| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 11 Feb 2020 07:56:04 +0000
From: "Van Leeuwen, Pascal" <pvanleeuwen@...bus.com>
To: Ken Goldman <kgold@...ux.ibm.com>
CC: "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
"linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
"linux-security-module@...r.kernel.org"
<linux-security-module@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH 1/2] crypto: sm3 - add a new alias name sm3-256
> -----Original Message-----
> From: linux-crypto-owner@...r.kernel.org <linux-crypto-owner@...r.kernel.org> On Behalf Of Ken Goldman
> Sent: Monday, February 10, 2020 7:03 PM
> Cc: linux-crypto@...r.kernel.org; linux-integrity@...r.kernel.org; linux-security-module@...r.kernel.org; linux-
> kernel@...r.kernel.org
> Subject: Re: [PATCH 1/2] crypto: sm3 - add a new alias name sm3-256
>
> <<< External Email >>>
> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the
> sender/sender address and know the content is safe.
>
>
> On 2/10/2020 12:01 PM, Van Leeuwen, Pascal wrote:
> > Well, the current specification surely doesn't define anything else and is
> > already over a decade old. So what would be the odds that they add a
> > different blocksize variant_now_ AND still call that SM3-something?
>
> I just got a note from a cryptographer who said there were discussions
> last year about a future SM3 with 512 bit output.
>
> Given that, why not plan ahead and use sm3-256? Is there any downside?
> Is the cost any more than 4 bytes in some source code?
>
It is actually exported as "sm3" by all implementations, it's just this one reference that was off.
So fixing that one reference is less effort than fixing all implementations.
I don't think anyone cares about the 4 bytes of source code ...
As for SM3-512: that would by silly, considering recent attacks found against similar
Merkle-Darmgard structures. Then again, I'm not talking to Chinese cryptographers.
In any case, what would be the problem with having "sm3" and "sm3-512"?
Note that nobody in the world refers to the current SM3 as "SM3-256".
Regards,
Pascal van Leeuwen
Silicon IP Architect Multi-Protocol Engines, Rambus Security
Rambus ROTW Holding BV
+31-73 6581953
Note: The Inside Secure/Verimatrix Silicon IP team was recently acquired by Rambus.
Please be so kind to update your e-mail address book with my new e-mail address.
** This message and any attachments are for the sole use of the intended recipient(s). It may contain information that is confidential and privileged. If you are not the intended recipient of this message, you are prohibited from printing, copying, forwarding or saving it. Please delete the message and attachments and notify the sender immediately. **
Rambus Inc.<http://www.rambus.com>
Powered by blists - more mailing lists