From: Martin Willi
Subject: Re: [RFC PATCH] crypto: chacha20 - add implementation using 96-bit nonce
Date: Mon, 11 Dec 2017 08:38:45 +0100
To: Eric Biggers, Ard Biesheuvel
Cc: David Gstir, Theodore Ts'o, herbert@gondor.apana.org.au, Eric Biggers, Stephan Mueller, Michael Halcrow, "Jason A . Donenfeld", linux-f2fs-devel@lists.sourceforge.net, linux-fscrypt@vger.kernel.org, linux-mtd@lists.infradead.org, linux-crypto@vger.kernel.org, linux-fsdevel@vger.kernel.org, Jaegeuk Kim, linux-ext4@vger.kernel.org, Paul Crowley

Hi,

> Anyway, I actually thought it was intentional that the ChaCha
> implementations in the Linux kernel allowed specifying the block
> counter, and therefore allowed seeking to any point in the keystream,
> exposing the full functionality of the cipher.

If I remember correctly, it was indeed intentional.

When building the chacha20poly1305 AEAD both in [1] and [2], a block counter of 0 is used to generate the Poly1305 key. For the ChaCha20 encryption, an explicit initial block counter of 1 is used to avoid reusing the same counter.

Maybe it would be possible to implement this with implicit counters, but doing this explicitly looked much clearer to me. So I guess there are use cases for explicit block counters in ChaCha20.

Best regards
Martin

[1] https://tools.ietf.org/html/rfc7539#section-2.8
[2] https://tools.ietf.org/html/rfc7634#section-2