Re: [PATCH 1/3] random: replace non-blocking pool with a Chacha20-based CRNG

From: Jeffrey Walton
Date: Wed May 04 2016 - 12:54:18 EST


>> + chacha20_block(&crng->state[0], out);
>> + if (crng->state[12] == 0)
>> + crng->state[13]++;
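Review bot: the carry `if (crng->state[12] == 0) crng->state[13]++;` only does the right thing if `chacha20_block()` has already advanced `state[12]` itself before returning, and nothing in these three lines says that it does; a comment on the carry stating that the block function increments the 32-bit counter in word 12 and that words 12 and 13 are being treated together as a 64-bit counter (word 13 being the first nonce word in a 32-bit-counter layout) would document the intent and spare the next reader the same question.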
>
> state[12]++? Or why do you increment the nonce?

In Bernstein's Salsa and ChaCha, the counter is 64-bit. It appears
ChaCha-TLS uses a 32-bit counter, and the other 32 bits are given to
the nonce.

Maybe the first question to ask is, what ChaCha is the kernel
providing? If it's ChaCha-TLS, then the carry does not make a lot of
sense.

If the generator is limiting the amount of material under a given set
of security parameters (key and nonce), then the generator will likely
re-key itself long before the 256-GB induced wrap. In this case, it
does not matter which ChaCha the kernel is providing and the carry is
superfluous.

Jeff