[PATCH v2 0/5] crypto: Speck support
From: Jason@zx2c4.com (Jason A. Donenfeld)
Date: 2018-04-24 20:58:35
Also in:
linux-crypto, linux-fscrypt
Hi Eric, On Tue, Apr 24, 2018 at 8:16 PM, Eric Biggers [off-list ref] wrote:
So, what do you propose replacing it with?
Something more cryptographically justifiable.
outside crypto review, vs. the many cryptanalysis papers on Speck. (In that respect the controversy about Speck has actually become an advantage, as it has received much more cryptanalysis than other lightweight block ciphers.)
That's the thing that worries me, actually. Many of the design decisions behind Speck haven't been justified.
The reason we chose Speck had nothing to do with the proposed ISO standard or any sociopolitical factors, but rather because it was the only algorithm we could find that met the performance and security requirements.
Note that Linux doesn't bow down to any particular standards organization, and it offers algorithms that were specified in various places, even some with no more than a publication by the author. In fact, support for SM4 was just added too, which is a Chinese government standard. Are you going to send a patch to remove that too, or is it just NSA designed algorithms that are not okay?
No need to be belittling; I have much less tinfoil strapped around my head than perhaps you think. I'm not blindly opposed to government-designed algorithms. Take SHA2, for example -- built by the NSA. But I do care quite a bit about using ciphers that have acceptance of the academic community and a large body of literature documenting its design decisions and analyzing it. Some of the best symmetric cryptographers in academia have expressed reservations about it, and it was just rejected from a major standard's body. Linux, of course, is free to disagree -- or "bow down" as you oddly put it -- but I'd make sure you've got a pretty large bucket of justifications for that disagreement.
(in fact, you'd probably have a different opinion of it if the authors had simply worked somewhere else and published the exact same algorithm);
Again, no need to patronize. I don't actually have a bias like that.
But I hope you can understand that all *technical* indicators are that Speck is secure enough
That's the thing I'm worried about. Jason