On 16/04/19 08:58, Pascal Van Leeuwen wrote:
>>> Besides that, they are in heavy practical use in mainland China,
>>> usually as direct replacements for SHA2-256 and AES in whatever
>>> protocol or use case you need: IPsec, TLS, WPA2, XTS for disk encryption,
>>> you name it.
>>
>> How should that mean anything?
>
> Uhm ... no, the fact that something is actually *useful* to potentially
> a billion plus people doesn't mean anything ...

Useful does not mean secure, does it? PKZIP encryption was certainly
useful back in the day, but it was not secure.

>> I did educate myself a bit, but I'm not an expert in cryptography, so I
>> would like to be sure that these are not another Speck or DUAL-EC-DRBG.
>
> Innocent until proven guilty mean anything to you?

This is not a court of justice, it's a software project. For that
matter "certainty beyond reasonable doubt" is not a thing either in this
context.

>> "SM2 is based on ECC(Elliptic Curve Cryptography), and uses a special
>> curve" is enough for me to see warning signs, at least without further
>> explanations,
>>
> The specification is public (if you can read Chinese, anyway), so open to
> analysis. Either way, it's quite irrelevant to Chinese organisations that
> HAVE to use SM2. And anyone else can just decide NOT to use it, you don't
> even have to compile it into your kernel. It's called freedom.

"Freedom" didn't apply when Speck was proposed for inclusion in Linux,
and I would like to make sure I don't make a mistake when adding crypto
interfaces. If SM2/3/4 were broken, I couldn't care less if someone HAS
to use them, they can patch their kernel. But if they're not then I
appreciate that you wrote to correct me, it's helpful.

Please understand that 99% of the community has not ever heard of
anything but SHA-{1,2,3}, ECDSA, Ed25519, AES. If somebody comes up with
a patch with "strange" crypto, it's up to them to say that they are
secure---and again, the key word is secure, not useful.

Paolo

>> and so does the fact that the initial SM3 values were
>> changed from SHA-2 and AFAICT there is no public justification for
>> that.
>>
> Actually, SM3 is an *improvement* on SHA-2, and there has been ample
> analysis done on that to, in fact, confirm it's (slightly) better.
> So there IS public justification. Don't shout if you don't know the
> facts.