On Wed, Jul 29, 2020 at 09:16:55AM +0300, Ard Biesheuvel wrote:
>
> Only state[12] needs to be preserved, since it contains the block
> counter. Everything else in the state can be derived from the IV.
>
> So by doing the init unconditionally, and overriding state[12] to the
> captured value (if it exists), we can get rid of the redundant copy of
> state, which also avoids inconsistencies if IV and state are out of
> sync.

Good point. In fact we could try to put the counter back into the IV
just like CTR. Let me have a play with this to see what it would look
like.

Thanks,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
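Added illustration, not kernel code and not from this thread: the 16-word ChaCha state rebuilt from key and IV on every init, with only the captured state[12] counter written back, as proposed above. The function names and the key/IV bytes are made up for the example; the word layout follows the Linux crypto API's ChaCha state (constants, key, then the 16-byte IV in words 12..15).

```c
#include <stdint.h>
#include <string.h>
/* ChaCha state as laid out by the Linux crypto API: words 0..3 constants, 4..11
 * key, 12..15 the 16-byte IV, word 12 being the block counter. LE loads assumed. */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Fill all 16 words from constants, key and IV; nothing else is needed. */
void chacha_state_init(uint32_t state[16], const uint8_t key[32],
                       const uint8_t iv[16])
{
    static const char sigma[] = "expand 32-byte k";
    int i;
    for (i = 0; i < 4; i++) {
        state[i] = load_le32((const uint8_t *)sigma + 4 * i);
        state[12 + i] = load_le32(iv + 4 * i);
    }
    for (i = 0; i < 8; i++)
        state[4 + i] = load_le32(key + 4 * i);
}

/* Re-init unconditionally, then override only the captured counter (NULL = none). */
void chacha_state_resume(uint32_t state[16], const uint8_t key[32],
                         const uint8_t iv[16], const uint32_t *saved_counter)
{
    chacha_state_init(state, key, iv);
    if (saved_counter)
        state[12] = *saved_counter;
}

/* Self-check with constructed key/IV bytes: a full state copy advanced by `blocks`
 * must equal one rebuilt from key, IV and counter. Returns counter word, 0 on mismatch. */
uint32_t chacha_resume_selftest(uint32_t blocks)
{
    uint8_t key[32], iv[16];
    uint32_t full_copy[16], resumed[16];
    int i;
    for (i = 0; i < 32; i++) key[i] = (uint8_t)i;          /* constructed */
    for (i = 0; i < 16; i++) iv[i] = (uint8_t)(0xA0 + i);  /* constructed */
    chacha_state_init(full_copy, key, iv);
    full_copy[12] += blocks;  /* counter after `blocks` blocks were processed */
    chacha_state_resume(resumed, key, iv, &full_copy[12]);
    if (memcmp(full_copy, resumed, sizeof full_copy) || resumed[0] != 0x61707865u)
        return 0;
    return resumed[12];
}
```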