Open Source and information security mailing list archives
Date:   Fri, 7 Aug 2020 11:10:16 -0700
From:   Linus Torvalds <>
To:     Andy Lutomirski <>
Cc:     Willy Tarreau <>, Marc Plumb <>,
        "Theodore Ts'o" <>, Netdev <>,
        Amit Klein <>,
        Eric Dumazet <>,
        "Jason A. Donenfeld" <>,
        Andrew Lutomirski <>,
        Kees Cook <>,
        Thomas Gleixner <>,
        Peter Zijlstra <>,
        stable <>
Subject: Re: Flaw in "random32: update the net random state on interrupt and activity"

On Fri, Aug 7, 2020 at 10:55 AM Andy Lutomirski <> wrote:
> I think the real random.c can run plenty fast. It’s ChaCha20 plus ludicrous overhead right now.

I doubt it.

I tried something very much like that in user space to just see how
many cycles it ended up being.

I made a "just raw ChaCha20", and it was already much too slow for
what some of the networking people claim to want.

And maybe they are asking for too much, but if they think it's too
slow, they'll not use it, and then we're back to square one.

Now, what *might* be acceptable is to not do ChaCha20, but simply do a
single double-round of it.

So after doing 10 prandom_u32() calls, you'd have done a full
ChaCha20. I didn't actually try that, but from looking at the costs
from trying the full thing, I think it might be in the right ballpark.

How does that sound to people?

