Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 16 Dec 2016 22:15:23 +0100
From: Hannes Frederic Sowa <>
To: "Jason A. Donenfeld" <>,, "Theodore Ts'o" <>,
 George Spelvin <>,
 Andi Kleen <>, David Miller <>,
 David Laight <>,
 "Daniel J . Bernstein" <>,
 Eric Biggers <>,
 "Jean-Philippe Aumasson" <>,
 Linux Crypto Mailing List <>,
 LKML <>,
 Andy Lutomirski <>, Netdev <>,
 Tom Herbert <>,
 Linus Torvalds <>,
 Vegard Nossum <>
Subject: Re: Re: [PATCH v5 1/4] siphash: add cryptographically
 secure PRF

On Fri, Dec 16, 2016, at 22:01, Jason A. Donenfeld wrote:
> Yes, on x86-64. But on i386 chacha20 incurs nearly the same kind of
> slowdown as siphash, so I expect the comparison to be more or less
> equal. There's another thing I really didn't like about your chacha20
> approach which is that it uses the /dev/urandom pool, which means
> various things need to kick in in the background to refill this.
> Additionally, having to refill the buffered chacha output every 32 or
> so longs isn't nice. These things together make for inconsistent and
> hard to understand general operating system performance, because
> get_random_long is called at every process startup for ASLR. So, in
> the end, I believe there's another reason for going with the siphash
> approach: deterministic performance.

*Hust*, so from where do you generate your key for siphash if called
early from ASLR?


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.