On Fri, Dec 16, 2016, at 22:01, Jason A. Donenfeld wrote: > Yes, on x86-64. But on i386 chacha20 incurs nearly the same kind of > slowdown as siphash, so I expect the comparison to be more or less > equal. There's another thing I really didn't like about your chacha20 > approach which is that it uses the /dev/urandom pool, which means > various things need to kick in in the background to refill this. > Additionally, having to refill the buffered chacha output every 32 or > so longs isn't nice. These things together make for inconsistent and > hard to understand general operating system performance, because > get_random_long is called at every process startup for ASLR. So, in > the end, I believe there's another reason for going with the siphash > approach: deterministic performance. *Hust*, so from where do you generate your key for siphash if called early from ASLR? Bye, Hannes -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
