lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAHmME9pDHLXUdovYNPkFzOVecPmyq_bKxW9MDB5WHrsHv_o_4g@mail.gmail.com>
Date:   Thu, 20 Jan 2022 22:53:58 +0100
From:   "Jason A. Donenfeld" <Jason@...c4.com>
To:     "Theodore Ts'o" <tytso@....edu>
Cc:     LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] random: use named fields for adjusting chacha state

Hi Ted,

On Thu, Jan 20, 2022 at 6:50 PM Theodore Ts'o <tytso@....edu> wrote:
> This change means that we're only initializing the key, but we're not
> initializing the counter/nonce (well, IV) value.  Could you fix this,
> please?

Right, as I mentioned in the commit message, this was the point. I'll
understand if you don't want to make this change, but the idea is that
indeed we make the nonce and counter values start at zero. This is
what's done in the original "fast key erasure" chacha rng [1,2] and
openbsd's arc4random [3]. And it seems sensible, in that we're not
really getting anything from having a 384-bit key over a 256-bit one.
It's not actually a meaningful reduction in security, and it
simplifies analysis by having the key rows used explicitly for keys
and the public rows used explicitly for public-ish values. It's always
scary to do seemingly _less_, and you could argue that these fields
are fine as input for a little additional pizzazz, so why not? If
that's your perspective, I can understand, and I'm not wedded to
changing it like this. On the other hand, if you agree it doesn't
change things cryptographically, and it simplifies the analysis, then
we can make the change. Either way works for me.

Jason

[1] http://blog.cr.yp.to/20170723-random.html
[2] https://github.com/jedisct1/supercop/blob/master/crypto_rng/chacha20/ref/rng.c
[3] https://github.com/openbsd/src/blob/master/lib/libc/crypt/arc4random.c

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