Received: by 2002:a05:7412:37c9:b0:e2:908c:2ebd with SMTP id jz9csp2434418rdb;
        Thu, 21 Sep 2023 20:27:33 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IHOSNj8opsaE7TzHZ5f3q689Rfd1DWNkxvqP4c9Xuq9pWWLgre/dsCqJGGH1ftINhSqwd2U
X-Received: by 2002:a17:90b:3689:b0:276:dc2f:be9d with SMTP id mj9-20020a17090b368900b00276dc2fbe9dmr4717929pjb.33.1695353253514;
        Thu, 21 Sep 2023 20:27:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695353253; cv=none;
        d=google.com; s=arc-20160816;
        b=YccdyXFIxX9PexhJEYe2QZjahbjfYfZo1xXe4HVsDBRqfuMgUQQKI2ml7lzoX41KZh
         EV1weQnU5qHTsJuhJ3KpdwM6hJBP0adqnXX2Nd5tUq6TL7oFCxX6Ll5+qVQ/XOud1xsD
         zg8MIYq3qc0o+SwWCGEPLVYcefT9fYqztE/SEqxyA85yCB7Hxm+4nz92XtT5e7SDn+4H
         2ZU05Ps9YPlQ1cckzJVF/GCsvCTvNGiM89wMWQm3jcm1BEL8ip/nRw1+cb/ZKOXeRPf+
         XA0yyqnSCWj19F4xqh2gK+5OWTsRHFg1SQx6ghrKVpwUlypi+SUNsFiB4WDAxGBbvmn9
         8ZPg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=JZj+O/SvbABkJiLK5AxpXQjSF5bFc3JA9UiPolkqUXE=;
        fh=UDWDhAO7lJRReNZvubywdGsu9mvQhvlekph1HTPfwkE=;
        b=eR+j4d0cpsMgKWTpQ5aLZhhODXRCqeTD0zKGGwR2AUfnyYcd1pn045I0CnR4jHLzd9
         3cYRpMavzYuAGVWpX3nph5N4NxpEHTL5mqcl9Z7RFhhj/UlSpx9n8oJnCjL0eRws8GRh
         SedcPB7wYiPCdIEE1s6muLVYnoAXBQbqUlE5E4d4g6aeN/qrx5Lk1bvWdEDPcW76z+QG
         3rdV1FJE8PjlWI8cO/3dT13oFo54blaKHN+vJ+UWiF1wO+AazprP+u/ed96MH5axvmic
         qVLd8apUiXHrn79P86FzmMkkQMMLoUD/bCT6Z5so3sn6LJtJ6xozx+A1durdDt/4UmSj
         8ZbA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="jI7/qcOl";
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from howler.vger.email (howler.vger.email. [23.128.96.34])
        by mx.google.com with ESMTPS id gi17-20020a17090b111100b0027491bac826si3028119pjb.140.2023.09.21.20.27.33
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 21 Sep 2023 20:27:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="jI7/qcOl";
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by howler.vger.email (Postfix) with ESMTP id BC27A851B9CA;
	Thu, 21 Sep 2023 20:10:45 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229497AbjIVDKj (ORCPT <rfc822;giovanni.cabiddu@gmail.com>
        + 99 others); Thu, 21 Sep 2023 23:10:39 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47926 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229476AbjIVDKj (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Thu, 21 Sep 2023 23:10:39 -0400
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 99D3C102
        for <linux-crypto@vger.kernel.org>; Thu, 21 Sep 2023 20:10:32 -0700 (PDT)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 20B7CC433C8;
        Fri, 22 Sep 2023 03:10:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1695352232;
        bh=PIaW8pwRk5aS2qNBtO7eK5Mrj5VdfA8PDu73RiKF6wA=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=jI7/qcOl4n/ZGN2TMG9hoA2TY40d1N4fqRAWpgHRiL1r51eaFDxIi/4LEwtv0ELr9
         H+24XPwdHhbKWGD3xGL3N1vNT91tWhkbHANLH/HB8Cjsy+vHM2wjuY2qJFdvrf/+mh
         mXXilD0ORqq9ENEXpwK2fV+1+5tCQ7j46wUODrTfk0bHfTNlpJ24Ec3g2v5JbOd895
         U/mUfmhkcCvP2UzDMBLsj614rlS4125ZzujmDqu2iLzvsbgaet4d2m+ypf7HhaPHFq
         MaSz2wQpGnLiVlykmxbHOMJt+prTswUs9TDVeu42WuBOX2rm4uK29g9QCaeR6DjR2L
         7iLUHklEHqNwA==
Date:   Thu, 21 Sep 2023 20:10:30 -0700
From:   Eric Biggers <ebiggers@kernel.org>
To:     Herbert Xu <herbert@gondor.apana.org.au>
Cc:     Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
        Ard Biesheuvel <ardb@kernel.org>
Subject: Re: [PATCH 4/8] crypto: skcipher - Add lskcipher
Message-ID: <20230922031030.GB935@sol.localdomain>
References: <20230914082828.895403-1-herbert@gondor.apana.org.au>
 <20230914082828.895403-5-herbert@gondor.apana.org.au>
 <20230920062551.GB2739@sol.localdomain>
 <ZQvHUc9rd4ud2NCB@gondor.apana.org.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ZQvHUc9rd4ud2NCB@gondor.apana.org.au>
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Thu, 21 Sep 2023 20:10:46 -0700 (PDT)

On Thu, Sep 21, 2023 at 12:32:17PM +0800, Herbert Xu wrote:
> On Tue, Sep 19, 2023 at 11:25:51PM -0700, Eric Biggers wrote:
> >
> > Is lskcipher only for algorithms that can be computed incrementally?  That would
> > exclude the wide-block modes, and maybe others too.  And if so, what is the
> 
> You mean things like adiantum? 

Yes, wide-block modes such as Adiantum and HCTR2 require multiple passes over
the data.  As do SIV modes such as AES-GCM-SIV (though AES-GCM-SIV isn't yet
supported by the kernel, and it would be an "aead", not an "skcipher").

> We could add a flag for that so
> the skcipher wrapper linearises the input before calling lskcipher.

That makes sense, but I suppose this would mean adding code that allocates huge
scratch buffers, like what the infamous crypto/scompress.c does?  I hope that we
can ensure that these buffers are only allocated when they are actually needed.

> 
> > model for incremental computation?  Based on crypto_lskcipher_crypt_sg(), all
> > the state is assumed to be carried forward in the "IV".  Does that work for all
> > algorithms?  Note that shash has an arbitrary state struct (shash_desc) instead.
> 
> Is there any practical difference? You could always represent
> one as the other, no?
> 
> The only case where it would matter is if an algorithm had both
> an IV as well as additional state that should not be passed along
> as part of the IV, do you have anything in mind?

Well, IV is *initialization vector*: a value that the algorithm uses as input.
It shouldn't be overloaded to represent some internal intermediate state.  We
already made this mistake with the iv vs. iv_out thing, which only ever got
implemented by CBC and CTR, and people repeatedly get confused by.  So we know
it technically works for those two algorithms, but not anything else.

With ChaCha, for example, it makes more sense to use 16-word state matrix as the
intermediate state instead of the 4-word "IV".  (See chacha_crypt().)
Especially for XChaCha, so that the HChaCha step doesn't need to be repeated.

- Eric