Re: [PATCH v8 13/20] fscrypt: v2 encryption policy support

2019-08-06 Thread Paul Crowley
> replacement for v1 policies.
>
> (*) Actually, in the API fscrypt_policy::version is 0 while on-disk
> fscrypt_context::format is 1. But I believe it makes the most sense
> to advance both to '2' to have them be in sync, and to consider the
> numbering to start at 1 except for the API quirk.
>
> Signed-off-by: Eric Biggers

Looks good, feel free to add:

Reviewed-by: Paul Crowley

Re: [PATCH v8 12/20] fscrypt: add an HKDF-SHA512 implementation

2019-08-06 Thread Paul Crowley
> cryption, which is currently being worked on.
>
> HKDF solves all the above problems.
>
> Reviewed-by: Theodore Ts'o
> Signed-off-by: Eric Biggers

Looks good, feel free to add:

Reviewed-by: Paul Crowley

Re: [RFC PATCH v2 00/12] crypto: Adiantum support

2018-10-22 Thread Paul Crowley
On Sun, 21 Oct 2018 at 15:52, Jason A. Donenfeld wrote:
> > [1] Originally we were going to define Adiantum's hash function to be
> > Poly1305(message_length || tweak_length || tweak || NH(message)), which
> > would have made it desirable to export the Poly1305 state before NH, so
> > tha

Re: [RFC PATCH v2 00/12] crypto: Adiantum support

2018-10-19 Thread Paul Crowley
On Fri, 19 Oct 2018 at 08:58, Jason A. Donenfeld wrote:
> Before merging this into the kernel, do you want to wait until you've
> received some public review from academia?

I would prefer not to wait. Unlike a new primitive whose strength can only be known through attempts at cryptanalysis, Adian

Re: [RFC PATCH 3/9] crypto: chacha20-generic - refactor to allow varying number of rounds

2018-08-06 Thread Paul Crowley
be worrying about it for IoT devices.

On Mon, 6 Aug 2018 at 17:15, Jason A. Donenfeld wrote:
>
> Hi Paul,
>
> On 8/6/18, Paul Crowley wrote:
> > Salsa20 was one of the earlier ARX proposals, and set a very
> > conservative number of rounds as befits our state of

Re: [RFC PATCH 3/9] crypto: chacha20-generic - refactor to allow varying number of rounds

2018-08-06 Thread Paul Crowley
Salsa20 was one of the earlier ARX proposals, and set a very conservative number of rounds as befits our state of knowledge at the time. Since then we've learned a lot more about cryptanalysis of such offerings, and I think we can be comfortable with fewer rounds. The best attack on ChaCha breaks 7

Re: [PATCH v2 0/5] crypto: Speck support

2018-04-26 Thread Paul Crowley
> Oh, OK, that sounds like something resembling Naor-Reingold or its
> relatives. That would work, but with 3 or 4 passes I guess it wouldn't
> be very fast.

It most resembles HCH mode https://eprint.iacr.org/2007/028 using two passes of Poly1305, one pass of ChaCha20, and one invocation of a 128-

Re: [PATCH v2 0/5] crypto: Speck support

2018-04-24 Thread Paul Crowley
On Tue, 24 Apr 2018 at 13:58, Jason A. Donenfeld wrote:
> On Tue, Apr 24, 2018 at 8:16 PM, Eric Biggers wrote:
> > So, what do you propose replacing it with?
> Something more cryptographically justifiable.

I'm keen to hear recommendations here, if there are options we should be considering I'd