Date:   Sat, 8 Aug 2020 10:07:51 -0700
From:   Andy Lutomirski <>
To:     George Spelvin <>
Subject: Re: Flaw in "random32: update the net random state on interrupt and activity"

> On Aug 8, 2020, at 8:29 AM, George Spelvin <> wrote:

> And apparently switching to the fastest secure PRNG currently
> in the kernel (get_random_u32() using ChaCha + per-CPU buffers)
> would cause too much performance penalty.

Can someone explain *why* the slow path latency is particularly relevant here?  What workload has the net code generating random numbers in a place where even a whole microsecond is a problem as long as the amortized cost is low?  (I’m not saying I won’t believe this matters, but it’s not obvious to me that it matters.)

>    - Cryptographically strong ChaCha, batched
>    - Cryptographically strong ChaCha, with anti-backtracking.

I think we should just anti-backtrack everything.  With the “fast key erasure” construction, already implemented in my patchset for the buffered bytes, this is extremely fast.
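
The "fast key erasure" construction Andy refers to, shown here as an added example that is neither code from this thread nor from his patchset or the kernel: a ChaCha20 block function checked against the RFC 8439 known answers, plus a small buffered generator that overwrites its key with the first 32 bytes of every keystream batch and zeroes buffered bytes as they are handed out. The batch size (four blocks), the all-zero per-refill nonce, the seed and the function names are constructed choices for the demonstration, not values or identifiers from the kernel.

```c
#include <stdint.h>
#include <string.h>
#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define FKE_BLOCKS 4   /* ChaCha blocks per refill: a constructed choice for this example */

static uint32_t load32le(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void store32le(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* ChaCha quarter round (RFC 8439 section 2.1). */
static void chacha_qr(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
{
    *a += *b; *d ^= *a; *d = ROTL32(*d, 16);
    *c += *d; *b ^= *c; *b = ROTL32(*b, 12);
    *a += *b; *d ^= *a; *d = ROTL32(*d, 8);
    *c += *d; *b ^= *c; *b = ROTL32(*b, 7);
}

/* One 64-byte ChaCha20 keystream block (RFC 8439 section 2.3). */
static void chacha20_block(const uint8_t key[32], uint32_t counter, const uint8_t nonce[12], uint8_t out[64])
{
    static const uint8_t qr[8][4] = {{0,4,8,12},{1,5,9,13},{2,6,10,14},{3,7,11,15},{0,5,10,15},{1,6,11,12},{2,7,8,13},{3,4,9,14}};
    uint32_t in[16], x[16]; int i;
    in[0] = 0x61707865; in[1] = 0x3320646e; in[2] = 0x79622d32; in[3] = 0x6b206574;  /* "expand 32-byte k" */
    for (i = 0; i < 8; i++) in[4 + i] = load32le(key + 4 * i);
    in[12] = counter; for (i = 0; i < 3; i++) in[13 + i] = load32le(nonce + 4 * i);
    memcpy(x, in, sizeof x);
    for (i = 0; i < 80; i++)   /* 10 double rounds: 4 column then 4 diagonal quarter rounds each */
        chacha_qr(&x[qr[i % 8][0]], &x[qr[i % 8][1]], &x[qr[i % 8][2]], &x[qr[i % 8][3]]);
    for (i = 0; i < 16; i++) store32le(out + 4 * i, x[i] + in[i]);
}

/* key: current ChaCha key, overwritten on every refill; buf: output not yet handed out;
 * pos: bytes of buf already consumed (and zeroed). */
struct fke_rng { uint8_t key[32]; uint8_t buf[FKE_BLOCKS * 64 - 32]; size_t pos; };

/* Fast key erasure: the first 32 keystream bytes become the next key and the old key is overwritten,
 * so nothing left in the state can regenerate earlier output.  Counter and nonce restart at zero on
 * every refill; that is safe only because the key is fresh each time. */
static void fke_refill(struct fke_rng *r)
{
    static const uint8_t nonce[12] = {0};
    uint8_t stream[FKE_BLOCKS * 64];
    for (uint32_t i = 0; i < FKE_BLOCKS; i++) chacha20_block(r->key, i, nonce, stream + 64 * i);
    memcpy(r->key, stream, 32);
    memcpy(r->buf, stream + 32, sizeof r->buf);
    r->pos = 0;
    memset(stream, 0, sizeof stream);   /* the kernel would use memzero_explicit() here */
}

static void fke_init(struct fke_rng *r, const uint8_t seed[32])
{ memcpy(r->key, seed, 32); r->pos = sizeof r->buf; }   /* empty buffer: the first draw refills */

static void fke_bytes(struct fke_rng *r, uint8_t *out, size_t n)
{
    while (n > 0) {
        size_t take = sizeof r->buf - r->pos;
        if (take == 0) { fke_refill(r); take = sizeof r->buf; }
        if (take > n) take = n;
        memcpy(out, r->buf + r->pos, take);
        memset(r->buf + r->pos, 0, take);  /* erase buffered bytes as they leave the state */
        r->pos += take; out += take; n -= take;
    }
}

/* Known answers from RFC 8439 (quarter round 2.1.1, block function 2.3.2); returns 1 on match. */
int chacha20_selftest(void)
{
    static const uint8_t nonce[12] = {0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0};
    uint32_t a = 0x11111111, b = 0x01020304, c = 0x9b8d6f43, d = 0x01234567;
    uint8_t key[32], out[64];
    chacha_qr(&a, &b, &c, &d);
    if (a != 0xea2a92f4 || b != 0xcb1cf8ce || c != 0x4581472e || d != 0x5881c4bb) return 0;
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)i;
    chacha20_block(key, 1, nonce, out);
    return load32le(out) == 0xe4e7f110 && load32le(out + 4) == 0x15593bd1;
}

/* What a captured state reveals: returns 1 when the capture reproduces FUTURE output exactly
 * (no forward secrecy until a reseed) yet holds neither the seed nor the bytes already handed out. */
int fke_backtracking_demo(void)
{
    struct fke_rng rng, captured;
    uint8_t seed[32], past[48], future[48], replay[48]; int i;
    for (i = 0; i < 32; i++) seed[i] = (uint8_t)(0x5a ^ i);  /* constructed seed, not random */
    fke_init(&rng, seed);
    fke_bytes(&rng, past, sizeof past);       /* the first refill happens here */
    captured = rng;                           /* attacker snapshots the live state now */
    fke_bytes(&rng, future, sizeof future);
    fke_bytes(&captured, replay, sizeof replay);
    if (memcmp(future, replay, sizeof future) != 0) return 0;  /* future output IS predictable */
    if (memcmp(captured.key, seed, 32) == 0) return 0;         /* the seed is no longer present */
    for (i = 0; i < (int)sizeof past; i++) if (captured.buf[i] != 0) return 0;  /* past bytes erased */
    return 1;
}

int main(void) { return chacha20_selftest() && fke_backtracking_demo() ? 0 : 1; }  /* exit 0 when both checks pass */
```

Compiled stand-alone the program exits 0 when both checks pass. The demo makes the tradeoff behind Andy's remark concrete: anti-backtracking costs 32 bytes of keystream per refill (half a ChaCha block), and what it buys is that a capture of the generator's state cannot recover bytes already handed out, while output drawn after the capture remains predictable until the next reseed.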
