Re: [PATCH 0/6] crypto: aegis128 - add NEON intrinsics version for ARM/arm64

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 25 Jun 2019 at 16:07, Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> On Mon, Jun 24, 2019 at 6:57 PM Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> > On Mon, Jun 24, 2019 at 09:38:12AM +0200, Ard Biesheuvel wrote:
> > > Now that aegis128 has been announced as one of the winners of the CAESAR
> > > competition, it's time to provide some better support for it on arm64 (and
> > > 32-bit ARM *)
> > >
> > > This time, instead of cloning the generic driver twice and rewriting half
> > > of it in arm64 and ARM assembly, add hooks for an accelerated SIMD path to
> > > the generic driver, and populate it with a C version using NEON intrinsics
> > > that can be built for both ARM and arm64. This results in a speedup of ~11x,
> > > resulting in a performance of 2.2 cycles per byte on Cortex-A53.
> > >
> > > Patches #1 .. #3 are some fixes/improvements for the generic code. Patch #4
> > > adds the plumbing for using a SIMD accelerated implementation. Patch #5
> > > adds the ARM and arm64 code, and patch #6 adds a speed test.
> > >
> > > Note that aegis128l and aegis256 were not selected, and nor where any of the
> > > morus contestants, and so we should probably consider dropping those drivers
> > > again.
> > >
> >
> > I'll also note that a few months ago there were attacks published on all
> > versions of full MORUS, with only 2^76 data and time complexity
> > (https://eprint.iacr.org/2019/172.pdf).  So MORUS is cryptographically broken,
> > and isn't really something that people should be using.  Ondrej, are people
> > actually using MORUS in the kernel?  I understand that you added it for your
> > Master's Thesis with the intent that it would be used with dm-integrity and
> > dm-crypt, but it's not clear that people are actually doing that.
>
> AFAIK, the only (potential) users are dm-crypt/dm-integrity and
> af_alg. I don't expect many (if any) users using it, but who knows...
> I don't have any problem with MORUS being removed from crypto API. It
> seems to be broken rather heavily...
>

OK, patch sent.



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux