From: Eric Biggers <ebiggers@kernel.org>
To: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"davem@davemloft.net" <davem@davemloft.net>
Subject: Re: ghash
Date: Fri, 19 Jul 2019 15:35:06 -0700 [thread overview]
Message-ID: <20190719223505.GF1422@gmail.com> (raw)
In-Reply-To: <20190719214811.GE1422@gmail.com>
On Fri, Jul 19, 2019 at 02:48:11PM -0700, Eric Biggers wrote:
> >
> > > So are you proposing that it be renamed? Or are you proposing that a multi
> > > argument hashing API be added? Or are you proposing that universal functions
> > > not be exposed through the crypto API? What specifically is your constructive
> > > suggestion to improve things?
> > >
> > I guess my constructive suggestion *for the future* would be to be more careful
> > with the naming. Don't give something a "known" name if it does not comply with
> > the matching specification. Renaming stuff now is probably counter-productive,
> > but putting some remarks somewhere (near the actual test vectors may work?)
> > about implementation x not actually being known entity X would be nice.
> > (Or even just some reference on where the test vectors came from!)
> >
>
> I think a comment at the top of ghash-generic.c would be helpful, similar to the
> one I wrote in nhpoly1305.c explaining that particular algorithm.
>
> I'm surprised that you spent "days" debugging this, though. Since the API gives
> you a single data stream, surely you would have had to check at some point how
> the two formal arguments (AAD, ciphertext) were encoded into it? Were you just
> passing the whole thing as the AAD or something? Also to reiterate, it actually
> does implement the GHASH algorithm correctly; the two formal parameters just
> have to be encoded into the single data stream in a particular way.
>
Hmm, NIST SP 800-38D actually defines GHASH to take one argument, same as the
Linux version. So even outside Linux, there is no consensus on whether "GHASH"
refers to the one argument or two argument versions.
I.e. even if we had an API where the AAD and ciphertext were passed in
separately, which is apparently what you'd prefer, people would complain that it
doesn't match the NIST standard version.
Of course, in the end the actually important thing is that everyone agrees on
GCM, not that they agree on GHASH.
- Eric
next prev parent reply other threads:[~2019-07-19 22:35 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-19 14:05 ghash Pascal Van Leeuwen
2019-07-19 16:16 ` ghash Eric Biggers
2019-07-19 19:26 ` ghash Pascal Van Leeuwen
2019-07-19 19:56 ` ghash Eric Biggers
2019-07-19 20:49 ` ghash Pascal Van Leeuwen
2019-07-19 21:48 ` ghash Eric Biggers
2019-07-19 22:35 ` Eric Biggers [this message]
2019-07-19 23:25 ` ghash Pascal Van Leeuwen
2019-07-19 23:09 ` ghash Pascal Van Leeuwen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190719223505.GF1422@gmail.com \
--to=ebiggers@kernel.org \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=pvanleeuwen@verimatrix.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).