From: Paul Crowley
Date: Mon, 22 Oct 2018 10:17:26 -0700
Subject: Re: [RFC PATCH v2 00/12] crypto: Adiantum support
To: Jason@zx2c4.com
Cc: ebiggers@kernel.org, linux-crypto@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Herbert Xu, Greg Kaiser, Michael Halcrow, samuel.c.p.neves@gmail.com, tomer.ashur@esat.kuleuven.be
References: <20181015175424.97147-1-ebiggers@kernel.org> <20181019190411.GB246441@gmail.com> <20181021222341.GA742@sol.localdomain>
List-ID: linux-kernel@vger.kernel.org

On Sun, 21 Oct 2018 at 15:52, Jason A. Donenfeld wrote:
> > [1] Originally we were going to define Adiantum's hash function to be
> > Poly1305(message_length || tweak_length || tweak || NH(message)), which
> > would have made it desirable to export the Poly1305 state before NH, so that
> > it could be imported for the second hash step to avoid redundantly hashing
> > the message length and tweak. But later we changed it to
> > Poly1305(message_length || tweak) + Poly1305(NH(message)).
>
> Out of curiosity, why this change?

With the old system, Eric ended up implementing a function which took "message_length || tweak_length || tweak || message" as input and *parsed out* the lengths in the first 16 bytes to know when to start applying NH. That struck me as not nice at all, and we worked together to design something that fitted more naturally into the way that crypto is done in the kernel.

With this change, the part that can be kept in common between the two hashing stages is cleanly separated from the part that will be different, and the Poly1305(NH(message)) construction is a relatively clean thing by itself to be part of the Linux kernel, though by itself it is only epsilon-almost-delta-universal over equal-length inputs, so it has to be combined with something else to handle varying-length inputs. This is not too dissimilar from the caveats around GHASH, which is also part of the kernel.
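An illustrative sketch, added here and not code from this thread or from the kernel patch series, of the hash shape the reply describes: a Poly1305 over the message length and tweak, added to a Poly1305 over NH(message), so the length/tweak summand can be computed once and shared between the two hashing stages. The Poly1305 is the bare polynomial hash (no final `s` offset), the NH is a single-stripe simplification, and the key sizes, length encoding and padding are assumptions rather than Adiantum's actual parameters.

```python
import struct

P1305 = (1 << 130) - 5
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff

def poly1305_hash(r_key: bytes, msg: bytes) -> int:
    """Poly1305 polynomial evaluation over 16-byte blocks, without the final
    's' offset: in this construction the other summand plays that role."""
    r = int.from_bytes(r_key[:16], "little") & CLAMP
    acc = 0
    for i in range(0, len(msg), 16):
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")  # 0x01 terminator
        acc = ((acc + n) * r) % P1305
    return acc

def nh_hash(key: bytes, msg: bytes) -> bytes:
    """Simplified single-stripe NH over 64-byte blocks of 32-bit words:
    sum of (m_2i + k_2i mod 2^32) * (m_2i+1 + k_2i+1 mod 2^32), mod 2^64.
    Zero-padding of a short final block is an assumption of this sketch."""
    k = struct.unpack("<16I", key[:64])
    out = b""
    for b in range(0, len(msg), 64):
        m = struct.unpack("<16I", msg[b:b + 64].ljust(64, b"\x00"))
        acc = 0
        for i in range(0, 16, 2):
            acc += ((m[i] + k[i]) & 0xffffffff) * ((m[i + 1] + k[i + 1]) & 0xffffffff)
        out += struct.pack("<Q", acc & 0xffffffffffffffff)
    return out

def hash_tweak_part(kt: bytes, msg_len: int, tweak: bytes) -> int:
    """Summand depending only on length and tweak: shared by both stages."""
    return poly1305_hash(kt, struct.pack("<Q", msg_len) + tweak)

def hash_msg_part(km: bytes, kn: bytes, msg: bytes) -> int:
    """Summand depending on the message: Poly1305(NH(message))."""
    return poly1305_hash(km, nh_hash(kn, msg))

def two_part_hash(kt: bytes, km: bytes, kn: bytes, tweak: bytes, msg: bytes) -> int:
    """H(tweak, msg) = Poly1305(len || tweak) + Poly1305(NH(msg))  mod 2^128."""
    return (hash_tweak_part(kt, len(msg), tweak) + hash_msg_part(km, kn, msg)) % (1 << 128)

# Constructed keys and inputs; not test vectors from any specification.
KT, KM, KN = bytes(range(16)), bytes(range(16, 32)), bytes(range(64))
TWEAK = b"sector-0042"

def demo() -> bool:
    """Both hashing stages see the same tweak and length but different
    message content, so the tweak summand is computed once and reused."""
    m1, m2 = b"A" * 128, b"B" * 128
    shared = hash_tweak_part(KT, 128, TWEAK)
    h1 = (shared + hash_msg_part(KM, KN, m1)) % (1 << 128)
    h2 = (shared + hash_msg_part(KM, KN, m2)) % (1 << 128)
    return (h1, h2) == (two_part_hash(KT, KM, KN, TWEAK, m1),
                        two_part_hash(KT, KM, KN, TWEAK, m2)) and h1 != h2
```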