From: "H. Peter Anvin" Subject: Re: [PATCH][RESEND 3] hwrng: add randomness to system from rng sources Date: Sun, 16 Mar 2014 19:12:05 -0700 Message-ID: <532659F5.2030005@zytor.com> References: <20140303235148.GA7601@www.outflux.net> <20140304153841.GN1872@titan.lakedaemon.net> <20140304195356.GS1872@titan.lakedaemon.net> <1393972797.8344.190.camel@calx> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Cc: Jason Cooper , "Theodore Ts'o" , LKML , Herbert Xu , Rusty Russell , Satoru Takeuchi , linux-crypto , Andrew Morton To: Matt Mackall , Kees Cook Return-path: Received: from terminus.zytor.com ([198.137.202.10]:56864 "EHLO mail.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755818AbaCQCMr (ORCPT ); Sun, 16 Mar 2014 22:12:47 -0400 In-Reply-To: <1393972797.8344.190.camel@calx> Sender: linux-crypto-owner@vger.kernel.org List-ID: On 03/04/2014 02:39 PM, Matt Mackall wrote: > > [temporarily coming out of retirement to provide a clue] > > The pool mixing function is intentionally _reversible_. This is a > crucial security property. > > That means, if I have an initial secret pool state X, and hostile > attacker controlled data Y, then we can do: > > X' = mix(X, Y) > > and > > X = unmix(X', Y) > > We can see from this that the combination of (X' and Y) still contain > the information that was originally in X. Since it's clearly not in Y.. > it must all remain in X'. > This of course assumes that the attacker doesn't know the state of the pool X. The other thing to note is that reversible doesn't necessarily mean linear (the current mixing function is linear.) AES, for example, is reversible (if and only if you possess the key) but is highly nonlinear. I'm not saying we should use AES to mix the pool -- it is almost guaranteed to be too expensive. -hpa