Hi Eric, On Thu, Apr 21, 2022 at 10:44 PM Eric Biggers <ebiggers@xxxxxxxxxx> wrote: > -Danger! > +**Danger!** HalfSipHash should only be used in a very limited set of use cases > +where nothing better is possible, namely: > > -Do not ever use HalfSipHash except for as a hashtable key function, and only > -then when you can be absolutely certain that the outputs will never be > -transmitted out of the kernel. This is only remotely useful over `jhash` as a > -means of mitigating hashtable flooding denial of service attacks. > +- Hashtable key functions, where the outputs will never be transmitted out of > + the kernel. This is only remotely useful over `jhash` as a means of mitigating > + hashtable flooding denial of service attacks. I think we should actually drop this chunk of the patch. You wrote in your commit message, "HalfSipHash-1-3 is not entirely limited to hashtable functions, with it now being used in the interrupt entropy accumulator." But in fact, random.c uses HalfSipHash-1, with no three round finalization (since we use BLAKE2s for that). So it's not _quite_ the same thing. If it were, we could have gotten away by just calling the actual hsiphash function, but instead it's just applying the round function as a permutation. If you feel strongly that somebody might accidentally copy and paste that after grepping for halfsiphash and trying to figure out how to use it, I suppose we could keep this. But it strikes me as very much not the same thing as the hsiphash_* family of functions. Jason
