Thread: 8 messages, 4 authors, 2017-12-11

Re: [RFC PATCH] crypto: chacha20 - add implementation using 96-bit nonce

From: Martin Willi <hidden>
Date: 2017-12-11 07:48:00
Also in: linux-crypto, linux-f2fs-devel, linux-fscrypt, linux-fsdevel

Hi,

> Anyway, I actually thought it was intentional that the ChaCha
> implementations in the Linux kernel allowed specifying the block
> counter, and therefore allowed seeking to any point in the keystream,
> exposing the full functionality of the cipher.

If I remember correctly, it was indeed intentional. When building the
chacha20poly1305 AEAD both in [1] and [2], a block counter of 0 is used
to generate the Poly1305 key. For the ChaCha20 encryption, an explicit
initial block counter of 1 is used to avoid reusing the same counter.

Maybe it would be possible to implement this with implicit counters,
but doing this explicitly looked much clearer to me. So I guess there
are use cases for explicit block counters in ChaCha20.

Best regards
Martin

[1] https://tools.ietf.org/html/rfc7539#section-2.8
[2] https://tools.ietf.org/html/rfc7634#section-2

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/