On Sat, Aug 08, 2020 at 10:07:51AM -0700, Andy Lutomirski wrote:
>> - Cryptographically strong ChaCha, batched
>> - Cryptographically strong ChaCha, with anti-backtracking.
>
> I think we should just anti-backtrack everything. With the "fast key
> erasure" construction, already implemented in my patchset for the
> buffered bytes, this is extremely fast.
The problem is that this is really *amortized* key erasure, and requires large buffers to amortize the cost down to a reasonable level. E.g., if using 256-bit (32-byte) keys, 5% overhead would require generating 640 bytes at a time. Are we okay with ~1K per core for this? Which we might have to throw away occasionally to incorporate fresh seed material? You're right that the simplification in usage is a benefit.
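The construction being debated above, as an added toy illustration that is not code from either patchset: a pure-Python ChaCha20 block function (RFC 8439 layout) driving a fast-key-erasure generator, where the first 32 bytes of every batch replace the key and the rest are buffered output, so the 32/640 overhead figure from the mail falls out directly. The constant nonce, the 640-byte default batch and the class name are my own choices, and Python cannot actually zero the old key in place the way kernel code would.

```python
import struct

MASK32 = 0xFFFFFFFF
KEY_BYTES = 32  # 256-bit key, as in the mail

def _rotl(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte ChaCha20 keystream block: 32-byte key, 12-byte nonce, 32-bit counter."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
             + [counter] + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & MASK32 for i in range(16)))

def erasure_overhead(key_bytes: int, batch_bytes: int) -> float:
    """Fraction of each generated batch spent on the replacement key (32/640 -> 0.05)."""
    return key_bytes / batch_bytes

class FastKeyErasureRNG:
    """Toy fast-key-erasure generator. Each batch is split into a new key and buffered
    output; the old key is dropped, so a later state snapshot cannot regenerate earlier
    output (anti-backtracking). The cost is one extra 32-byte chunk per batch."""
    def __init__(self, seed: bytes, batch_bytes: int = 640):
        assert len(seed) == KEY_BYTES and batch_bytes % 64 == 0 and batch_bytes > KEY_BYTES
        self.key, self.batch_bytes, self.buf = seed, batch_bytes, b""
        self.nonce = bytes(12)  # constant is fine here: the key never repeats across batches
    def _refill(self):
        n_blocks = self.batch_bytes // 64
        batch = b"".join(chacha20_block(self.key, self.nonce, i) for i in range(n_blocks))
        self.key = batch[:KEY_BYTES]   # replacement key (real code zeroes the old one in place)
        self.buf = batch[KEY_BYTES:]   # batch_bytes - 32 bytes of usable output
    def get_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            if not self.buf:
                self._refill()
            take, self.buf = self.buf[:n - len(out)], self.buf[n - len(out):]
            out += take
        return bytes(out)
```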