Hacker News new | ask | show | jobs
by espadrine 1630 days ago
The title mentions performance, but it is not the primary motivation AFAICT. It is only mentioned to say “it is not slower”.

The main concern was security, so it makes sense to use BLAKE2, which benefits from existing cryptanalysis of the ChaCha20 permutation, which is already used in the RNG for number generation.

(And it makes sense to use BLAKE2s in particular, to support non-64-bit systems without penalty.)

Using a single hash (instead of picking one at runtime) simplifies the attack surface IMO.
1 comments
tptacek 1630 days ago
The argument here is that many (most?) Linux systems have access to a hardware SHA2, which is equally secure (in this setting) but faster. Attacks on SHA2 or Blake2 (really, of SHA1, for that matter) aren't how viable real-world attackers on the LKRNG are going to happen. It's good to see SHA1 getting swept away for other reasons though!
link
loeg 1630 days ago
Do most Intel (and by extension, Linux) machines have SHA2, though? I think it’s a pretty recent extension and at least initially, they were only shipping it in their low-end embedded models.
link
Kubuxu 1630 days ago
Most Intel processors don't have the extension, it is only Goldmont (low power) and 10th gen and up.

All AMD Zen processors have the extension.

link
tptacek 1630 days ago
See, what do I know. Definitely not "most".
link
garmaine 1630 days ago
Are you sure? I haven’t been able to buy a CPU that doesn’t have SHA2 acceleration for an number of years now.
link
erik 1630 days ago
> I haven’t been able to buy a CPU that doesn’t have SHA2 acceleration for an number of years now.

This is incorrect. Intel only launched their 11th gen desktop processors March 30, 2021. The 10th gen and earlier desktop processors do not have the SHA instructions. You can still buy a new i9-10900k from Newegg today.

(Note that 10th gen Intel mobile/laptop processors are a different micro-architecture, and do support SHA.)

Edit: Perhaps you're thinking of the AES instructions? They've been around a lot longer.

link
garmaine 1630 days ago
I think I am. Thanks for the correction.
link
blihp 1630 days ago
The argument that not all CPUs running Linux have hardware SHA2 is valid, and therefore can't be assumed. However saying because one (even a significant one... though it's arguable it hasn't been the majority for a while) doesn't and therefore it shouldn't be used seems shortsighted at best. For decades various minority features have been enabled in the Linux kernel. Since when is lowest common denominator the desirable target to utilize exclusively?
link
loeg 1630 days ago
I am not making the argument you're rebutting. I was only responding to this claim:

> The argument here is that many (most?) Linux systems have access to a hardware SHA2

link