diff for duplicates of <20181015175424.97147-12-ebiggers@kernel.org> diff --git a/a/1.txt b/N1/1.txt index c17590d..a6a6488 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -11,7 +11,7 @@ See our paper for full details; this patch only provides an overview. Adiantum is a tweakable, length-preserving encryption mode designed for fast and secure disk encryption, especially on CPUs without dedicated crypto instructions. Adiantum encrypts each sector using the XChaCha12 -stream cipher, two passes of an ε-almost-∆-universal (εA∆U) hash +stream cipher, two passes of an ?-almost-?-universal (?A?U) hash function, and an invocation of the AES-256 block cipher on a single 16-byte block. On CPUs without AES instructions, Adiantum is much faster than AES-XTS; for example, on ARM Cortex-A7, on 4096-byte sectors @@ -20,8 +20,8 @@ and decryption about 5 times faster. Adiantum is a specialization of the more general HBSH construction. Our earlier proposal, HPolyC, was also a HBSH specialization, but it used a -different εA∆U hash function, one based on Poly1305 only. Adiantum's -εA∆U hash function, which is based primarily on the "NH" hash function +different ?A?U hash function, one based on Poly1305 only. Adiantum's +?A?U hash function, which is based primarily on the "NH" hash function like that used in UMAC (RFC4418), is about twice as fast as HPolyC's; consequently, Adiantum is about 20% faster than HPolyC. @@ -30,7 +30,7 @@ secure as HPolyC, in fact slightly *more* secure. Like HPolyC, Adiantum's security is reducible to that of XChaCha12 and AES-256, subject to a security bound. XChaCha12 itself has a security reduction to ChaCha12. Therefore, one need not "trust" Adiantum; one need only -trust ChaCha12 and AES-256. Note that the εA∆U hash function is only +trust ChaCha12 and AES-256. Note that the ?A?U hash function is only used for its proven combinatorical properties so cannot be "broken". Adiantum is also a true wide-block encryption mode, so flipping any 
@@ -105,7 +105,7 @@ index 431beca903623..d60a8575049c0 100644 + designed for fast and secure disk encryption, especially on + CPUs without dedicated crypto instructions. It encrypts + each sector using the XChaCha12 stream cipher, two passes of -+ an ε-almost-∆-universal hash function, and an invocation of ++ an ?-almost-?-universal hash function, and an invocation of + the AES-256 block cipher on a single 16-byte block. On CPUs + without AES instructions, Adiantum is much faster than + AES-XTS. @@ -150,7 +150,7 @@ index 0000000000000..b5738ea2f98f5 + * Adiantum is a tweakable, length-preserving encryption mode designed for fast + * and secure disk encryption, especially on CPUs without dedicated crypto + * instructions. Adiantum encrypts each sector using the XChaCha12 stream -+ * cipher, two passes of an ε-almost-∆-universal (εA∆U) hash function based on ++ * cipher, two passes of an ?-almost-?-universal (?A?U) hash function based on + * NH and Poly1305, and an invocation of the AES-256 block cipher on a single + * 16-byte block. See the paper for details: + * 
@@ -162,12 +162,12 @@ index 0000000000000..b5738ea2f98f5 + * - Stream cipher: XChaCha12 or XChaCha20 + * - Block cipher: any with a 128-bit block size and 256-bit key + * -+ * This implementation doesn't currently allow other εA∆U hash functions, i.e. ++ * This implementation doesn't currently allow other ?A?U hash functions, i.e. + * HPolyC is not supported. This is because Adiantum is ~20% faster than HPolyC -+ * but still provably as secure, and also the εA∆U hash function of HBSH is ++ * but still provably as secure, and also the ?A?U hash function of HBSH is + * formally defined to take two inputs (tweak, message) which makes it difficult + * to wrap with the crypto_shash API. Rather, some details need to be handled -+ * here. Nevertheless, if needed in the future, support for other εA∆U hash ++ * here. Nevertheless, if needed in the future, support for other ?A?U hash + * functions could be added here. + */ + @@ -234,7 +234,7 @@ index 0000000000000..b5738ea2f98f5 + bool enc; /* true if encrypting, false if decrypting */ + + /* -+ * The result of the Poly1305 εA∆U hash function applied to ++ * The result of the Poly1305 ?A?U hash function applied to + * (message length, tweak). + */ + le128 header_hash; @@ -354,11 +354,11 @@ index 0000000000000..b5738ea2f98f5 +} + +/* -+ * Apply the Poly1305 εA∆U hash function to (message length, tweak) and save the ++ * Apply the Poly1305 ?A?U hash function to (message length, tweak) and save the + * result to rctx->header_hash. + * + * This value is reused in both the first and second hash steps. Specifically, -+ * it's added to the result of an independently keyed εA∆U hash function (for ++ * it's added to the result of an independently keyed ?A?U hash function (for + * equal length inputs only) taken over the message. This gives the overall + * Adiantum hash of the (tweak, message) pair. + */ 
@@ -683,7 +683,7 @@ index 0000000000000..b5738ea2f98f5 + goto out_drop_streamcipher; + blockcipher_alg = ictx->blockcipher_spawn.alg; + -+ /* NHPoly1305 εA∆U hash function */ ++ /* NHPoly1305 ?A?U hash function */ + _hash_alg = crypto_alg_mod_lookup("nhpoly1305", CRYPTO_ALG_TYPE_SHASH, + CRYPTO_ALG_TYPE_MASK); + if (IS_ERR(_hash_alg)) { diff --git a/a/content_digest b/N1/content_digest index 323e0e9..806d653 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -1,18 +1,8 @@ "ref\020181015175424.97147-1-ebiggers@kernel.org\0" - "From\0Eric Biggers <ebiggers@kernel.org>\0" + "From\0ebiggers@kernel.org (Eric Biggers)\0" "Subject\0[RFC PATCH v2 11/12] crypto: adiantum - add Adiantum support\0" "Date\0Mon, 15 Oct 2018 10:54:23 -0700\0" - "To\0linux-crypto@vger.kernel.org\0" - "Cc\0linux-fscrypt@vger.kernel.org" - linux-arm-kernel@lists.infradead.org - linux-kernel@vger.kernel.org - Herbert Xu <herbert@gondor.apana.org.au> - Paul Crowley <paulcrowley@google.com> - Greg Kaiser <gkaiser@google.com> - Michael Halcrow <mhalcrow@google.com> - Jason A . Donenfeld <Jason@zx2c4.com> - Samuel Neves <samuel.c.p.neves@gmail.com> - " Tomer Ashur <tomer.ashur@esat.kuleuven.be>\0" + "To\0linux-arm-kernel@lists.infradead.org\0" "\00:1\0" "b\0" "From: Eric Biggers <ebiggers@google.com>\n" @@ -28,7 +18,7 @@ "Adiantum is a tweakable, length-preserving encryption mode designed for\n" "fast and secure disk encryption, especially on CPUs without dedicated\n" "crypto instructions. Adiantum encrypts each sector using the XChaCha12\n" - "stream cipher, two passes of an \316\265-almost-\342\210\206-universal (\316\265A\342\210\206U) hash\n" + "stream cipher, two passes of an ?-almost-?-universal (?A?U) hash\n" "function, and an invocation of the AES-256 block cipher on a single\n" "16-byte block. On CPUs without AES instructions, Adiantum is much\n" "faster than AES-XTS; for example, on ARM Cortex-A7, on 4096-byte sectors\n" 
@@ -37,8 +27,8 @@ "\n" "Adiantum is a specialization of the more general HBSH construction. Our\n" "earlier proposal, HPolyC, was also a HBSH specialization, but it used a\n" - "different \316\265A\342\210\206U hash function, one based on Poly1305 only. Adiantum's\n" - "\316\265A\342\210\206U hash function, which is based primarily on the \"NH\" hash function\n" + "different ?A?U hash function, one based on Poly1305 only. Adiantum's\n" + "?A?U hash function, which is based primarily on the \"NH\" hash function\n" "like that used in UMAC (RFC4418), is about twice as fast as HPolyC's;\n" "consequently, Adiantum is about 20% faster than HPolyC.\n" "\n" @@ -47,7 +37,7 @@ "Adiantum's security is reducible to that of XChaCha12 and AES-256,\n" "subject to a security bound. XChaCha12 itself has a security reduction\n" "to ChaCha12. Therefore, one need not \"trust\" Adiantum; one need only\n" - "trust ChaCha12 and AES-256. Note that the \316\265A\342\210\206U hash function is only\n" + "trust ChaCha12 and AES-256. Note that the ?A?U hash function is only\n" "used for its proven combinatorical properties so cannot be \"broken\".\n" "\n" "Adiantum is also a true wide-block encryption mode, so flipping any\n" @@ -122,7 +112,7 @@ "+\t designed for fast and secure disk encryption, especially on\n" "+\t CPUs without dedicated crypto instructions. It encrypts\n" "+\t each sector using the XChaCha12 stream cipher, two passes of\n" - "+\t an \316\265-almost-\342\210\206-universal hash function, and an invocation of\n" + "+\t an ?-almost-?-universal hash function, and an invocation of\n" "+\t the AES-256 block cipher on a single 16-byte block. On CPUs\n" "+\t without AES instructions, Adiantum is much faster than\n" "+\t AES-XTS.\n" 
@@ -167,7 +157,7 @@ "+ * Adiantum is a tweakable, length-preserving encryption mode designed for fast\n" "+ * and secure disk encryption, especially on CPUs without dedicated crypto\n" "+ * instructions. Adiantum encrypts each sector using the XChaCha12 stream\n" - "+ * cipher, two passes of an \316\265-almost-\342\210\206-universal (\316\265A\342\210\206U) hash function based on\n" + "+ * cipher, two passes of an ?-almost-?-universal (?A?U) hash function based on\n" "+ * NH and Poly1305, and an invocation of the AES-256 block cipher on a single\n" "+ * 16-byte block. See the paper for details:\n" "+ *\n" @@ -179,12 +169,12 @@ "+ *\t- Stream cipher: XChaCha12 or XChaCha20\n" "+ *\t- Block cipher: any with a 128-bit block size and 256-bit key\n" "+ *\n" - "+ * This implementation doesn't currently allow other \316\265A\342\210\206U hash functions, i.e.\n" + "+ * This implementation doesn't currently allow other ?A?U hash functions, i.e.\n" "+ * HPolyC is not supported. This is because Adiantum is ~20% faster than HPolyC\n" - "+ * but still provably as secure, and also the \316\265A\342\210\206U hash function of HBSH is\n" + "+ * but still provably as secure, and also the ?A?U hash function of HBSH is\n" "+ * formally defined to take two inputs (tweak, message) which makes it difficult\n" "+ * to wrap with the crypto_shash API. Rather, some details need to be handled\n" - "+ * here. Nevertheless, if needed in the future, support for other \316\265A\342\210\206U hash\n" + "+ * here. Nevertheless, if needed in the future, support for other ?A?U hash\n" "+ * functions could be added here.\n" "+ */\n" "+\n" @@ -251,7 +241,7 @@ "+\tbool enc; /* true if encrypting, false if decrypting */\n" "+\n" "+\t/*\n" - "+\t * The result of the Poly1305 \316\265A\342\210\206U hash function applied to\n" + "+\t * The result of the Poly1305 ?A?U hash function applied to\n" "+\t * (message length, tweak).\n" "+\t */\n" "+\tle128 header_hash;\n" 
@@ -371,11 +361,11 @@ "+}\n" "+\n" "+/*\n" - "+ * Apply the Poly1305 \316\265A\342\210\206U hash function to (message length, tweak) and save the\n" + "+ * Apply the Poly1305 ?A?U hash function to (message length, tweak) and save the\n" "+ * result to rctx->header_hash.\n" "+ *\n" "+ * This value is reused in both the first and second hash steps. Specifically,\n" - "+ * it's added to the result of an independently keyed \316\265A\342\210\206U hash function (for\n" + "+ * it's added to the result of an independently keyed ?A?U hash function (for\n" "+ * equal length inputs only) taken over the message. This gives the overall\n" "+ * Adiantum hash of the (tweak, message) pair.\n" "+ */\n" @@ -700,7 +690,7 @@ "+\t\tgoto out_drop_streamcipher;\n" "+\tblockcipher_alg = ictx->blockcipher_spawn.alg;\n" "+\n" - "+\t/* NHPoly1305 \316\265A\342\210\206U hash function */\n" + "+\t/* NHPoly1305 ?A?U hash function */\n" "+\t_hash_alg = crypto_alg_mod_lookup(\"nhpoly1305\", CRYPTO_ALG_TYPE_SHASH,\n" "+\t\t\t\t\t CRYPTO_ALG_TYPE_MASK);\n" "+\tif (IS_ERR(_hash_alg)) {\n" @@ -1302,4 +1292,4 @@ "-- \n" 2.19.1.331.ge82ca0e54c-goog -8f9c069658fbfde0ba697cfd998d2ca7f7152b345f53c67f35d73a4f1cf7f1cf +c4440f6c694fa3ab8238af4b982a83e230d7f95167df93fa4d00a8c8dc8145e0
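Review bot: every content difference between a/1.txt and N1/1.txt in the hunks above is the same lossy substitution, the UTF-8 characters ε and ∆ of "ε-almost-∆-universal (εA∆U)" replaced by "?" in the commit message, in the Kconfig help text, and in the comments of the newly added adiantum.c (the header comment, the "This implementation doesn't currently allow other εA∆U hash functions" paragraph, the header_hash field comment, the Poly1305 hash helper comment and the "NHPoly1305 εA∆U hash function" comment). The N1 copy is therefore the one that lost its 8-bit characters in transit, and it should not be the copy handed to git am, because the "?A?U" spelling would be committed verbatim into the crypto/adiantum.c source; apply the patch from the a/ copy, which still carries the original characters.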
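Review bot: the content_digest hunk shows that the N1 copy also had its headers rewritten, not only its body: From is reformatted as "ebiggers@kernel.org (Eric Biggers)", To changed from linux-crypto@vger.kernel.org to linux-arm-kernel@lists.infradead.org, and the entire Cc list (linux-fscrypt, linux-kernel, Herbert Xu, Paul Crowley, Greg Kaiser, Michael Halcrow, Jason A. Donenfeld, Samuel Neves, Tomer Ashur) is gone. Together with the escaped byte sequences \316\265 and \342\210\206 surviving only on the a/ side, this is consistent with one list archive having re-encoded and re-addressed the same message rather than with a second revision of the patch; the two trailing digest values differ solely because of these transformations, so the a/ copy is the authoritative one for both the patch content and the recipient list.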