On 26/06/2019 09:15, Ard Biesheuvel wrote: > Thanks for the insight. So I guess we have consensus that MORUS should > be removed. How about aegis128l and aegis256, which have been > disregarded in favor of aegis128 by CAESAR (note that I sent an > accelerated ARM/arm64 version of aegis128 based on the ARMv8 crypto > instructions, in case you missed it) Well, there are similar cases, see that Serpent supports many keysizes, even 0-length key (!), despite the AES finalists were proposed only for 128/192/256 bit keys. (It happened to us several times during tests that apparent mistype in Serpent key length was accepted by the kernel...) (Maybe the cleanup should continue? :-) Dunno, for me, I think the generic implementation could stay there. Milan