Re: [PATCH] crypto: morus - remove generic and x86 implementations

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



, On Wed, Jun 26, 2019 at 8:40 AM Milan Broz <gmazyland@xxxxxxxxx> wrote:
>
> On 26/06/2019 09:15, Ard Biesheuvel wrote:
>
> > Thanks for the insight. So I guess we have consensus that MORUS should
> > be removed. How about aegis128l and aegis256, which have been
> > disregarded in favor of aegis128 by CAESAR (note that I sent an
> > accelerated ARM/arm64 version of aegis128 based on the ARMv8 crypto
> > instructions, in case you missed it)
>
> Well, there are similar cases, see that Serpent supports many keysizes, even 0-length key (!),
> despite the AES finalists were proposed only for 128/192/256 bit keys.
> (It happened to us several times during tests that apparent mistype in Serpent key length
> was accepted by the kernel...)

I'm not sure the Serpent case is comparable. In Serpent, the key can
be any size below 256 bits, but internally the key is simply padded to
256 bits and the algorithm is fundamentally the same. There are no
speed differences between different keys sizes.

On the other hand, AEGIS128, AEGIS256, and AEGIS128L are different
algorithms, with different state sizes and state update functions. The
existing cryptanalysis of AEGIS consists solely of [1] (which is the
paper that directly inspired the MORUS cryptanalysis), which does not
look at AEGIS128L at all. In effect, to my knowledge there are no
known cryptanalytic results on AEGIS128L, which I imagine to be one of
the main reasons why it did not end up in the CAESAR portfolio. But
AEGIS128L is by far the fastest option, and a user is probably going
to be naturally tempted to use it instead of the other variants.

[1] https://eprint.iacr.org/2018/292



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux