Re: [RFC PATCH] crypto: chacha20 - add implementation using 96-bit nonce

2017-12-10 Thread Martin Willi
Hi, > Anyway, I actually thought it was intentional that the ChaCha > implementations in the Linux kernel allowed specifying the block > counter, and therefore allowed seeking to any point in the keystream, > exposing the full functionality of the cipher. If I remember correctly, it was indeed in

Re: [RFC PATCH] crypto: chacha20 - add implementation using 96-bit nonce

2017-12-10 Thread Herbert Xu
Ard Biesheuvel wrote: > As pointed out by Eric [0], the way RFC7539 was interpreted when creating > our implementation of ChaCha20 creates a risk of IV reuse when using a > little endian counter as the IV generator. The reason is that the low end > bits of the counter get mapped onto the ChaCha20

Re: [RFC PATCH] crypto: chacha20 - add implementation using 96-bit nonce

2017-12-08 Thread Ard Biesheuvel
On 8 December 2017 at 23:11, Eric Biggers wrote: > On Fri, Dec 08, 2017 at 10:54:24PM +, Ard Biesheuvel wrote: >> >> Note that there are two conflicting conventions for what inputs ChaCha >> >> takes. >> >> The original paper by Daniel Bernstein >> >> (https://cr.yp.to/chacha/chacha-20080128.

Re: [RFC PATCH] crypto: chacha20 - add implementation using 96-bit nonce

2017-12-08 Thread Eric Biggers
On Fri, Dec 08, 2017 at 10:54:24PM +, Ard Biesheuvel wrote: > >> Note that there are two conflicting conventions for what inputs ChaCha > >> takes. > >> The original paper by Daniel Bernstein > >> (https://cr.yp.to/chacha/chacha-20080128.pdf) says that the block counter > >> is > >> 64-bit an

Re: [RFC PATCH] crypto: chacha20 - add implementation using 96-bit nonce

2017-12-08 Thread Ard Biesheuvel
On 8 December 2017 at 22:42, Ard Biesheuvel wrote: > On 8 December 2017 at 22:17, Eric Biggers wrote: >> On Fri, Dec 08, 2017 at 11:55:02AM +, Ard Biesheuvel wrote: >>> As pointed out by Eric [0], the way RFC7539 was interpreted when creating >>> our implementation of ChaCha20 creates a risk

Re: [RFC PATCH] crypto: chacha20 - add implementation using 96-bit nonce

2017-12-08 Thread Ard Biesheuvel
On 8 December 2017 at 22:17, Eric Biggers wrote: > On Fri, Dec 08, 2017 at 11:55:02AM +, Ard Biesheuvel wrote: >> As pointed out by Eric [0], the way RFC7539 was interpreted when creating >> our implementation of ChaCha20 creates a risk of IV reuse when using a >> little endian counter as the

Re: [RFC PATCH] crypto: chacha20 - add implementation using 96-bit nonce

2017-12-08 Thread Eric Biggers
On Fri, Dec 08, 2017 at 11:55:02AM +, Ard Biesheuvel wrote: > As pointed out by Eric [0], the way RFC7539 was interpreted when creating > our implementation of ChaCha20 creates a risk of IV reuse when using a > little endian counter as the IV generator. The reason is that the low end > bits of
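The IV-reuse risk the thread is discussing can be made concrete. The following is an added example written for this page, not code from the kernel tree or from any of the posters. It assumes the IV layout the thread describes for the kernel's chacha20: the 16-byte IV is loaded as four little-endian 32-bit words, the first of which lands in the block-counter slot (state word 12) and the remaining three in the 96-bit nonce slots. The function names (`chacha20_block`, `kernel_style_keystream`, `counter_iv_shares_keystream`, `nonce_iv`) and the 32-byte key are my own, constructed for the demonstration.

```python
import struct

MASK32 = 0xffffffff


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block in the RFC 7539 layout:
    32-bit block counter in word 12, 96-bit nonce in words 13..15."""
    assert len(key) == 32 and len(nonce) == 12
    state = [0x61707865, 0x3320646e, 0x79622d32, 0x6b206574]
    state += struct.unpack('<8I', key)
    state += [counter & MASK32]
    state += struct.unpack('<3I', nonce)
    w = state[:]
    for _ in range(10):                       # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack('<16I', *[(a + b) & MASK32 for a, b in zip(w, state)])


def kernel_style_keystream(key, iv16, nbytes):
    """Keystream for the IV layout described in the thread (assumption):
    iv[0:4] is the little-endian block counter, iv[4:16] the 96-bit nonce."""
    assert len(iv16) == 16
    (counter,) = struct.unpack('<I', iv16[:4])
    nonce = iv16[4:]
    out = b''
    blk = 0
    while len(out) < nbytes:
        out += chacha20_block(key, counter + blk, nonce)
        blk += 1
    return out[:nbytes]


def counter_iv_shares_keystream(key, seq, nbytes=192):
    """Simulate an IV generator that feeds a little-endian 128-bit message
    counter straight in as the IV. Message seq starts at block seq; message
    seq+1 starts at block seq+1, which is message seq's second block.
    Returns True when the keystreams overlap (the IV-reuse failure)."""
    iv_a = seq.to_bytes(16, 'little')
    iv_b = (seq + 1).to_bytes(16, 'little')
    ks_a = kernel_style_keystream(key, iv_a, nbytes)
    ks_b = kernel_style_keystream(key, iv_b, nbytes)
    return ks_a[64:] == ks_b[:nbytes - 64]


def nonce_iv(seq):
    """Safe layout for the same 16-byte IV: counter word fixed at 0, the
    message sequence number carried entirely in the 96-bit nonce."""
    return b'\x00' * 4 + seq.to_bytes(12, 'little')


if __name__ == '__main__':
    key = bytes(range(32))                    # constructed demo key, not a real secret
    print('counter-as-IV overlaps:', counter_iv_shares_keystream(key, 0))
    a = kernel_style_keystream(key, nonce_iv(0), 192)
    b = kernel_style_keystream(key, nonce_iv(1), 192)
    print('nonce-as-IV overlaps:  ', a[64:] == b[:128])
```

Two messages that share keystream leak `p1 XOR p2` through `c1 XOR c2`, which is why the overlap matters even though no key or nonce is literally repeated. The 96-bit nonce layout in the patch under discussion avoids the problem by keeping the per-message counter out of the block-counter word.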