lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 14 Dec 2013 14:23:07 -0500
From:	Theodore Ts'o <tytso@....edu>
To:	George Spelvin <linux@...izon.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: Replace /dev/random input mix polynomial with Brent's xorgen?

On Sat, Dec 14, 2013 at 04:06:07AM -0500, George Spelvin wrote:
> Richard Brent extended some efficient XOR-based PRNGs designed by George
> Marsaglia into a family of "xorgen" generators which are efficent,
> non-sparse, maximal-period polynomials of length 64, 128, 256,... 4096
> bits.
> 
> Anyway, the algorithm boils down to
> 
> t1 = x[i-r];	t2 = x[i-s];
> t1 ^= t1 << a;	t2 ^= t2 << c;
> t1 ^= t1 >> b;	t2 ^= t2 >> d;
> x[i] = t1 ^ t2;
> 
> For various constants r = 2..128, s < r, and shifts a, b, c and d.
> Both 32- and 64-bit versions are included.


The mixing function doesn't have to be a good quality PRNG, since
that's not its function.  One of the things that is highly desirable,
though, is that it "smears" recently mixed in data across the entire
pool as quickly as possible.  The above algorithm is more efficient
because it only needs to touch two memory locations --- but for our
use case, we want to be able to read from multiple memory locations.

In particular, it's important that when we mix the hash back into pool
to prevent backtracking attacks, and extract from the pool again and
re-hash (see extract_entropy), it's important that when we mix in the
hash, it affects the portion of the pool that we rehash.  We could
work around this if we changed the mixing function, true, but I'm not
sure I see the benefit of making this change.

I'm much more inclined to think about changing how we generate random
numbers from the output pool by switching from using SHA to AES in
some one-way random function mode (i.e., such as the Davies-Meyer
construction), since that is where we are spending most of our CPU
time in the random driver at the moment.

Regards,

						- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