - export common helpers Eric Biggers
2018-02-12 23:52 ` Eric Biggers
2018-02-12 23:52 ` [PATCH v2 3/5] crypto: arm/speck - add NEON-accelerated implementation of Speck-XTS Eric Biggers
2018-02-12 23:52 ` Eric Biggers
2018-02-13 11:34 ` Ard Biesheuvel
2018-02-13 11:34 ` Ard Biesheuvel
2018-02-13 18:57 ` Eric Biggers
2018-02-13 18:57 ` Eric Biggers
2018-02-13 19:04 ` Ard Biesheuvel
2018-02-13 19:04 ` Ard Biesheuvel
2018-02-13 19:04 ` Ard Biesheuvel
2018-02-12 23:52 ` [PATCH v2 4/5] crypto: speck - add test vectors for Speck128-XTS Eric Biggers
2018-02-12 23:52 ` Eric Biggers
2018-02-12 23:52 ` [PATCH v2 5/5] crypto: speck - add test vectors for Speck64-XTS Eric Biggers
2018-02-12 23:52 ` Eric Biggers
2018-04-24 16:11 ` [PATCH v2 0/5] crypto: Speck support Jason A. Donenfeld
2018-04-24 16:11 ` Jason A. Donenfeld
2018-04-24 16:11 ` Jason A. Donenfeld
2018-04-24 18:16 ` Eric Biggers
2018-04-24 18:16 ` Eric Biggers
2018-04-24 18:16 ` Eric Biggers
2018-04-24 20:58 ` Jason A. Donenfeld [this message]
2018-04-24 20:58 ` Jason A. Donenfeld
2018-04-24 20:58 ` Jason A. Donenfeld
2018-04-24 21:58 ` Paul Crowley
2018-04-24 21:58 ` Paul Crowley
2018-04-24 21:58 ` Paul Crowley
2018-04-24 22:47 ` Eric Biggers
2018-04-24 22:47 ` Eric Biggers
2018-04-24 22:47 ` Eric Biggers
2018-04-25 14:33 ` Samuel Neves
2018-04-25 14:33 ` Samuel Neves
2018-04-25 14:33 ` Samuel Neves
2018-04-25 19:49 ` Eric Biggers
2018-04-25 19:49 ` Eric Biggers
2018-04-25 19:49 ` Eric Biggers
2018-04-26 2:05 ` Samuel Neves
2018-04-26 2:05 ` Samuel Neves
2018-04-26 2:05 ` Samuel Neves
2018-04-26 16:30 ` Paul Crowley
2018-04-26 16:30 ` Paul Crowley
2018-04-26 16:30 ` Paul Crowley
2018-05-07 23:20 ` Eric Biggers
2018-05-07 23:20 ` Eric Biggers
2018-05-07 23:20 ` Eric Biggers
2018-04-25 5:30 ` Theodore Y. Ts'o
2018-04-24 22:43 ` Jeffrey Walton
2018-04-24 22:43 ` Jeffrey Walton
2018-04-24 22:43 ` Jeffrey Walton
[not found] <8c9dc804-1f59-a245-57ba-51db3c234621@esat.kuleuven.be>
2018-06-01 19:23 ` Tomer Ashur
2018-06-01 19:23 ` Tomer Ashur
2018-06-01 19:23 ` Tomer Ashur
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHmME9qG+nPmj5c7hU4+STUsmWmwSBsKe-0mOLEXH+hJ1z4z=g@mail.gmail.com' \
--to=jason@zx2c4.com \
--cc=alexcope@google.com \
--cc=ard.biesheuvel@linaro.org \
--cc=ebiggers@google.com \
--cc=gkaiser@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=mhalcrow@google.com \
--cc=noloader@gmail.com \
--cc=paulcrowley@google.com \
--cc=paullawrence@google.com \
--cc=tashur@esat.kuleuven.be \
--cc=totte@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.