Thread (20 messages) 20 messages, 6 authors, 2018-05-07

[PATCH v2 0/5] crypto: Speck support

From: Jason@zx2c4.com (Jason A. Donenfeld)
Date: 2018-04-24 20:58:35
Also in: linux-crypto, linux-fscrypt

Hi Eric,

On Tue, Apr 24, 2018 at 8:16 PM, Eric Biggers [off-list ref] wrote:
So, what do you propose replacing it with?
Something more cryptographically justifiable.
outside crypto review, vs. the many cryptanalysis papers on Speck.  (In that
respect the controversy about Speck has actually become an advantage, as it has
received much more cryptanalysis than other lightweight block ciphers.)
That's the thing that worries me, actually. Many of the design
decisions behind Speck haven't been justified.
The reason we chose Speck had nothing to do with the proposed ISO standard or
any sociopolitical factors, but rather because it was the only algorithm we
could find that met the performance and security requirements.
Note that Linux
doesn't bow down to any particular standards organization, and it offers
algorithms that were specified in various places, even some with no more than a
publication by the author.  In fact, support for SM4 was just added too, which
is a Chinese government standard.  Are you going to send a patch to remove that
too, or is it just NSA designed algorithms that are not okay?
No need to be belittling; I have much less tinfoil strapped around my
head than perhaps you think. I'm not blindly opposed to
government-designed algorithms. Take SHA2, for example -- built by the
NSA.

But I do care quite a bit about using ciphers that have acceptance of
the academic community and a large body of literature documenting its
design decisions and analyzing it. Some of the best symmetric
cryptographers in academia have expressed reservations about it, and
it was just rejected from a major standard's body. Linux, of course,
is free to disagree -- or "bow down" as you oddly put it -- but I'd
make sure you've got a pretty large bucket of justifications for that
disagreement.
(in fact, you'd
probably have a different opinion of it if the authors had simply worked
somewhere else and published the exact same algorithm);
Again, no need to patronize. I don't actually have a bias like that.
But I hope you can understand that all *technical* indicators are that Speck is
secure enough
That's the thing I'm worried about.

Jason
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help