Re: Should we consider removing Streebog from the Linux Kernel?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Theodore,

On Mon, Mar 25, 2019 at 12:45:50AM -0400, Theodore Ts'o wrote:
> Given the precedent that has been established for removing the SPECK

As far as I know Speck is removed because:

| commit 578bdaabd015b9b164842c3e8ace9802f38e7ecc
| Author: Jason A. Donenfeld <Jason@xxxxxxxxx>
| Date:   Tue Aug 7 08:22:25 2018 +0200
|
|   crypto: speck - remove Speck
|
|   These are unused, undesired, and have never actually been used by
|   anybody. The original authors of this code have changed their mind about
|   its inclusion. While originally proposed for disk encryption on low-end
|   devices, the idea was discarded [1] in favor of something else before
|   that could really get going. Therefore, this patch removes Speck.
|
|   [1] https://marc.info/?l=linux-crypto-vger&m=153359499015659

None of these arguments apply to Streebog.

Thanks,


> cipher from the kernel, I wonder if we should be removing Streebog on
> the same basis, in light of the following work:
> 
> 	https://who.paris.inria.fr/Leo.Perrin/pi.html
> 	https://tosc.iacr.org/index.php/ToSC/article/view/7405
> 
> Regards,
> 
> 						- Ted
> 
> -----------
> 
> >From the Cryptography mailing list on metzdowd.com:
> 
> From: "perrin.leo@xxxxxxxxx" <perrin.leo@xxxxxxxxx>
> Subject: [Cryptography] New Results on the Russian S-box
> 
> Hello everyone,
> 
> I have recently sent an e-mail to the CFRG mailing list about my results
> on the S-box shared by both of the latest Russian standards in symmetric
> crypto and I have been told that it might interest the subscribers of
> this mailing list.
> 
> In a paper that I am about to present at the Fast Software Encryption
> conference, I describe what I claim to be the structure used by the
> S-box of the hash function Streebog and the block cipher Kuznyechik.
> Their authors never disclosed their design process---and in fact claimed
> that it was generated randomly. I established that it is not the case.
> More worryingly, the structure they used has a very strong algebraic
> structure which, in my opinion, demands a renewed security analysis in
> its light. Overall, I would not recommend using these algorithms until
> their designers have provided satisfactory explanations about their
> S-box choice.



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux