diff options
| author | Eric Biggers <ebiggers@google.com> | 2018-12-06 17:21:59 -0500 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2018-12-13 05:24:59 -0500 |
| commit | c6018e1a00b5c70610cdfb3650cc5622c917ed17 (patch) | |
| tree | 91e7c5e6088a062158e84d1efa9e561d9b6a57f2 | |
| parent | 282c14852d00d6d1b8fadf3e01e4180f02ddda84 (diff) | |
crypto: adiantum - adjust some comments to match latest paper
The 2018-11-28 revision of the Adiantum paper has revised some notation:
- 'M' was replaced with 'L' (meaning "Left", for the left-hand part of
the message) in the definition of Adiantum hashing, to avoid confusion
with the full message
- ε-almost-∆-universal is now abbreviated as ε-∆U instead of εA∆U
- "block" is now used only to mean block cipher and Poly1305 blocks
Also, Adiantum hashing was moved from the appendix to the main paper.
To avoid confusion, update relevant comments in the code to match.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| -rw-r--r-- | crypto/adiantum.c | 35 | ||||
| -rw-r--r-- | crypto/nhpoly1305.c | 8 |
2 files changed, 23 insertions, 20 deletions
diff --git a/crypto/adiantum.c b/crypto/adiantum.c index ca27e0dc2958..e62e34f5e389 100644 --- a/crypto/adiantum.c +++ b/crypto/adiantum.c | |||
| @@ -9,7 +9,7 @@ | |||
| 9 | * Adiantum is a tweakable, length-preserving encryption mode designed for fast | 9 | * Adiantum is a tweakable, length-preserving encryption mode designed for fast |
| 10 | * and secure disk encryption, especially on CPUs without dedicated crypto | 10 | * and secure disk encryption, especially on CPUs without dedicated crypto |
| 11 | * instructions. Adiantum encrypts each sector using the XChaCha12 stream | 11 | * instructions. Adiantum encrypts each sector using the XChaCha12 stream |
| 12 | * cipher, two passes of an ε-almost-∆-universal (εA∆U) hash function based on | 12 | * cipher, two passes of an ε-almost-∆-universal (ε-∆U) hash function based on |
| 13 | * NH and Poly1305, and an invocation of the AES-256 block cipher on a single | 13 | * NH and Poly1305, and an invocation of the AES-256 block cipher on a single |
| 14 | * 16-byte block. See the paper for details: | 14 | * 16-byte block. See the paper for details: |
| 15 | * | 15 | * |
| @@ -21,12 +21,12 @@ | |||
| 21 | * - Stream cipher: XChaCha12 or XChaCha20 | 21 | * - Stream cipher: XChaCha12 or XChaCha20 |
| 22 | * - Block cipher: any with a 128-bit block size and 256-bit key | 22 | * - Block cipher: any with a 128-bit block size and 256-bit key |
| 23 | * | 23 | * |
| 24 | * This implementation doesn't currently allow other εA∆U hash functions, i.e. | 24 | * This implementation doesn't currently allow other ε-∆U hash functions, i.e. |
| 25 | * HPolyC is not supported. This is because Adiantum is ~20% faster than HPolyC | 25 | * HPolyC is not supported. This is because Adiantum is ~20% faster than HPolyC |
| 26 | * but still provably as secure, and also the εA∆U hash function of HBSH is | 26 | * but still provably as secure, and also the ε-∆U hash function of HBSH is |
| 27 | * formally defined to take two inputs (tweak, message) which makes it difficult | 27 | * formally defined to take two inputs (tweak, message) which makes it difficult |
| 28 | * to wrap with the crypto_shash API. Rather, some details need to be handled | 28 | * to wrap with the crypto_shash API. Rather, some details need to be handled |
