Jason A. Donenfeld <Jason@xxxxxxxxx> wrote:

> ChaCha is a permutation that requires those constants.

No. The actual permutation does not use the constants. They are used in setting up the state & directly affect only the first round. The other 19 rounds do not use the constants; they operate on the more-or-less random state left by the previous round. The actual permutation works fine with any input. The only question is how to set the initial state.

I think it is nearsighted, but there is a reasonable argument for using chacha_init_consts(). That is exactly what ChaCha does, and arguably we should not deviate from it.

There is no such argument for

	memset(&chacha_state[12], 0, sizeof(u32) * 4);

ChaCha has a counter and a nonce in those bits, so setting them to zero is a deviation. Dropping the memset() and using whatever the existing state has there may not be ideal, but it is certainly better than the zeroes.
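To make the state layout the mail is arguing about concrete, here is an added Python reference for ChaCha20 as specified in RFC 8439 (example code written for this page, not the kernel's chacha code). It separates the 20-round permutation, which accepts any 16 words, from the state setup that places the constants in words 0..3, the key in 4..11, the counter in 12 and the nonce in 13..15; `SIGMA` stands in for what the kernel's chacha_init_consts() fills in, and the test vector values are the ones from RFC 8439.

```python
import struct

# The "expand 32-byte k" constant words that ChaCha places in state[0..3].
SIGMA = (0x61707865, 0x3320646e, 0x79622d32, 0x6b206574)
MASK = 0xffffffff

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def quarter_round(s, a, b, c, d):
    # RFC 8439 quarter round on four words of s, in place.
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], 7)

def chacha_permute(state, rounds=20):
    """The permutation proper: any 16 32-bit words in, 16 words out.
    Nothing here knows which words were constants, key, counter or nonce."""
    s = list(state)
    for _ in range(rounds // 2):
        quarter_round(s, 0, 4, 8, 12); quarter_round(s, 1, 5, 9, 13)    # column round
        quarter_round(s, 2, 6, 10, 14); quarter_round(s, 3, 7, 11, 15)
        quarter_round(s, 0, 5, 10, 15); quarter_round(s, 1, 6, 11, 12)  # diagonal round
        quarter_round(s, 2, 7, 8, 13); quarter_round(s, 3, 4, 9, 14)
    return s

def chacha_init_state(key, counter, nonce, consts=SIGMA):
    """State setup only: consts in [0..3], key in [4..11], counter in [12],
    nonce in [13..15].  A memset of words 12..15 to zero pins the counter
    and nonce at 0; the permutation above runs the same either way."""
    assert len(key) == 32 and len(nonce) == 12
    return (list(consts) + list(struct.unpack("<8L", key))
            + [counter & MASK] + list(struct.unpack("<3L", nonce)))

def chacha20_block(key, counter, nonce, consts=SIGMA):
    """Full block function: permute the initial state, then add the initial
    state back in (the feed-forward that makes the block non-invertible)."""
    init = chacha_init_state(key, counter, nonce, consts)
    out = chacha_permute(init)
    return struct.pack("<16L", *[(x + y) & MASK for x, y in zip(out, init)])

if __name__ == "__main__":
    # RFC 8439 section 2.3.2 block test: key 00..1f, counter 1, nonce below.
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    print(chacha20_block(key, 1, nonce).hex())
    # The permutation accepts an arbitrary state; only the setup is ChaCha-specific.
    print(chacha_permute(list(range(16))))
```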