On Tue, 25 Jun 2019 at 16:07, Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > On Mon, Jun 24, 2019 at 6:57 PM Eric Biggers <ebiggers@xxxxxxxxxx> wrote: > > On Mon, Jun 24, 2019 at 09:38:12AM +0200, Ard Biesheuvel wrote: > > > Now that aegis128 has been announced as one of the winners of the CAESAR > > > competition, it's time to provide some better support for it on arm64 (and > > > 32-bit ARM *) > > > > > > This time, instead of cloning the generic driver twice and rewriting half > > > of it in arm64 and ARM assembly, add hooks for an accelerated SIMD path to > > > the generic driver, and populate it with a C version using NEON intrinsics > > > that can be built for both ARM and arm64. This results in a speedup of ~11x, > > > resulting in a performance of 2.2 cycles per byte on Cortex-A53. > > > > > > Patches #1 .. #3 are some fixes/improvements for the generic code. Patch #4 > > > adds the plumbing for using a SIMD accelerated implementation. Patch #5 > > > adds the ARM and arm64 code, and patch #6 adds a speed test. > > > > > > Note that aegis128l and aegis256 were not selected, and nor where any of the > > > morus contestants, and so we should probably consider dropping those drivers > > > again. > > > > > > > I'll also note that a few months ago there were attacks published on all > > versions of full MORUS, with only 2^76 data and time complexity > > (https://eprint.iacr.org/2019/172.pdf). So MORUS is cryptographically broken, > > and isn't really something that people should be using. Ondrej, are people > > actually using MORUS in the kernel? I understand that you added it for your > > Master's Thesis with the intent that it would be used with dm-integrity and > > dm-crypt, but it's not clear that people are actually doing that. > > AFAIK, the only (potential) users are dm-crypt/dm-integrity and > af_alg. I don't expect many (if any) users using it, but who knows... > I don't have any problem with MORUS being removed from crypto API. It > seems to be broken rather heavily... > OK, patch sent.