Re: [PATCH 0/6] crypto: aegis128 - add NEON intrinsics version for ARM/arm64

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jun 24, 2019 at 6:57 PM Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> On Mon, Jun 24, 2019 at 09:38:12AM +0200, Ard Biesheuvel wrote:
> > Now that aegis128 has been announced as one of the winners of the CAESAR
> > competition, it's time to provide some better support for it on arm64 (and
> > 32-bit ARM *)
> >
> > This time, instead of cloning the generic driver twice and rewriting half
> > of it in arm64 and ARM assembly, add hooks for an accelerated SIMD path to
> > the generic driver, and populate it with a C version using NEON intrinsics
> > that can be built for both ARM and arm64. This results in a speedup of ~11x,
> > resulting in a performance of 2.2 cycles per byte on Cortex-A53.
> >
> > Patches #1 .. #3 are some fixes/improvements for the generic code. Patch #4
> > adds the plumbing for using a SIMD accelerated implementation. Patch #5
> > adds the ARM and arm64 code, and patch #6 adds a speed test.
> >
> > Note that aegis128l and aegis256 were not selected, and nor where any of the
> > morus contestants, and so we should probably consider dropping those drivers
> > again.
> >
>
> I'll also note that a few months ago there were attacks published on all
> versions of full MORUS, with only 2^76 data and time complexity
> (https://eprint.iacr.org/2019/172.pdf).  So MORUS is cryptographically broken,
> and isn't really something that people should be using.  Ondrej, are people
> actually using MORUS in the kernel?  I understand that you added it for your
> Master's Thesis with the intent that it would be used with dm-integrity and
> dm-crypt, but it's not clear that people are actually doing that.

AFAIK, the only (potential) users are dm-crypt/dm-integrity and
af_alg. I don't expect many (if any) users using it, but who knows...
I don't have any problem with MORUS being removed from crypto API. It
seems to be broken rather heavily...

>
> In any case we could consider dropping the assembly implementations, though.
>
> - Eric

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux