Hi Andy,

> Agreed. A simpler construction would be:
>
> chaining++;
> output = H(chaining, secret);
>
> And this looks a whole lot like Ted's ChaCha20 construction.

In that simpler construction with counter-based secret rekeying and in Ted's ChaCha20 construction, the issue is that every X hits, there's a call to get_random_bytes, which has variable performance and entropy issues. Doing it my way with it being time based, in the event that somebody runs `:(){ :|:& };:`, system performance doesn't suffer because ASLR is making repeated calls to get_random_bytes every 128 or so process creations. In the time-based way, the system performance will not suffer.

Jason
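The trade-off discussed in this message, as an added simulation that is not part of the original e-mail or of any kernel patch: it counts how often each rekeying policy reaches the entropy source for the same stream of requests. Assumptions: `H()` is a non-cryptographic stand-in mixer, `rekey()` stands in for the `get_random_bytes` call, the 1-second interval and the 1 µs request spacing are constructed values, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#define REKEY_HITS        128ULL         /* "every 128 or so" from the message */
#define REKEY_INTERVAL_NS 1000000000ULL  /* assumed 1 s interval, not from the message */

struct rng_state { uint64_t secret, chaining, last_rekey_ns, rekeys; int keyed; };

/* Stand-in for H(): splitmix64-style mixer, NOT a cryptographic hash. */
static uint64_t H(uint64_t chaining, uint64_t secret)
{
    uint64_t z = chaining + secret + 0x9e3779b97f4a7c15ULL;
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

/* Stand-in for get_random_bytes(): only counts how often it is reached. */
static void rekey(struct rng_state *s, uint64_t now_ns)
{
    s->secret = H(s->secret, ++s->rekeys);
    s->last_rekey_ns = now_ns;
    s->keyed = 1;
}

/* One output: rekey per the chosen policy, then chaining++; H(chaining, secret). */
static uint64_t next_output(struct rng_state *s, int time_based, uint64_t now_ns)
{
    if (time_based ? (!s->keyed || now_ns - s->last_rekey_ns >= REKEY_INTERVAL_NS)
                   : (s->chaining % REKEY_HITS == 0))
        rekey(s, now_ns);
    s->chaining++;
    return H(s->chaining, s->secret);
}

/* Rekeys triggered by n_calls requests spaced ns_per_call apart (simulated clock). */
uint64_t count_rekeys(int time_based, uint64_t n_calls, uint64_t ns_per_call)
{
    struct rng_state s = {0};
    for (uint64_t i = 0; i < n_calls; i++)
        (void)next_output(&s, time_based, i * ns_per_call);
    return s.rekeys;
}

int main(void)
{
    printf("counter-based: %llu\n", (unsigned long long)count_rekeys(0, 1000000, 1000));
    printf("time-based:    %llu\n", (unsigned long long)count_rekeys(1, 1000000, 1000));
    return 0;
}
```

Under a burst the counter-based policy's rekey count grows with the request rate, while the time-based count depends only on elapsed time; with widely spaced requests the relationship reverses and the time-based policy rekeys on every call.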