Message-ID: <1547398342.4409.3.camel@HansenPartnership.com>
Subject: Re: [PATCH 4/6] crypto: hkdf - RFC5869 Key Derivation Function
From: James Bottomley
To: Stephan Müller, Herbert Xu
Cc: Eric Biggers, Andy Lutomirski, "Lee, Chun-Yi", "Rafael J. Wysocki", Pavel Machek, linux-kernel@vger.kernel.org, linux-pm@vger.kernel.org, keyrings@vger.kernel.org, "Rafael J. Wysocki", Chen Yu, Oliver Neukum, Ryan Chen, David Howells, Giovanni Gherdovich, Randy Dunlap, Jann Horn, Andy Lutomirski, linux-crypto@vger.kernel.org
Date: Sun, 13 Jan 2019 08:52:22 -0800
In-Reply-To: <9795894.APlZEWIbOH@positron.chronox.de>
References: <20190103143227.9138-1-jlee@suse.com> <20190112051252.GA639@sol.localdomain> <20190112095535.36rh3ptnrf7yxacv@gondor.apana.org.au> <9795894.APlZEWIbOH@positron.chronox.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, 2019-01-13 at 08:56 +0100, Stephan Müller wrote:
> The question may arise why to plug the KDFs into RNGs. The answer is
> quite simple: KDFs are a form of random number generator. In that
> they take some input for initialization (aka seed, salt, key,
> personalization string). Then they produce pseudo-random bit
> sequences of arbitrary length. Possibly the generation operation can
> be modified by providing some additional input to be used by the
> generation process (aka label, context, info string, additional
> information string). Thus, the RNG interface is a natural fit for the
> KDFs.

Philosophically, that's quite wrong. KDFs are a class of pseudorandom functions (PRFs).
PRFs are designed so that the output is indistinguishable from a random number generator to observers who don't know the input but is deterministically useful for participants who do. That means they're definitely not RNGs; they're functions whose output is designed to look like the output of an RNG. I suppose the mathematical thing that distinguishes PRFs and RNGs is entropy: PRFs have zero entropy because given the same inputs you expect the same output.

Now whether it makes sense to use the RNG API or not I'll leave up to the crypto people. I would have expected any cryptographic RNG API to be mostly about entropy management (the Linux core internal one certainly is), but it appears that the one in crypto isn't.

James
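As an added example (not code from the patch series or from either participant), here is the RFC 5869 HKDF that both the quoted description and the reply are talking about, in Python: salt and input keying material seed it, an info string steers the expansion, the output length is arbitrary up to 255 * HashLen, and identical inputs always produce identical bytes, which is the zero-entropy point. Function and variable names are my own; the embedded test vector is RFC 5869 Appendix A test case 1.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    salt = salt or b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), T(0) empty; OKM = T(1) || T(2) || ... cut to `length`."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:  # the block counter i is a single byte
        raise ValueError("HKDF output length exceeds 255 * HashLen")
    okm, t = b"", b""
    for counter in range(1, -(-length // hash_len) + 1):  # ceil(length / HashLen) blocks
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Extract-then-expand: seed with salt/IKM, steer with info, cut to any length."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


# RFC 5869 Appendix A test case 1 (SHA-256), embedded so the block can check itself.
RFC5869_TC1 = {
    "ikm": bytes([0x0B] * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "length": 42,
    "prk": bytes.fromhex("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"),
    "okm": bytes.fromhex("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"),
}


def check_rfc_vector() -> bool:
    """True when both the intermediate PRK and the final OKM match the RFC's values."""
    v = RFC5869_TC1
    return (hkdf_extract(v["salt"], v["ikm"]) == v["prk"]
            and hkdf(v["salt"], v["ikm"], v["info"], v["length"]) == v["okm"])


if __name__ == "__main__":
    ikm = b"constructed example keying material"  # constructed, not a real secret
    print("RFC 5869 vector ok:", check_rfc_vector())
    # Same inputs, same bytes (a PRF has no entropy of its own); a different info label, unrelated key.
    print("deterministic:", hkdf(b"", ikm, b"A", 32) == hkdf(b"", ikm, b"A", 32),
          "label matters:", hkdf(b"", ikm, b"A", 32) != hkdf(b"", ikm, b"B", 32))
```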