Open-source aspects of GOST Cryptography
From: Vitaly Chikunov <vt@altlinux.org>
To: oss-gost-crypto@lists.altlinux.org
Subject: [oss-gost-crypto] Fwd: Re: Should we consider removing Streebog from the Linux Kernel?
Date: Mon, 1 Apr 2019 01:56:00 +0300
Message-ID: <20190331225600.hbsounqqkqgzthzr@altlinux.org>

FYI

----- Forwarded message from Eric Biggers <ebiggers@kernel.org> -----

Date: Sun, 31 Mar 2019 15:43:30 -0700
From: Eric Biggers <ebiggers@kernel.org>
To: Vitaly Chikunov <vt@altlinux.org>
Cc: Theodore Ts'o <tytso@mit.edu>, "Jason A. Donenfeld" <Jason@zx2c4.com>, herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org
Subject: Re: Should we consider removing Streebog from the Linux Kernel?
User-Agent: Mutt/1.11.4 (2019-03-13)

Hi Vitaly,

On Mon, Mar 25, 2019 at 09:00:41AM +0300, Vitaly Chikunov wrote:
> Theodore,
> 
> On Mon, Mar 25, 2019 at 12:45:50AM -0400, Theodore Ts'o wrote:
> > Given the precedent that has been established for removing the SPECK
> 
> As far as I know Speck is removed because:
> 
> | commit 578bdaabd015b9b164842c3e8ace9802f38e7ecc
> | Author: Jason A. Donenfeld <Jason@zx2c4.com>
> | Date:   Tue Aug 7 08:22:25 2018 +0200
> |
> |   crypto: speck - remove Speck
> |
> |   These are unused, undesired, and have never actually been used by
> |   anybody. The original authors of this code have changed their mind about
> |   its inclusion. While originally proposed for disk encryption on low-end
> |   devices, the idea was discarded [1] in favor of something else before
> |   that could really get going. Therefore, this patch removes Speck.
> |
> |   [1] https://marc.info/?l=linux-crypto-vger&m=153359499015659
> 
> None of these arguments apply to Streebog.
> 
> Thanks,
> 
> 
> > cipher from the kernel, I wonder if we should be removing Streebog on
> > the same basis, in light of the following work:
> > 
> > 	https://who.paris.inria.fr/Leo.Perrin/pi.html
> > 	https://tosc.iacr.org/index.php/ToSC/article/view/7405
> > 
> > Regards,
> > 
> > 						- Ted
> > 
> > -----------
> > 
> > From the Cryptography mailing list on metzdowd.com:
> > 
> > From: "perrin.leo@gmail.com" <perrin.leo@gmail.com>
> > Subject: [Cryptography] New Results on the Russian S-box
> > 
> > Hello everyone,
> > 
> > I have recently sent an e-mail to the CFRG mailing list about my results
> > on the S-box shared by both of the latest Russian standards in symmetric
> > crypto and I have been told that it might interest the subscribers of
> > this mailing list.
> > 
> > In a paper that I am about to present at the Fast Software Encryption
> > conference, I describe what I claim to be the structure used by the
> > S-box of the hash function Streebog and the block cipher Kuznyechik.
> > Their authors never disclosed their design process---and in fact claimed
> > that it was generated randomly. I established that it is not the case.
> > More worryingly, the structure they used has a very strong algebraic
> > structure which, in my opinion, demands a renewed security analysis in
> > its light. Overall, I would not recommend using these algorithms until
> > their designers have provided satisfactory explanations about their
> > S-box choice.

Can you elaborate on why you want to use Streebog?  When we added Speck, we
explained in great detail why it was useful from a technical perspective (before
Adiantum was ready).  I don't see any such explanation for Streebog.

- Eric

----- End forwarded message -----

