Date: Fri, 16 Dec 2016 22:15:23 +0100 From: Hannes Frederic Sowa <hannes@...essinduktion.org> To: "Jason A. Donenfeld" <Jason@...c4.com>, kernel-hardening@...ts.openwall.com, "Theodore Ts'o" <tytso@....edu>, George Spelvin <linux@...encehorizons.net>, Andi Kleen <ak@...ux.intel.com>, David Miller <davem@...emloft.net>, David Laight <David.Laight@...lab.com>, "Daniel J . Bernstein" <djb@...yp.to>, Eric Biggers <ebiggers3@...il.com>, "Jean-Philippe Aumasson" <jeanphilippe.aumasson@...il.com>, Linux Crypto Mailing List <linux-crypto@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, Andy Lutomirski <luto@...capital.net>, Netdev <netdev@...r.kernel.org>, Tom Herbert <tom@...bertland.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Vegard Nossum <vegard.nossum@...il.com> Subject: Re: Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF On Fri, Dec 16, 2016, at 22:01, Jason A. Donenfeld wrote: > Yes, on x86-64. But on i386 chacha20 incurs nearly the same kind of > slowdown as siphash, so I expect the comparison to be more or less > equal. There's another thing I really didn't like about your chacha20 > approach which is that it uses the /dev/urandom pool, which means > various things need to kick in in the background to refill this. > Additionally, having to refill the buffered chacha output every 32 or > so longs isn't nice. These things together make for inconsistent and > hard to understand general operating system performance, because > get_random_long is called at every process startup for ASLR. So, in > the end, I believe there's another reason for going with the siphash > approach: deterministic performance. *Hust*, so from where do you generate your key for siphash if called early from ASLR? Bye, Hannes
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.