From: Sandy Harris
Date: Thu, 20 Jan 2022 18:39:31 +0800
Subject: random(4) question
To: Linux Crypto Mailing List, "Jason A. Donenfeld", "Ted Ts'o", Herbert Xu
List-ID: linux-crypto@vger.kernel.org

I see this in the current random.c

    /* Note that EXTRACT_SIZE is half of hash size here, because above
     * we've dumped the full length back into mixer. By reducing the
     * amount that we emit, we retain a level of forward secrecy.
     */
    memcpy(out, hash, EXTRACT_SIZE);

Like the previous version based on SHA1, this produces an output half the hash size, which is likely a fine idea since we do not want to expose the full hash output to an enemy.

Unlike the older code, though, this does expose some hash output. The older code split the 160-bit hash in half and XORed the halves together to get an 80-bit output. Should we do that here for 256-bit output?

Dan Bernstein has something called "SURF: Simple Unpredictable Random Function" that takes 384 bits in & gives 256 out.
https://cr.yp.to/papers.html#surf

I'm not sure that would work for us since it needs a 1024-bit key and has 32 rounds, but it seems worth considering.
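The two output-derivation schemes the message compares (the old SHA-1 fold, where the two halves of the digest are XORed together, and the current truncation to EXTRACT_SIZE, half the digest length), together with the feed-the-full-hash-back step the quoted comment refers to, as an added example written for this page. This is not the kernel's random.c and not Sandy Harris's code: `ToyPool` and its `mix` method are a hypothetical stand-in for the entropy pool and its mixing function, constructed only so the extract sequence (hash the pool, mix the whole digest back, emit half) can be run end to end with hashlib.

```python
"""Hash-output derivation for an entropy extractor: fold vs. truncate.

Added example; not the kernel's random.c. ToyPool is a constructed stand-in.
"""
import hashlib
from typing import Callable


def fold_halves(digest: bytes) -> bytes:
    """Older random.c style: split the digest in half and XOR the halves.

    For a 160-bit SHA-1 digest this yields 80 bits. No byte of the raw
    digest appears in the output; only the XOR of two bytes does.
    """
    if len(digest) % 2:
        raise ValueError("digest length must be even to fold")
    half = len(digest) // 2
    return bytes(a ^ b for a, b in zip(digest[:half], digest[half:]))


def truncate_half(digest: bytes) -> bytes:
    """Current random.c style: emit the first EXTRACT_SIZE = len/2 bytes.

    For a 256-bit digest this yields 128 bits, but those bits are raw
    digest bytes, which is the exposure the message asks about.
    """
    return digest[: len(digest) // 2]


class ToyPool:
    """Hypothetical entropy pool (assumption, not the kernel's structure).

    The only property modelled is the one the quoted comment relies on:
    the full digest is mixed back into the pool before any output is
    emitted, so an attacker who later learns the pool cannot rewind it
    to recover earlier outputs from the same state.
    """

    def __init__(self, seed: bytes) -> None:
        if not seed:
            raise ValueError("pool must be non-empty")
        self.state = bytearray(seed)

    def mix(self, data: bytes) -> None:
        # Constructed mixing step: XOR each input byte into a pool slot.
        # 7 is coprime with every power-of-two pool size, so a digest as
        # long as the pool touches every slot. Not the kernel's mixer.
        n = len(self.state)
        for i, b in enumerate(data):
            self.state[(i * 7) % n] ^= b

    def extract(self, hash_name: str, derive: Callable[[bytes], bytes]) -> bytes:
        """Hash the pool, dump the full digest back in, then emit half."""
        digest = hashlib.new(hash_name, bytes(self.state)).digest()
        self.mix(digest)          # "we've dumped the full length back into mixer"
        return derive(digest)     # EXTRACT_SIZE = half of hash size


def demo() -> dict:
    """Run both schemes once on a zero-seeded toy pool and report sizes."""
    old = ToyPool(b"\x00" * 20)
    new = ToyPool(b"\x00" * 32)
    return {
        "sha1_folded_bits": 8 * len(old.extract("sha1", fold_halves)),
        "sha256_truncated_bits": 8 * len(new.extract("sha256", truncate_half)),
        "sha256_folded_bits": 8 * len(new.extract("sha256", fold_halves)),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows that folding a 256-bit digest gives the same 128 output bits as truncating it, so the fold costs nothing in output size; the difference is only whether raw digest bytes leave the extractor. `fold_halves` applied to SHA-1 of the empty string reproduces the old 80-bit shape, and `truncate_half` of SHA-256 of the empty string is simply its first 16 bytes, which is easy to check against any published test vector.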