summaryrefslogtreecommitdiffstats
path: root/crypto/nhpoly1305.c
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2018-12-06 14:21:59 -0800
committerHerbert Xu <herbert@gondor.apana.org.au>2018-12-13 18:24:59 +0800
commitc6018e1a00b5c70610cdfb3650cc5622c917ed17 (patch)
tree91e7c5e6088a062158e84d1efa9e561d9b6a57f2 /crypto/nhpoly1305.c
parent282c14852d00d6d1b8fadf3e01e4180f02ddda84 (diff)
downloadlinux-c6018e1a00b5c70610cdfb3650cc5622c917ed17.tar.gz
linux-c6018e1a00b5c70610cdfb3650cc5622c917ed17.tar.bz2
linux-c6018e1a00b5c70610cdfb3650cc5622c917ed17.zip
crypto: adiantum - adjust some comments to match latest paper
The 2018-11-28 revision of the Adiantum paper has revised some notation: - 'M' was replaced with 'L' (meaning "Left", for the left-hand part of the message) in the definition of Adiantum hashing, to avoid confusion with the full message - ε-almost-∆-universal is now abbreviated as ε-∆U instead of εA∆U - "block" is now used only to mean block cipher and Poly1305 blocks Also, Adiantum hashing was moved from the appendix to the main paper. To avoid confusion, update relevant comments in the code to match. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto/nhpoly1305.c')
-rw-r--r--crypto/nhpoly1305.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/crypto/nhpoly1305.c b/crypto/nhpoly1305.c
index c8385853f699..ec831a5594d8 100644
--- a/crypto/nhpoly1305.c
+++ b/crypto/nhpoly1305.c
@@ -9,15 +9,15 @@
* "NHPoly1305" is the main component of Adiantum hashing.
* Specifically, it is the calculation
*
- * H_M ← Poly1305_{K_M}(NH_{K_N}(pad_{128}(M)))
+ * H_L ← Poly1305_{K_L}(NH_{K_N}(pad_{128}(L)))
*
- * from the procedure in section A.5 of the Adiantum paper [1]. It is an
- * ε-almost-∆-universal (εA∆U) hash function for equal-length inputs over
+ * from the procedure in section 6.4 of the Adiantum paper [1]. It is an
+ * ε-almost-∆-universal (ε-∆U) hash function for equal-length inputs over
* Z/(2^{128}Z), where the "∆" operation is addition. It hashes 1024-byte
* chunks of the input with the NH hash function [2], reducing the input length
* by 32x. The resulting NH digests are evaluated as a polynomial in
* GF(2^{130}-5), like in the Poly1305 MAC [3]. Note that the polynomial
- * evaluation by itself would suffice to achieve the εA∆U property; NH is used
+ * evaluation by itself would suffice to achieve the ε-∆U property; NH is used
* for performance since it's over twice as fast as Poly1305.
*
* This is *not* a cryptographic hash function; do not use it as such!