Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp431023pxj; Fri, 11 Jun 2021 02:48:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz3JlaeOU6o2X9vxwfC21BsUlCgPV/p0Y+xOXqDFRXEj2RFygvdB/U6styM0OA4HWn2lPHG X-Received: by 2002:a17:906:869a:: with SMTP id g26mr2853131ejx.94.1623404886889; Fri, 11 Jun 2021 02:48:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623404886; cv=none; d=google.com; s=arc-20160816; b=u7/x9qnR6q8cxnvAyN27DOVqG+eBM/Sfh7sLElirLnCaDs8OLnuLLTrf9d/ety+ZSF 1/PERVORZeCu5My4p7lEuzA0gpb6MTUfju+7QVbz6AxY1sCNrBhjqai86nMENci0AgsM 7S89aJ5NsTivKHujFhhcncrWi+vU4fi7CC2nwyLnzJy20qH/gRueyduKKUmP9Vxa5CCa so17EV1IWc4akm4Usy5HN6mfVxuhMIYvv8iXJ1raSI9ip8QVkJUx+HEaf/qxQl/Mi+Aj GmgZmZUhyQBeOuOlKWdJ+RTxgZM1J9/xWXUfkLi0C9d3ZDH6qUk5hAu/BygQSK3X4yls FT5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=Iohi461kjcJMARSaZJtMtzgG1Y04ZNwqpJYB6vEREOE=; b=dSeG0tENqG7gFiCWzfedYIa8dq7IQqYi55zJDJKPbPHClI9j+QfnO7IKk7onKSd2kw LABjxURvc5KrTzaA0dkiusmfesQJioy5yKFh0SYxcODiyaDZHsyKh+2fSd2WdM6mVGzc W4CUYMlj+Y4YzAIgB7M8y3qy6IVyRYk1zM4Cehj1mzzItHkhHp1IxQ6nczVKEC6aS8Cn e0qLBvBwCG1ZlFWHfEdfHXV8V+B+GCN+r+HSDwZLY4xOQK4oYE87Rz1R3+nloEuk9gWl xeSMs4mgmZ3AwtSTt/Zn2qEbMNfW+3XLNiXEJf3faTPy0+VQ+WGF1ygihc+adyiPFqxQ dsAA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Ym8Hcdc8; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t26si4331300edf.425.2021.06.11.02.47.34; Fri, 11 Jun 2021 02:48:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Ym8Hcdc8; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229480AbhFKJrE (ORCPT + 99 others); Fri, 11 Jun 2021 05:47:04 -0400 Received: from mail-wm1-f50.google.com ([209.85.128.50]:53861 "EHLO mail-wm1-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231574AbhFKJrE (ORCPT ); Fri, 11 Jun 2021 05:47:04 -0400 Received: by mail-wm1-f50.google.com with SMTP id b205so3037440wmb.3 for ; Fri, 11 Jun 2021 02:45:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=Iohi461kjcJMARSaZJtMtzgG1Y04ZNwqpJYB6vEREOE=; b=Ym8Hcdc8JD8YE1hevYjwN5wHnINI60kjdJnJgyB0GfB8M66tpxkw+8vA1wrwbvQcV0 jdFieWUBRPqTqAvQYpzXy1MogRF2dgdZzQ9Ei6bzEB7JQHrQL70S4/95mUZt0lLkAM28 LqarfU7FK856wqutC5XWrjTOB3AVrT5sojFHhEFHyvo2nxH9SOPoKMqyLpQ4kbX73riK mHwrU7n2oNf8Gw3h1x4O7mkW8HgDmNyLF/tlCjW1CYsbFU733TEaWPfY6RGFvVoA8Y4H 7/4TcOUnADQK8ACBIslL7bnRqhwkZVFHc5oaILZfpPfxTwVrx+OXvdQWfp4MCEJ66jTL 3QQg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=Iohi461kjcJMARSaZJtMtzgG1Y04ZNwqpJYB6vEREOE=; b=HPQipksMsxp6/yv95C7FdAzi/IUDcb1URLZHvEYGHHC+I28t297Ajdf4dUBFHz/fI0 y/8The2u/9xvShdrKfFJ1Lsas/I9+h1eVjMa2H/cP/vjZY+W5JYzkbskgCju3Mwq1IMn cVy2O8NAMnvkZKHK95TY3EEOWQZtaeo+H25mBO62uIlctptXBwNlpq57KabPeac/3VS9 KzWj9eiJNThr/8W9PoA2hpdFACpXOBg1yrL1+CRx8t8uq47jFDfQycLBgvEh1+7E5c8f tUTrn1p70IDRVkgf8tHkuncj36wPAypGAp0x5sVd72UA/JyooLqMq28J2YBvuOJuYQRW oE0w== X-Gm-Message-State: AOAM531zt63vQgUmg/t4vd2fKCaZX8alCG0C4imS7q+9xePCEaIWTcTf NzRC93JTVrkXdJv1sgYBtatGKLZb8wMt5Nk8G0T3mFwVZzw= X-Received: by 2002:a7b:c192:: with SMTP id y18mr19502274wmi.65.1623404645585; Fri, 11 Jun 2021 02:44:05 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Sandy Harris Date: Fri, 11 Jun 2021 17:43:52 +0800 Message-ID: Subject: Re: Lockless /dev/random - Performance/Security/Stability improvement To: Linux Crypto Mailing List , "Ted Ts'o" , Stephan Mueller , John Denker , m@ib.tc Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Sandy Harris wrote: > The basic ideas here look good to me; I will look at details later. Looking now, finding some things questionable. Your doc has: " /dev/random needs to be fast, and in the past it relied on using a cryptographic primitive for expansion of PNRG to fill a given request " urandom on the other hand uses a cryptographic primitive to compact rather than expand, This does not seem coherent to me & as far as I can tell, it is wrong as well. /dev/random neither uses a PRNG nor does expansion. /dev/urandom does both, but you seem to be saying the opposite. " We can assume AES preserves confidentiality... That is a reasonable assumption & it does make the design easier, but is it necessary? If I understood some of Ted's writing correctly, one of his design goals was not to have to trust the crypto too much. It seems to me that is a worthy goal. One of John Denker's papers has some quite nice stuff about using a hash function to compress input data while preserving entropy. It needs only quite weak assumptions about the hash. https://www.av8n.com/turbid/ You want to use AES in OFB mode. Why? The existing driver uses ChaCha, I think mainly because it is faster. The classic analysis of how to use a block cipher to build a hash is Preneel et al. https://link.springer.com/content/pdf/10.1007%2F3-540-48329-2_31.pdf As I recall, it examines 64 possibilities & finds only 9 are secure. I do not know if OFB, used as you propose, is one of those. Do you?