Re: [PATCH v2] lib/crypto: Add SHA3-224, SHA3-256, SHA3-384, SHA-512, SHAKE128, SHAKE256

Next message: Bryan O'Donoghue: "Re: [PATCH 3/9] dt-bindings: clock: qcom: Add support for CAMCC for Kaanapali"
Previous message: Li Nan: "Re: [PATCH v5 2/2] md: allow configuring logical block size"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ard Biesheuvel

Date: Thu Sep 25 2025 - 04:39:39 EST

On Tue, 23 Sept 2025 at 18:31, David Howells <dhowells@xxxxxxxxxx> wrote:
>
> David Howells <dhowells@xxxxxxxxxx> wrote:
>
> > Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> >
> > > > I assume that pertains to the comment about inlining in some way. This
> > > > is as is in sha3_generic.c. I can move it into the round function if
> > > > you like, but can you tell me what the effect will be?
> > >
> > > The effect will be that the code will align more closely with how the
> > > algorithm is described in the SHA-3 spec and other publications.
> >
> > I meant on the code produced and the stack consumed. It may align with other
> > code, but if it runs off of the end of the stack then alignment is irrelevant.
>
> See commit 4767b9ad7d762876a5865a06465e13e139a01b6b
>
> "crypto: sha3-generic - deal with oversize stack frames"
>
> For some reason (maybe Ard can comment on it), he left the Iota function out
> of the keccakf_round() function.
>

The Iota function is the only transformation that does not operate
purely on the state array, so that would have required passing an
additional u64 into keccakf_round(). But I agree it is slightly
cleaner, although arguably, it should be a separate change.