| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8db53465-381f-428a-8fea-7386b4a97557@gmail.com>
Date: Sat, 22 Mar 2025 19:24:57 +0100
From: Markus Theil <theil.markus@...il.com>
To: Simon Horman <horms@...nel.org>
Cc: linux-crypto@...r.kernel.org, davem@...emloft.net,
netdev@...r.kernel.org, akpm@...ux-foundation.org, Jason@...c4.com
Subject: Re: [PATCH 2/2] prandom/random32: switch to Xoshiro256++
On 2/17/25 12:18, Simon Horman wrote:
> On Fri, Feb 14, 2025 at 09:18:40AM +0100, Markus Theil wrote:
>> The current Linux PRNG is based on LFSR113, which means:
>> - needs some warmup rounds to yield better statistical properties
>> - seeds/initial states must be of certain structure
>> - does not pass L’Ecuyer's BigCrush in TestU01
>>
>> While of course, there is no clear "best" PRNG, replace with
>> Xoshiro256++, which seams to be a sensible replacement, from
>> todays point of view:
>> - only needs one bit set to 1 in the seed, needs no warmup, when
>> seeded with splitmix64.
>> - Also has statistical evaluation, like LFSR113.
>> - Passes BigCrush in TestU01.
>>
>> The code got smaller, because some edge cases are ruled out now.
>> I kept the test vectors and adapted them to this RNG.
>>
>> Signed-off-by: Markus Theil <theil.markus@...il.com>
> ...
>
>> diff --git a/lib/random32.c b/lib/random32.c
> ...
>
>> +/**
>> + * prandom_seed_state - set seed for prandom_u32_state().
>> + * @state: pointer to state structure to receive the seed.
>> + * @seed: arbitrary 64-bit value to use as a seed.
>> + *
>> + * splitmix64 init as suggested for xoshiro256++
>> + * See: https://prng.di.unimi.it/splitmix64.c
>> + */
>> +void prandom_seed_state(struct rnd_state *state, u64 seed)
>> {
>> - /* Calling RNG ten times to satisfy recurrence condition */
>> - prandom_u32_state(state);
>> - prandom_u32_state(state);
>> - prandom_u32_state(state);
>> - prandom_u32_state(state);
>> - prandom_u32_state(state);
>> - prandom_u32_state(state);
>> - prandom_u32_state(state);
>> - prandom_u32_state(state);
>> - prandom_u32_state(state);
>> - prandom_u32_state(state);
>> + int i;
>> +
>> + for (i = 0; i < ARRAY_SIZE(state->s); ++i) {
>> + seed += 0x9e3779b97f4a7c15;
>> + u64 z = seed;
>> + z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9;
>> + z = (z ^ (z >> 27)) * 0x94d049bb133111eb;
>> + state->s[i] = z ^ (z >> 31);
> nit: The indentation seems off here.
Shall I resend for this line?
>> + }
>> }
>> +EXPORT_SYMBOL(prandom_seed_state);
> ...
Download attachment "OpenPGP_0xFEE64346C8BF92AE.asc" of type "application/pgp-keys" (3160 bytes)
Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (841 bytes)
Powered by blists - more mailing lists