| 29 | * here. Nevertheless, if needed in the future, support for other εA∆U hash | 29 | * here. Nevertheless, if needed in the future, support for other ε-∆U hash |
| 30 | * functions could be added here. | 30 | * functions could be added here. |
| 31 | */ | 31 | */ |
| 32 | 32 | ||
| @@ -41,7 +41,7 @@ | |||
| 41 | #include "internal.h" | 41 | #include "internal.h" |
| 42 | 42 | ||
| 43 | /* | 43 | /* |
| 44 | * Size of right-hand block of input data, in bytes; also the size of the block | 44 | * Size of right-hand part of input data, in bytes; also the size of the block |
| 45 | * cipher's block size and the hash function's output. | 45 | * cipher's block size and the hash function's output. |
| 46 | */ | 46 | */ |
| 47 | #define BLOCKCIPHER_BLOCK_SIZE 16 | 47 | #define BLOCKCIPHER_BLOCK_SIZE 16 |
| @@ -77,7 +77,7 @@ struct adiantum_tfm_ctx { | |||
| 77 | struct adiantum_request_ctx { | 77 | struct adiantum_request_ctx { |
| 78 | 78 | ||
| 79 | /* | 79 | /* |
| 80 | * Buffer for right-hand block of data, i.e. | 80 | * Buffer for right-hand part of data, i.e. |
| 81 | * | 81 | * |
| 82 | * P_L => P_M => C_M => C_R when encrypting, or | 82 | * P_L => P_M => C_M => C_R when encrypting, or |
| 83 | * C_R => C_M => P_M => P_L when decrypting. | 83 | * C_R => C_M => P_M => P_L when decrypting. |
| @@ -93,8 +93,8 @@ struct adiantum_request_ctx { | |||
| 93 | bool enc; /* true if encrypting, false if decrypting */ | 93 | bool enc; /* true if encrypting, false if decrypting */ |
| 94 | 94 | ||
| 95 | /* | 95 | /* |
| 96 | * The result of the Poly1305 εA∆U hash function applied to | 96 | * The result of the Poly1305 ε-∆U hash function applied to |
| 97 | * (message length, tweak). | 97 | * (bulk length, tweak) |
| 98 | */ | 98 | */ |
| 99 | le128 header_hash; | 99 | le128 header_hash; |
| 100 | 100 | ||
| @@ -213,13 +213,16 @@ static inline void le128_sub(le128 *r, const le128 *v1, const le128 *v2) | |||
| 213 | } | 213 | } |
| 214 | 214 | ||
| 215 | /* | 215 | /* |
| 216 | * Apply the Poly1305 εA∆U hash function to (message length, tweak) and save the | 216 | * Apply the Poly1305 ε-∆U hash function to (bulk length, tweak) and save the |
| 217 | * result to rctx->header_hash. | 217 | * result to rctx->header_hash. This is the calculation |
| 218 | * | 218 | * |
| 219 | * This value is reused in both the first and second hash steps. Specifically, | 219 | * H_T ← Poly1305_{K_T}(bin_{128}(|L|) || T) |
| 220 | * it's added to the result of an independently keyed εA∆U hash function (for | 220 | * |
| 221 | * equal length inputs only) taken over the message. This gives the overall | 221 | * from the procedure in section 6.4 of the Adiantum paper. The resulting value |
| 222 | * Adiantum hash of the (tweak, message) pair. | 222 | * is reused in both the first and second hash steps. Specifically, it's added |
| 223 | * to the result of an independently keyed ε-∆U hash function (for equal length | ||
| 224 | * inputs only) taken over the left-hand part (the "bulk") of the message, to | ||
| 225 | * give the overall Adiantum hash of the (tweak, left-hand part) pair. | ||
| 223 | */ | 226 | */ |
| 224 | static void adiantum_hash_header(struct skcipher_request *req) | 227 | static void adiantum_hash_header(struct skcipher_request *req) |
| 225 | { | 228 | { |
