From: "Jason A. Donenfeld"
Date: Thu, 20 Jan 2022 22:53:58 +0100
Subject: Re: [PATCH] random: use named fields for adjusting chacha state
To: "Theodore Ts'o"
Cc: LKML
References: <20220120150734.509125-1-Jason@zx2c4.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Ted,

On Thu, Jan 20, 2022 at 6:50 PM Theodore Ts'o wrote:
> This change means that we're only initializing the key, but we're not
> initializing the counter/nonce (well, IV) value. Could you fix this,
> please?

Right, as I mentioned in the commit message, this was the point. I'll understand if you don't want to make this change, but the idea is that indeed we make the nonce and counter values start at zero. This is what's done in the original "fast key erasure" chacha rng [1,2] and OpenBSD's arc4random [3]. And it seems sensible, in that we're not really getting anything from having a 384-bit key over a 256-bit one. It's not actually a meaningful reduction in security, and it simplifies analysis by having the key rows used explicitly for keys and the public rows used explicitly for public-ish values.
It's always scary to do seemingly _less_, and you could argue that these fields are fine as input for a little additional pizzazz, so why not? If that's your perspective, I can understand, and I'm not wedded to changing it like this. On the other hand, if you agree it doesn't change things cryptographically, and it simplifies the analysis, then we can make the change. Either way works for me.

Jason

[1] http://blog.cr.yp.to/20170723-random.html
[2] https://github.com/jedisct1/supercop/blob/master/crypto_rng/chacha20/ref/rng.c
[3] https://github.com/openbsd/src/blob/master/lib/libc/crypt/arc4random.c
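As an added illustration of the construction discussed in the message above (the 256-bit key rows are the only secret input, the counter and nonce rows start at zero, and the first output bytes of each refill replace the key), here is a self-contained fast-key-erasure ChaCha20 generator in C. It is not code from the kernel, from the cited rng.c or from arc4random; the fke_* names, the two-block refill size and the API are my own choices for this example.

```c
/* Added example (not kernel code): fast-key-erasure ChaCha20 RNG; the fke_* names are mine. */
#include <stdint.h>
#include <string.h>

#define FKE_BLOCKS    2                    /* per refill: 32 B next key + 96 B output */
#define FKE_OUT_BYTES (FKE_BLOCKS * 64 - 32)
#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) \
    a += b; d ^= a; d = ROTL(d, 16); c += d; b ^= c; b = ROTL(b, 12); \
    a += b; d ^= a; d = ROTL(d, 8);  c += d; b ^= c; b = ROTL(b, 7);
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* ChaCha20 block function: 16-word state in, 64 bytes of keystream out. */
static void chacha20_block(const uint32_t in[16], uint8_t out[64])
{
    uint32_t x[16];
    memcpy(x, in, sizeof(x));
    for (int i = 0; i < 10; i++) {         /* 10 double rounds = 20 rounds */
        QR(x[0], x[4], x[8],  x[12]) QR(x[1], x[5], x[9],  x[13])
        QR(x[2], x[6], x[10], x[14]) QR(x[3], x[7], x[11], x[15])
        QR(x[0], x[5], x[10], x[15]) QR(x[1], x[6], x[11], x[12])
        QR(x[2], x[7], x[8],  x[13]) QR(x[3], x[4], x[9],  x[14])
    }
    for (int i = 0; i < 16; i++)           /* add the input state, serialize little-endian */
        for (int j = 0; j < 4; j++) out[4*i + j] = (uint8_t)((x[i] + in[i]) >> (8*j));
}

struct fke_rng { uint32_t state[16]; };    /* 0-3 constants, 4-11 key, 12 counter, 13-15 nonce */
static void fke_init(struct fke_rng *r, const uint8_t key[32])
{
    static const uint32_t sigma[4] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
    memcpy(r->state, sigma, sizeof(sigma));
    for (int i = 0; i < 8; i++)            /* only the key rows receive secret input */
        r->state[4 + i] = le32(key + 4 * i);
    memset(&r->state[12], 0, 16);          /* counter and nonce start at zero */
}

/* Refill: FKE_BLOCKS blocks; the first 32 output bytes become the next key and the counter resets. */
static void fke_generate(struct fke_rng *r, uint8_t out[FKE_OUT_BYTES])
{
    uint8_t buf[FKE_BLOCKS * 64];
    for (int i = 0; i < FKE_BLOCKS; i++) {
        r->state[12] = (uint32_t)i;
        chacha20_block(r->state, buf + 64 * i);
    }
    for (int i = 0; i < 8; i++)            /* the key that produced this output no longer exists */
        r->state[4 + i] = le32(buf + 4 * i);
    r->state[12] = 0;
    memcpy(out, buf + 32, FKE_OUT_BYTES);
    memset(buf, 0, sizeof(buf));           /* the next key must not linger in the buffer */
}
```

A production implementation would clear `buf` with a memset the compiler cannot elide, and would refill from a fresh seed periodically rather than relying on the key chain alone.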