Documentation: siphash: disambiguate HalfSipHash algorithm from hsiphash functions

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Fix the documentation for the hsiphash functions to avoid conflating the
HalfSipHash algorithm with the hsiphash functions, since these functions
actually implement either HalfSipHash or SipHash, and random.c now uses
HalfSipHash (in a very special way) without the hsiphash functions.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

authored by

Eric Biggers and committed by

Jason A. Donenfeld 4 years ago 5a7e470e 2fbfeb4f

+22 -12

1 changed file

expand all

Documentation

security

siphash.rst

+22 -12

Documentation/security/siphash.rst

··· 121 121 instead of SipHash's 128-bit key. However, this may appeal to some 122 122 high-performance `jhash` users. 123 123 124 + HalfSipHash support is provided through the "hsiphash" family of functions. 125 + 124 126 .. warning:: 125 - Do not ever use HalfSipHash except for as a hashtable key function, and 126 - only then when you can be absolutely certain that the outputs will never 127 - be transmitted out of the kernel. This is only remotely useful over 128 - `jhash` as a means of mitigating hashtable flooding denial of service 127 + Do not ever use the hsiphash functions except for as a hashtable key 128 + function, and only then when you can be absolutely certain that the outputs 129 + will never be transmitted out of the kernel. This is only remotely useful 130 + over `jhash` as a means of mitigating hashtable flooding denial of service 129 131 attacks. 130 132 131 - Generating a HalfSipHash key 132 - ============================ 133 + On 64-bit kernels, the hsiphash functions actually implement SipHash-1-3, a 134 + reduced-round variant of SipHash, instead of HalfSipHash-1-3. This is because in 135 + 64-bit code, SipHash-1-3 is no slower than HalfSipHash-1-3, and can be faster. 136 + Note, this does *not* mean that in 64-bit kernels the hsiphash functions are the 137 + same as the siphash ones, or that they are secure; the hsiphash functions still 138 + use a less secure reduced-round algorithm and truncate their outputs to 32 139 + bits. 140 + 141 + Generating a hsiphash key 142 + ========================= 133 143 134 144 Keys should always be generated from a cryptographically secure source of 135 145 random numbers, either using get_random_bytes or get_random_once:: ··· 149 139 150 140 If you're not deriving your key from here, you're doing it wrong. 151 141 152 - Using the HalfSipHash functions 153 - =============================== 142 + Using the hsiphash functions 143 + ============================ 154 144 155 145 There are two variants of the function, one that takes a list of integers, and 156 146 one that takes a buffer:: ··· 193 183 Performance 194 184 =========== 195 185 196 - HalfSipHash is roughly 3 times slower than JenkinsHash. For many replacements, 197 - this will not be a problem, as the hashtable lookup isn't the bottleneck. And 198 - in general, this is probably a good sacrifice to make for the security and DoS 199 - resistance of HalfSipHash. 186 + hsiphash() is roughly 3 times slower than jhash(). For many replacements, this 187 + will not be a problem, as the hashtable lookup isn't the bottleneck. And in 188 + general, this is probably a good sacrifice to make for the security and DoS 189 + resistance of hsiphash().