Date: Wed, 26 Jan 2022 21:19:27 -0800
From: Eric Biggers
To: Nathan Huckleberry
Cc: linux-crypto@vger.kernel.org, Herbert Xu, "David S. Miller", linux-arm-kernel@lists.infradead.org, Paul Crowley, Sami Tolvanen
Subject: Re: [RFC PATCH 2/7] crypto: polyval - Add POLYVAL support
References: <20220125014422.80552-1-nhuck@google.com> <20220125014422.80552-3-nhuck@google.com>
In-Reply-To: <20220125014422.80552-3-nhuck@google.com>
X-Mailing-List: linux-crypto@vger.kernel.org

On Mon, Jan 24, 2022 at 07:44:17PM -0600, Nathan Huckleberry wrote:
> Add support for POLYVAL, an ε-universal hash function similar to GHASH.

I think you mean ε-∆U (i.e. ε-∆-universal), as appears elsewhere in this
patchset?

> POLYVAL is used as a component to implement HCTR2 mode.
>
> POLYVAL is implemented as a shash algorithm. The implementation is
> modified from ghash-generic.c.
>
> More information on POLYVAL can be found in the HCTR2 paper:
> https://eprint.iacr.org/2021/1441.pdf
>
> Signed-off-by: Nathan Huckleberry

This commit message could use a brief mention of why POLYVAL is used instead
of GHASH, and where POLYVAL is originally from. It is in the paper, but it's
worth emphasizing.

> diff --git a/crypto/polyval-generic.c b/crypto/polyval-generic.c
> new file mode 100644
> index 000000000000..63e908697ea0
> --- /dev/null
> +++ b/crypto/polyval-generic.c
> @@ -0,0 +1,183 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/*
> + * POLYVAL: hash function for HCTR2.
> + *
> + * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen
> + * Copyright (c) 2009 Intel Corp.
> + * Author: Huang Ying
> + * Copyright 2021 Google LLC
> + */
> +
> +/*
> + * Code based on crypto/ghash-generic.c
> + *
> + * POLYVAL is a keyed hash function similar to GHASH. POLYVAL uses a
> + * different modulus for finite field multiplication which makes hardware
> + * accelerated implementations on little-endian machines faster.
> + *
> + * Like GHASH, POLYVAL is not a cryptographic hash function and should
> + * not be used outside of crypto modes explicitly designed to use POLYVAL.
> + *
> + */

This comment could use some more explanation about the implementation. The
code is using the implementation trick where the multiplication is actually
done using the GHASH field, but it is not explained. Also, it should be
explained why this implementation was chosen. The reason that the GHASH trick
is used instead of doing a POLYVAL native implementation is because in
practice, one of the accelerated implementations will/should be used instead,
right? So this one didn't matter much -- there just had to be a generic
implementation.

There should also be a warning that this implementation isn't constant-time.

- Eric
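Review bot: the second header comment says POLYVAL "uses a different modulus for finite field multiplication" but never states which modulus, nor how the 16-byte blocks map onto field elements (bit and byte order), which is exactly what a reader of code "based on crypto/ghash-generic.c" needs in order to follow the reduction. Suggest replacing that sentence with the explicit reduction polynomial and the block-to-element convention, and pointing at the specification the values come from. Minor: the empty ` *` line immediately before the closing ` */` of that block is a stray trailing line.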
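As an added example (not code from the patch, nor from the kernel's ghash-generic.c), a pure-Python model of both fields that makes the GHASH trick Eric refers to concrete: POLYVAL and GHASH in their own block representations, then POLYVAL computed through GHASH by byte-reversing key and blocks and multiplying the key by x, the identity RFC 8452 specifies. All function names are my own; the bit-serial multiply also shows why a reference implementation of this kind is not constant-time.

```python
# Added example, not code from the patch or the kernel tree. Python ints stand
# in for GF(2)[x]: bit i of the int is the coefficient of x^i.
GHASH_P = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1          # x^128+x^7+x^2+x+1
POLYVAL_P = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1  # x^128+x^127+x^126+x^121+1

def gf128_mul(a, b, poly):
    """Schoolbook multiply mod poly. It branches on every bit of b (the key in
    the hash loop), so it is NOT constant-time: a reference, not production."""
    r = 0
    for i in range(128):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(254, 127, -1):     # reduce the degree-254 product
        if (r >> i) & 1:
            r ^= poly << (i - 128)
    return r

def div_x(a, poly):
    """Multiply by x^-1 mod poly (poly has a constant term, so this is exact)."""
    return ((a ^ poly) if a & 1 else a) >> 1

# Block <-> element maps. POLYVAL: little-endian, LSB of byte 0 is x^0. GHASH:
# bit-reflected, MSB of byte 0 is x^0. ByteReverse therefore maps x^i -> x^(127-i).
def pv_in(b):  return int.from_bytes(b, "little")
def pv_out(v): return v.to_bytes(16, "little")
def gh_in(b):  return int(f"{int.from_bytes(b, 'big'):0128b}"[::-1], 2)
def gh_out(v): return int(f"{v:0128b}"[::-1], 2).to_bytes(16, "big")

def polyval(h, blocks):
    """Native POLYVAL: S_j = dot(S_{j-1} xor X_j, H), dot(a, b) = a*b*x^-128."""
    hh, s = pv_in(h), 0
    for x in blocks:
        s = gf128_mul(s ^ pv_in(x), hh, POLYVAL_P)
        for _ in range(128):
            s = div_x(s, POLYVAL_P)
    return pv_out(s)

def ghash(h, blocks):
    hh, y = gh_in(h), 0
    for x in blocks:                  # Y_j = (Y_{j-1} xor X_j) * H
        y = gf128_mul(y ^ gh_in(x), hh, GHASH_P)
    return gh_out(y)

def mulx_ghash(b):   return gh_out(gf128_mul(gh_in(b), 2, GHASH_P))
def mulx_polyval(b): return pv_out(gf128_mul(pv_in(b), 2, POLYVAL_P))

def polyval_via_ghash(h, blocks):
    """The generic driver's trick (RFC 8452, section 3): POLYVAL(H, X...) =
    ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X)...))."""
    y = ghash(mulx_ghash(h[::-1]), [x[::-1] for x in blocks])
    return y[::-1]
```

Feeding both routes the POLYVAL and mulX test vectors from RFC 8452 Appendix A gives identical results, which is the property the file comment should state.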