diff options
author | Eric Biggers <ebiggers@google.com> | 2018-12-06 14:21:59 -0800 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2018-12-13 18:24:59 +0800 |
commit | c6018e1a00b5c70610cdfb3650cc5622c917ed17 (patch) | |
tree | 91e7c5e6088a062158e84d1efa9e561d9b6a57f2 /crypto/nhpoly1305.c | |
parent | 282c14852d00d6d1b8fadf3e01e4180f02ddda84 (diff) | |
download | lwn-c6018e1a00b5c70610cdfb3650cc5622c917ed17.tar.gz lwn-c6018e1a00b5c70610cdfb3650cc5622c917ed17.zip |
crypto: adiantum - adjust some comments to match latest paper
The 2018-11-28 revision of the Adiantum paper has revised some notation:
- 'M' was replaced with 'L' (meaning "Left", for the left-hand part of
the message) in the definition of Adiantum hashing, to avoid confusion
with the full message
- ε-almost-∆-universal is now abbreviated as ε-∆U instead of εA∆U
- "block" is now used only to mean block cipher and Poly1305 blocks
Also, Adiantum hashing was moved from the appendix to the main paper.
To avoid confusion, update relevant comments in the code to match.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto/nhpoly1305.c')
-rw-r--r-- | crypto/nhpoly1305.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/crypto/nhpoly1305.c b/crypto/nhpoly1305.c index c8385853f699..ec831a5594d8 100644 --- a/crypto/nhpoly1305.c +++ b/crypto/nhpoly1305.c @@ -9,15 +9,15 @@ * "NHPoly1305" is the main component of Adiantum hashing. * Specifically, it is the calculation * - * H_M ← Poly1305_{K_M}(NH_{K_N}(pad_{128}(M))) + * H_L ← Poly1305_{K_L}(NH_{K_N}(pad_{128}(L))) * - * from the procedure in section A.5 of the Adiantum paper [1]. It is an - * ε-almost-∆-universal (εA∆U) hash function for equal-length inputs over + * from the procedure in section 6.4 of the Adiantum paper [1]. It is an + * ε-almost-∆-universal (ε-∆U) hash function for equal-length inputs over * Z/(2^{128}Z), where the "∆" operation is addition. It hashes 1024-byte * chunks of the input with the NH hash function [2], reducing the input length * by 32x. The resulting NH digests are evaluated as a polynomial in * GF(2^{130}-5), like in the Poly1305 MAC [3]. Note that the polynomial - * evaluation by itself would suffice to achieve the εA∆U property; NH is used + * evaluation by itself would suffice to achieve the ε-∆U property; NH is used * for performance since it's over twice as fast as Poly1305. * * This is *not* a cryptographic hash function; do not use it as such! |