From: Tomer Ashur
Subject: Re: [RFC PATCH v2 00/12] crypto: Adiantum support
Date: Mon, 22 Oct 2018 12:19:16 +0200
To: Paul Crowley, Jason@zx2c4.com
Cc: ebiggers@kernel.org, linux-crypto@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Herbert Xu, Greg Kaiser, Michael Halcrow, samuel.c.p.neves@gmail.com
Message-ID: <2395454e-a0dc-408f-4138-9d15ab5f20b8@esat.kuleuven.be>
References: <20181015175424.97147-1-ebiggers@kernel.org>

On 19-Oct-18 8:19 PM, Paul Crowley wrote:
I would prefer not to wait. Unlike a new primitive whose strength can
only be known through attempts at cryptanalysis, Adiantum is a
construction based on
well-understood and trusted primitives; it is secure if the proof
accompanying it is correct. Given that (outside competitions or
standardization efforts) no-one ever issues public statements that
they think algorithms or proofs are good, what I'm expecting from
academia is silence :) The most we could hope for would be getting the
paper accepted at a conference, and we're pursuing that but there's a
good chance that won't happen simply because it's not very novel. It
basically takes existing ideas and applies them using a stream cipher
instead of a block cipher, and a faster hashing mode; it's also a
small update from HPolyC. I've had some private feedback that the
proof seems correct, and that's all I'm expecting to get.
I tend to agree with Paul on this point. This is a place where academia needs to improve. An attempt to do so is the Real World Crypto conference (RWC; https://rwc.iacr.org/2019/), but the deadline for submissions was October 1st. For HPolyC I asked a few people to take a look at the construction and the consensus was that it seems secure but that the proof style makes it hard to verify. I haven't had the time yet to read the Adiantum paper (and I'm not a provable security person anyway) but I suppose Paul took the comments he received on this into account and that's the best we can hope for. Academia simply moves at a different pace and has different incentives.

Tomer