Received: by 2002:a05:7412:b130:b0:e2:908c:2ebd with SMTP id az48csp317764rdb;
        Thu, 16 Nov 2023 22:31:12 -0800 (PST)
X-Google-Smtp-Source: AGHT+IEwAuTW3f9CvdE3EW48DjAyaNUOV6jV3fXa01BEwCI035dhVH96E8Rfe+i3y/7VW96d95y5
X-Received: by 2002:a05:620a:d82:b0:77b:c85b:5adf with SMTP id q2-20020a05620a0d8200b0077bc85b5adfmr11791539qkl.52.1700202672783;
        Thu, 16 Nov 2023 22:31:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1700202672; cv=none;
        d=google.com; s=arc-20160816;
        b=Znu4deKfrAO7D3G3UkdtlR7+rBIWZ1i3AYraybU/3hC39uvUvqaznqd06Flakh3OSj
         +LiQEm7fiIXYcMDdx8Qq+75p5vLzEq0hXuK004qTah7FaDxNTtI1FczWvx4tcIVA93IP
         axfM8roy7+L3LxcsG7ysC5hFP2gcOxl7SOfc1uuXofhwMOfDg6HsiKOgk7ayAwwm/nNf
         zfNEUNhDpjMLVomf/v/y40cRrYlRrSwMOmRp1Pf5c80BuFXrAKzqK3wcVnIs13WGIWHg
         GnpdcCjrXEsOpA341tt0/cDVWebxSTvqELkNyNQ8yhCTfRBR20bu9Ms6xOzt9WjaVF0u
         jAZg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=Ph4PxtSv5p+2ZsHXThAAVSE/GJlzW4bi3zzriJ/5R9w=;
        fh=UDWDhAO7lJRReNZvubywdGsu9mvQhvlekph1HTPfwkE=;
        b=GMPy/q/s+fodduOHy9VMUgGogz6JDxQzM8bGPsBSHSCY/BGH0lHybHHge9Bazevw7H
         8UEE1uS8M3uiFiux0vV4lDBaOedkaXZ0DuJebB7TqoVlJUlEZNqMKY1sE0/JxoJAoSW7
         te9Xe8wnyXtNdGv1hpG8NfhKDjakDVWMc1HeCTbTF9fe1q2z6TLmyTPeBSqPiyM6ZMCa
         0kkVEIpBDc6LpWiamkviBAgGzLGKNQ2Q7fR2yO/2GsHxXCnnO8eTrs3AVyHj2gVDADvR
         Mb77WRmz0xNemJGBVtb6HrrG8cOKhgEOE1vtFpOv/CRXYuu8HCI0w1xqQzam+eY8uQNC
         a3bg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=YtxSaE7P;
       spf=pass (google.com: domain of linux-crypto+bounces-143-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-crypto+bounces-143-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-crypto+bounces-143-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id d20-20020a05620a137400b007742221bc37si1143713qkl.747.2023.11.16.22.31.12
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 Nov 2023 22:31:12 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-crypto+bounces-143-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=YtxSaE7P;
       spf=pass (google.com: domain of linux-crypto+bounces-143-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-crypto+bounces-143-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 769151C20864
	for <linux.lists.archive@gmail.com>; Fri, 17 Nov 2023 06:31:12 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id D3B1ADDA7
	for <linux.lists.archive@gmail.com>; Fri, 17 Nov 2023 06:31:11 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="YtxSaE7P"
X-Original-To: linux-crypto@vger.kernel.org
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D364DD2E4
	for <linux-crypto@vger.kernel.org>; Fri, 17 Nov 2023 05:42:33 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1EAFBC433C7;
	Fri, 17 Nov 2023 05:42:33 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1700199753;
	bh=S9dNt7ZOYbC1iee2trtrwbsJ/Ko5JOnzMwlVQNF0HPE=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=YtxSaE7PC/mnKDKuyd2+8N5AX+etT8u0KnvfcihDuNG7+tIJN8Q5gPwz4UNWKtjwq
	 O50x6QewNZ+Ru1YsCBFrVEaeNcjKHyD+ZOmjCMLKJmpFx8Nk06fBBGvTWMAudaVXdD
	 IzSKmsCRRh5mzx2jMAQowxeQGzhkSw/dKZR9GK6g9MYOys3vY5qGdMgwtCJqDKve6/
	 OuIF3RdxBwkt2bUJ4m43ChGj8Jof+YYWQh4Lp+RqopKvNi9iT5AmoekAPlcB61zi+w
	 w2+kPPfHNL2EKI5K7DWCXaSICfRheMz+pjnwb7VP7w32eEKk4eBd9cPXJt4iwc2WI4
	 SVB5tQygfR7JA==
Date: Thu, 16 Nov 2023 21:42:31 -0800
From: Eric Biggers <ebiggers@kernel.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
	Ard Biesheuvel <ardb@kernel.org>
Subject: Re: [PATCH 4/8] crypto: skcipher - Add lskcipher
Message-ID: <20231117054231.GC972@sol.localdomain>
References: <20230914082828.895403-1-herbert@gondor.apana.org.au>
 <20230914082828.895403-5-herbert@gondor.apana.org.au>
 <20230920062551.GB2739@sol.localdomain>
 <ZQvHUc9rd4ud2NCB@gondor.apana.org.au>
 <20230922031030.GB935@sol.localdomain>
 <ZVb38sHNJYJ9x0po@gondor.apana.org.au>
Precedence: bulk
X-Mailing-List: linux-crypto@vger.kernel.org
List-Id: <linux-crypto.vger.kernel.org>
List-Subscribe: <mailto:linux-crypto+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-crypto+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ZVb38sHNJYJ9x0po@gondor.apana.org.au>

On Fri, Nov 17, 2023 at 01:19:46PM +0800, Herbert Xu wrote:
> On Thu, Sep 21, 2023 at 08:10:30PM -0700, Eric Biggers wrote:
> >
> > Well, IV is *initialization vector*: a value that the algorithm uses as input.
> > It shouldn't be overloaded to represent some internal intermediate state.  We
> > already made this mistake with the iv vs. iv_out thing, which only ever got
> > implemented by CBC and CTR, and people repeatedly get confused by.  So we know
> > it technically works for those two algorithms, but not anything else.
> > 
> > With ChaCha, for example, it makes more sense to use 16-word state matrix as the
> > intermediate state instead of the 4-word "IV".  (See chacha_crypt().)
> > Especially for XChaCha, so that the HChaCha step doesn't need to be repeated.
> 
> Fair enough, but what's the point of keeping the internal state
> across two lskcipher calls? The whole point of lskcipher is that the
> input is linear and can be processed in one go.
> 
> With shash we must keep the internal state because the API operates
> on the update/final model so we need multiple suboperations to finish
> each hashing operation.
> 
> With ciphers we haven't traditionally done it that way.  Are you
> thinking of extending lskcipher so that it is more like hashing, with
> an explicit finalisation step?

crypto_lskcipher_crypt_sg() assumes that a single en/decryption operation can be
broken up into multiple ones.  I think you're arguing that since there's no
"init" or "final", these sub-en/decryptions aren't analogous to "update" but
rather are full en/decryptions that happen to combine to create the larger one.
So sure, looking at it that way, the input/output IV does make sense, though it
does mean that we end up with the confusing "output IV" terminology as well as
having to repeat any setup code, e.g. HChaCha, that some algorithms have.

- Eric