| @@ -248,7 +251,7 @@ static void adiantum_hash_header(struct skcipher_request *req) | |||
| 248 | poly1305_core_emit(&state, &rctx->header_hash); | 251 | poly1305_core_emit(&state, &rctx->header_hash); |
| 249 | } | 252 | } |
| 250 | 253 | ||
| 251 | /* Hash the left-hand block (the "bulk") of the message using NHPoly1305 */ | 254 | /* Hash the left-hand part (the "bulk") of the message using NHPoly1305 */ |
| 252 | static int adiantum_hash_message(struct skcipher_request *req, | 255 | static int adiantum_hash_message(struct skcipher_request *req, |
| 253 | struct scatterlist *sgl, le128 *digest) | 256 | struct scatterlist *sgl, le128 *digest) |
| 254 | { | 257 | { |
| @@ -550,7 +553,7 @@ static int adiantum_create(struct crypto_template *tmpl, struct rtattr **tb) | |||
| 550 | goto out_drop_streamcipher; | 553 | goto out_drop_streamcipher; |
| 551 | blockcipher_alg = ictx->blockcipher_spawn.alg; | 554 | blockcipher_alg = ictx->blockcipher_spawn.alg; |
| 552 | 555 | ||
| 553 | /* NHPoly1305 εA∆U hash function */ | 556 | /* NHPoly1305 ε-∆U hash function */ |
| 554 | _hash_alg = crypto_alg_mod_lookup(nhpoly1305_name, | 557 | _hash_alg = crypto_alg_mod_lookup(nhpoly1305_name, |
| 555 | CRYPTO_ALG_TYPE_SHASH, | 558 | CRYPTO_ALG_TYPE_SHASH, |
| 556 | CRYPTO_ALG_TYPE_MASK); | 559 | CRYPTO_ALG_TYPE_MASK); |
diff --git a/crypto/nhpoly1305.c b/crypto/nhpoly1305.c index c8385853f699..ec831a5594d8 100644 --- a/crypto/nhpoly1305.c +++ b/crypto/nhpoly1305.c | |||
| @@ -9,15 +9,15 @@ | |||
| 9 | * "NHPoly1305" is the main component of Adiantum hashing. | 9 | * "NHPoly1305" is the main component of Adiantum hashing. |
| 10 | * Specifically, it is the calculation | 10 | * Specifically, it is the calculation |
| 11 | * | 11 | * |
| 12 | * H_M ← Poly1305_{K_M}(NH_{K_N}(pad_{128}(M))) | 12 | * H_L ← Poly1305_{K_L}(NH_{K_N}(pad_{128}(L))) |
| 13 | * | 13 | * |
| 14 | * from the procedure in section A.5 of the Adiantum paper [1]. It is an | 14 | * from the procedure in section 6.4 of the Adiantum paper [1]. It is an |
| 15 | * ε-almost-∆-universal (εA∆U) hash function for equal-length inputs over | 15 | * ε-almost-∆-universal (ε-∆U) hash function for equal-length inputs over |
| 16 | * Z/(2^{128}Z), where the "∆" operation is addition. It hashes 1024-byte | 16 | * Z/(2^{128}Z), where the "∆" operation is addition. It hashes 1024-byte |
| 17 | * chunks of the input with the NH hash function [2], reducing the input length | 17 | * chunks of the input with the NH hash function [2], reducing the input length |
| 18 | * by 32x. The resulting NH digests are evaluated as a polynomial in | 18 | * by 32x. The resulting NH digests are evaluated as a polynomial in |
| 19 | * GF(2^{130}-5), like in the Poly1305 MAC [3]. Note that the polynomial | 19 | * GF(2^{130}-5), like in the Poly1305 MAC [3]. Note that the polynomial |
| 20 | * evaluation by itself would suffice to achieve the εA∆U property; NH is used | 20 | * evaluation by itself would suffice to achieve the ε-∆U property; NH is used |
| 21 | * for performance since it's over twice as fast as Poly1305. | 21 | * for performance since it's over twice as fast as Poly1305. |
| 22 | * | 22 | * |
| 23 | * This is *not* a cryptographic hash function; do not use it as such! | 23 | * This is *not* a cryptographic hash function; do not use it as such! |