Eric, On Sun, Mar 31, 2019 at 03:43:30PM -0700, Eric Biggers wrote: > On Mon, Mar 25, 2019 at 09:00:41AM +0300, Vitaly Chikunov wrote: > > Theodore, > > > > On Mon, Mar 25, 2019 at 12:45:50AM -0400, Theodore Ts'o wrote: > > > Given the precedent that has been established for removing the SPECK > > > > As far as I know Speck is removed because: > > > > | commit 578bdaabd015b9b164842c3e8ace9802f38e7ecc > > | Author: Jason A. Donenfeld <Jason@xxxxxxxxx> > > | Date: Tue Aug 7 08:22:25 2018 +0200 > > | > > | crypto: speck - remove Speck > > | > > | These are unused, undesired, and have never actually been used by > > | anybody. The original authors of this code have changed their mind about > > | its inclusion. While originally proposed for disk encryption on low-end > > | devices, the idea was discarded [1] in favor of something else before > > | that could really get going. Therefore, this patch removes Speck. > > | > > | [1] https://marc.info/?l=linux-crypto-vger&m=153359499015659 > > > > None of these arguments apply to Streebog. > > > > Thanks, > > > > > > > cipher from the kernel, I wonder if we should be removing Streebog on > > > the same basis, in light of the following work: > > > > > > https://who.paris.inria.fr/Leo.Perrin/pi.html > > > https://tosc.iacr.org/index.php/ToSC/article/view/7405 > > > > > > Regards, > > > > > > - Ted > > > > > > ----------- > > > > > > >From the Cryptography mailing list on metzdowd.com: > > > > > > From: "perrin.leo@xxxxxxxxx" <perrin.leo@xxxxxxxxx> > > > Subject: [Cryptography] New Results on the Russian S-box > > > > > > Hello everyone, > > > > > > I have recently sent an e-mail to the CFRG mailing list about my results > > > on the S-box shared by both of the latest Russian standards in symmetric > > > crypto and I have been told that it might interest the subscribers of > > > this mailing list. > > > > > > In a paper that I am about to present at the Fast Software Encryption > > > conference, I describe what I claim to be the structure used by the > > > S-box of the hash function Streebog and the block cipher Kuznyechik. > > > Their authors never disclosed their design process---and in fact claimed > > > that it was generated randomly. I established that it is not the case. > > > More worryingly, the structure they used has a very strong algebraic > > > structure which, in my opinion, demands a renewed security analysis in > > > its light. Overall, I would not recommend using these algorithms until > > > their designers have provided satisfactory explanations about their > > > S-box choice. > > Can you elaborate on why you want to use Streebog? When we added Speck, we > explained in great detail why it was useful from a technical perspective (before > Adiantum was ready). I don't see any such explanation for Streebog. Our users demand that file integrity is implemented using their national standard algorithm. Thanks,
