From: "Jason A. Donenfeld" <Jason@zx2c4.com> To: Hannes Frederic Sowa <hannes@stressinduktion.org> Cc: Andy Lutomirski <luto@amacapital.net>, Netdev <netdev@vger.kernel.org>, "kernel-hardening@lists.openwall.com" <kernel-hardening@lists.openwall.com>, LKML <linux-kernel@vger.kernel.org>, Linux Crypto Mailing List <linux-crypto@vger.kernel.org>, David Laight <David.Laight@aculab.com>, Ted Tso <tytso@mit.edu>, Eric Dumazet <edumazet@google.com>, Linus Torvalds <torvalds@linux-foundation.org>, Eric Biggers <ebiggers3@gmail.com>, Tom Herbert <tom@herbertland.com>, Andi Kleen <ak@linux.intel.com>, "David S. Miller" <davem@davemloft.net>, Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> Subject: Re: [PATCH v7 3/6] random: use SipHash in place of MD5 Date: Thu, 22 Dec 2016 03:49:39 +0100 [thread overview] Message-ID: <CAHmME9phg=GuhEUaMxxv_=RexffPDqrOEhmaKffy_ZSt7bfC7g@mail.gmail.com> (raw) In-Reply-To: <17bd0c70-d2c1-165b-f5b2-252dfca404e8@stressinduktion.org> Hi Andy & Hannes, On Thu, Dec 22, 2016 at 3:07 AM, Hannes Frederic Sowa <hannes@stressinduktion.org> wrote: > I wonder if Ted's proposal was analyzed further in terms of performance > if get_random_int should provide cprng alike properties? > > For reference: https://lkml.org/lkml/2016/12/14/351 > > The proposal made sense to me and would completely solve the above > mentioned problem on the cost of repeatedly reseeding from the crng. On Thu, Dec 22, 2016 at 3:09 AM, Andy Lutomirski <luto@amacapital.net> wrote: > Unless I've misunderstood it, Ted's proposal causes get_random_int() > to return bytes straight from urandom (effectively), which should make > it very strong. And if urandom is competitively fast now, I don't see > the problem. ChaCha20 is designed for speed, after all. Funny -- while you guys were sending this back & forth, I was writing my reply to Andy which essentially arrives at the same conclusion. Given that we're all arriving to the same thing, and that Ted shot in this direction long before we all did, I'm leaning toward abandoning SipHash for the de-MD5-ification of get_random_int/long, and working on polishing Ted's idea into something shiny for this patchset. I did have two objections to this. The first was that my SipHash construction is faster. But in any case, they're both faster than the current MD5, so it's just extra rice. The second, and the more important one, was that batching entropy up like this means that 32 calls will be really fast, and then the 33rd will be slow, since it has to do a whole ChaCha round, because get_random_bytes must be called to refill the batch. Since get_random_long is called for every process startup, I didn't really like there being inconsistent performance on process startup. And I'm pretty sure that one ChaCha whole block is slower than computing MD5, even though it lasts 32 times as long, though I need to measure this. But maybe that's dumb in the end? Are these concerns that should point us toward the determinism (and speed) of SipHash? Are these concerns that don't matter and so we should roll with the simplicity of reusing ChaCha? Jason
WARNING: multiple messages have this Message-ID (diff)
From: "Jason A. Donenfeld" <Jason@zx2c4.com> To: Hannes Frederic Sowa <hannes@stressinduktion.org> Cc: Andy Lutomirski <luto@amacapital.net>, Netdev <netdev@vger.kernel.org>, "kernel-hardening@lists.openwall.com" <kernel-hardening@lists.openwall.com>, LKML <linux-kernel@vger.kernel.org>, Linux Crypto Mailing List <linux-crypto@vger.kernel.org>, David Laight <David.Laight@aculab.com>, Ted Tso <tytso@mit.edu>, Eric Dumazet <edumazet@google.com>, Linus Torvalds <torvalds@linux-foundation.org>, Eric Biggers <ebiggers3@gmail.com>, Tom Herbert <tom@herbertland.com>, Andi Kleen <ak@linux.intel.com>, "David S. Miller" <davem@davemloft.net>, Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> Subject: [kernel-hardening] Re: [PATCH v7 3/6] random: use SipHash in place of MD5 Date: Thu, 22 Dec 2016 03:49:39 +0100 [thread overview] Message-ID: <CAHmME9phg=GuhEUaMxxv_=RexffPDqrOEhmaKffy_ZSt7bfC7g@mail.gmail.com> (raw) In-Reply-To: <17bd0c70-d2c1-165b-f5b2-252dfca404e8@stressinduktion.org> Hi Andy & Hannes, On Thu, Dec 22, 2016 at 3:07 AM, Hannes Frederic Sowa <hannes@stressinduktion.org> wrote: > I wonder if Ted's proposal was analyzed further in terms of performance > if get_random_int should provide cprng alike properties? > > For reference: https://lkml.org/lkml/2016/12/14/351 > > The proposal made sense to me and would completely solve the above > mentioned problem on the cost of repeatedly reseeding from the crng. On Thu, Dec 22, 2016 at 3:09 AM, Andy Lutomirski <luto@amacapital.net> wrote: > Unless I've misunderstood it, Ted's proposal causes get_random_int() > to return bytes straight from urandom (effectively), which should make > it very strong. And if urandom is competitively fast now, I don't see > the problem. ChaCha20 is designed for speed, after all. Funny -- while you guys were sending this back & forth, I was writing my reply to Andy which essentially arrives at the same conclusion. Given that we're all arriving to the same thing, and that Ted shot in this direction long before we all did, I'm leaning toward abandoning SipHash for the de-MD5-ification of get_random_int/long, and working on polishing Ted's idea into something shiny for this patchset. I did have two objections to this. The first was that my SipHash construction is faster. But in any case, they're both faster than the current MD5, so it's just extra rice. The second, and the more important one, was that batching entropy up like this means that 32 calls will be really fast, and then the 33rd will be slow, since it has to do a whole ChaCha round, because get_random_bytes must be called to refill the batch. Since get_random_long is called for every process startup, I didn't really like there being inconsistent performance on process startup. And I'm pretty sure that one ChaCha whole block is slower than computing MD5, even though it lasts 32 times as long, though I need to measure this. But maybe that's dumb in the end? Are these concerns that should point us toward the determinism (and speed) of SipHash? Are these concerns that don't matter and so we should roll with the simplicity of reusing ChaCha? Jason
next prev parent reply other threads:[~2016-12-22 2:49 UTC|newest] Thread overview: 179+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-12-15 20:29 [PATCH v5 0/4] The SipHash Patchset Jason A. Donenfeld 2016-12-15 20:29 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-15 20:30 ` [PATCH v5 1/4] siphash: add cryptographically secure PRF Jason A. Donenfeld 2016-12-15 20:30 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-15 22:42 ` George Spelvin 2016-12-15 22:42 ` [kernel-hardening] " George Spelvin 2016-12-15 23:00 ` Jean-Philippe Aumasson 2016-12-15 23:00 ` [kernel-hardening] " Jean-Philippe Aumasson 2016-12-15 23:28 ` George Spelvin 2016-12-15 23:28 ` [kernel-hardening] " George Spelvin 2016-12-16 17:06 ` David Laight 2016-12-16 17:06 ` [kernel-hardening] " David Laight 2016-12-16 17:06 ` David Laight 2016-12-16 17:09 ` Jason A. Donenfeld 2016-12-16 17:09 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 17:09 ` Jason A. Donenfeld 2016-12-16 3:46 ` George Spelvin 2016-12-16 3:46 ` [kernel-hardening] " George Spelvin 2016-12-16 8:08 ` Jean-Philippe Aumasson 2016-12-16 8:08 ` [kernel-hardening] " Jean-Philippe Aumasson 2016-12-16 12:39 ` Jason A. Donenfeld 2016-12-16 12:39 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 13:22 ` Jean-Philippe Aumasson 2016-12-16 13:22 ` [kernel-hardening] " Jean-Philippe Aumasson 2016-12-16 15:51 ` Jason A. Donenfeld 2016-12-16 15:51 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 17:36 ` George Spelvin 2016-12-16 17:36 ` [kernel-hardening] " George Spelvin 2016-12-16 18:00 ` Jason A. Donenfeld 2016-12-16 18:00 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 20:17 ` George Spelvin 2016-12-16 20:17 ` [kernel-hardening] " George Spelvin 2016-12-16 20:43 ` Theodore Ts'o 2016-12-16 20:43 ` [kernel-hardening] " Theodore Ts'o 2016-12-16 22:13 ` George Spelvin 2016-12-16 22:13 ` [kernel-hardening] " George Spelvin 2016-12-16 22:15 ` Andy Lutomirski 2016-12-16 22:15 ` [kernel-hardening] " Andy Lutomirski 2016-12-16 22:15 ` Andy Lutomirski 2016-12-16 22:18 ` Jason A. Donenfeld 2016-12-16 22:18 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 23:44 ` George Spelvin 2016-12-16 23:44 ` [kernel-hardening] " George Spelvin 2016-12-17 1:39 ` Jason A. Donenfeld 2016-12-17 1:39 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-17 2:15 ` George Spelvin 2016-12-17 2:15 ` [kernel-hardening] " George Spelvin 2016-12-17 15:41 ` Theodore Ts'o 2016-12-17 15:41 ` [kernel-hardening] " Theodore Ts'o 2016-12-17 16:14 ` Jeffrey Walton 2016-12-17 16:14 ` [kernel-hardening] " Jeffrey Walton 2016-12-19 17:21 ` Jason A. Donenfeld 2016-12-17 12:42 ` George Spelvin 2016-12-17 12:42 ` [kernel-hardening] " George Spelvin 2016-12-16 20:39 ` Jason A. Donenfeld 2016-12-16 20:39 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 19:47 ` Tom Herbert 2016-12-16 19:47 ` [kernel-hardening] " Tom Herbert 2016-12-16 20:41 ` George Spelvin 2016-12-16 20:41 ` [kernel-hardening] " George Spelvin 2016-12-16 20:57 ` Tom Herbert 2016-12-16 20:57 ` [kernel-hardening] " Tom Herbert 2016-12-16 20:44 ` Daniel Micay 2016-12-16 20:44 ` [kernel-hardening] " Daniel Micay 2016-12-16 21:09 ` Jason A. Donenfeld 2016-12-17 15:21 ` George Spelvin 2016-12-17 15:21 ` [kernel-hardening] " George Spelvin 2016-12-19 14:14 ` David Laight 2016-12-19 14:14 ` [kernel-hardening] " David Laight 2016-12-19 14:14 ` David Laight 2016-12-19 18:10 ` George Spelvin 2016-12-19 18:10 ` [kernel-hardening] " George Spelvin 2016-12-19 20:18 ` Jean-Philippe Aumasson 2016-12-19 20:18 ` [kernel-hardening] " Jean-Philippe Aumasson 2016-12-16 2:14 ` kbuild test robot 2016-12-16 2:14 ` [kernel-hardening] " kbuild test robot 2016-12-17 14:55 ` Jeffrey Walton 2016-12-17 14:55 ` [kernel-hardening] " Jeffrey Walton 2016-12-19 17:08 ` Jason A. Donenfeld 2016-12-19 17:08 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-19 17:19 ` Jean-Philippe Aumasson 2016-12-19 17:19 ` [kernel-hardening] " Jean-Philippe Aumasson 2016-12-15 20:30 ` [PATCH v5 2/4] siphash: add Nu{32,64} helpers Jason A. Donenfeld 2016-12-15 20:30 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 10:39 ` David Laight 2016-12-16 10:39 ` [kernel-hardening] " David Laight 2016-12-16 10:39 ` David Laight 2016-12-16 15:44 ` George Spelvin 2016-12-16 15:44 ` [kernel-hardening] " George Spelvin 2016-12-15 20:30 ` [PATCH v5 3/4] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld 2016-12-15 20:30 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 9:59 ` David Laight 2016-12-16 9:59 ` [kernel-hardening] " David Laight 2016-12-16 9:59 ` David Laight 2016-12-16 15:57 ` Jason A. Donenfeld 2016-12-16 15:57 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 15:57 ` Jason A. Donenfeld 2016-12-15 20:30 ` [PATCH v5 4/4] random: " Jason A. Donenfeld 2016-12-15 20:30 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 3:03 ` [PATCH v6 0/5] The SipHash Patchset Jason A. Donenfeld 2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 3:03 ` [PATCH v6 1/5] siphash: add cryptographically secure PRF Jason A. Donenfeld 2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 3:03 ` [PATCH v6 2/5] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld 2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 3:03 ` [PATCH v6 3/5] random: " Jason A. Donenfeld 2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 21:31 ` Andy Lutomirski 2016-12-16 21:31 ` [kernel-hardening] " Andy Lutomirski 2016-12-16 21:31 ` Andy Lutomirski 2016-12-16 3:03 ` [PATCH v6 4/5] md5: remove from lib and only live in crypto Jason A. Donenfeld 2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 3:03 ` [PATCH v6 5/5] syncookies: use SipHash in place of SHA1 Jason A. Donenfeld 2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-21 23:02 ` [PATCH v7 0/6] The SipHash Patchset Jason A. Donenfeld 2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-21 23:02 ` [PATCH v7 1/6] siphash: add cryptographically secure PRF Jason A. Donenfeld 2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-22 1:40 ` Stephen Hemminger 2016-12-22 1:40 ` [kernel-hardening] " Stephen Hemminger 2016-12-21 23:02 ` [PATCH v7 2/6] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld 2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-21 23:02 ` [PATCH v7 3/6] random: " Jason A. Donenfeld 2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-21 23:13 ` Jason A. Donenfeld 2016-12-21 23:13 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-21 23:42 ` Andy Lutomirski 2016-12-21 23:42 ` [kernel-hardening] " Andy Lutomirski 2016-12-21 23:42 ` Andy Lutomirski 2016-12-22 2:07 ` Hannes Frederic Sowa 2016-12-22 2:07 ` [kernel-hardening] " Hannes Frederic Sowa 2016-12-22 2:07 ` Hannes Frederic Sowa 2016-12-22 2:09 ` Andy Lutomirski 2016-12-22 2:09 ` [kernel-hardening] " Andy Lutomirski 2016-12-22 2:09 ` Andy Lutomirski 2016-12-22 2:49 ` Jason A. Donenfeld [this message] 2016-12-22 2:49 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-22 2:49 ` Jason A. Donenfeld 2016-12-22 3:12 ` Jason A. Donenfeld 2016-12-22 3:12 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-22 3:12 ` Jason A. Donenfeld 2016-12-22 5:41 ` Theodore Ts'o 2016-12-22 5:41 ` [kernel-hardening] " Theodore Ts'o 2016-12-22 6:03 ` Jason A. Donenfeld 2016-12-22 15:58 ` Theodore Ts'o 2016-12-22 15:58 ` [kernel-hardening] " Theodore Ts'o 2016-12-22 16:16 ` Jason A. Donenfeld 2016-12-22 16:16 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-22 16:30 ` Theodore Ts'o 2016-12-22 16:36 ` Jason A. Donenfeld 2016-12-22 12:47 ` Hannes Frederic Sowa 2016-12-22 12:47 ` [kernel-hardening] " Hannes Frederic Sowa 2016-12-22 13:10 ` Jason A. Donenfeld 2016-12-22 15:05 ` Hannes Frederic Sowa 2016-12-22 15:12 ` Jason A. Donenfeld 2016-12-22 15:29 ` Jason A. Donenfeld 2016-12-22 15:33 ` Hannes Frederic Sowa 2016-12-22 15:33 ` [kernel-hardening] " Hannes Frederic Sowa 2016-12-22 15:41 ` Jason A. Donenfeld 2016-12-22 15:51 ` Hannes Frederic Sowa 2016-12-22 15:51 ` [kernel-hardening] " Hannes Frederic Sowa 2016-12-22 15:53 ` Jason A. Donenfeld 2016-12-22 15:54 ` Theodore Ts'o 2016-12-22 15:54 ` [kernel-hardening] " Theodore Ts'o 2016-12-22 18:08 ` Hannes Frederic Sowa 2016-12-22 18:13 ` Jason A. Donenfeld 2016-12-22 18:13 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-22 19:50 ` Theodore Ts'o 2016-12-22 2:31 ` Jason A. Donenfeld 2016-12-22 2:31 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-22 2:31 ` Jason A. Donenfeld 2016-12-21 23:02 ` [PATCH v7 4/6] md5: remove from lib and only live in crypto Jason A. Donenfeld 2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-21 23:02 ` [PATCH v7 5/6] syncookies: use SipHash in place of SHA1 Jason A. Donenfeld 2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-21 23:02 ` [PATCH v7 6/6] siphash: implement HalfSipHash1-3 for hash tables Jason A. Donenfeld 2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-22 0:46 ` Andi Kleen 2016-12-22 0:46 ` [kernel-hardening] " Andi Kleen
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CAHmME9phg=GuhEUaMxxv_=RexffPDqrOEhmaKffy_ZSt7bfC7g@mail.gmail.com' \ --to=jason@zx2c4.com \ --cc=David.Laight@aculab.com \ --cc=ak@linux.intel.com \ --cc=davem@davemloft.net \ --cc=ebiggers3@gmail.com \ --cc=edumazet@google.com \ --cc=hannes@stressinduktion.org \ --cc=jeanphilippe.aumasson@gmail.com \ --cc=kernel-hardening@lists.openwall.com \ --cc=linux-crypto@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=luto@amacapital.net \ --cc=netdev@vger.kernel.org \ --cc=tom@herbertland.com \ --cc=torvalds@linux-foundation.org \ --cc=tytso@mit.edu \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.