Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp1285304pxb; Fri, 21 Jan 2022 14:21:37 -0800 (PST) X-Google-Smtp-Source: ABdhPJxy3I5vIo+LWrHnH4Qx1ro5VLGOCfN2nPSu0i6/jFEjfFqcNDvjfi/UcR0lgP/i5yZsVwOc X-Received: by 2002:a17:90b:3b83:: with SMTP id pc3mr2762407pjb.44.1642803697523; Fri, 21 Jan 2022 14:21:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642803697; cv=none; d=google.com; s=arc-20160816; b=BpQKr2F/knxjhnrl7InQadJP0b2JKXmNAVoGFnvaiJPtM9hJtZI7d9RTw0xgL64TFe xu1gHjn/P4g1bQE7P5dlbNCBQThtjO6ysimozdUIvSn6+UgxJ0IgztlkSPbnV42DOR7Z z0Ue9MWWj/W6IJWZ9EC9AUKn+ETGMHvOduldnnqbuEKIxnImPYlPxdLysIQwiJ6b+g73 B7NgKF8HUJ3A0L48mzKwFuH2/yBst7PHRfh4ovQ0Abr41oP30wIJPnNSe73C29WuZa30 NNLrB4W1zt/JgMYAxBRA8mIm9mNrkT6xu8Wxrtx028OaI+nGYtB2VfcOm21Os9iZfiS2 hh8Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=Lv74wIiwMPDqaNPwfztmRe8C/iprL6Ux2au1Eyo8ChE=; b=kcVmrXzImEIdh+x64vTrKj/DP83P6fEUoFgtqETNjVs0NuhExMN/WeJyEUPmjqjbvI l9lijpoxavMR7V/z/0fHGwNeUf/mRgRZkz8CKXEN3c4xSMqeafB4fAA/zD9l95pwfDg2 j5GwQcZE9CS+KzR65Qxz3A1zNjSNkbodAMDkxzmKkCDLA2gLNfmSnp4uptm3czFYu7PP 4WPj4ffsSRiiwVVUsg4Ra5jbAr7hIRnmcHzfFNgCSRj+74ZX7eosZ+vVFjtv/Ii7nHLk 7fABVbdvp7zkFXZ595xe0Ax7xP3nliKVRTbFwcZw+smIJiLHgXXPRrR2kcn/79i5OFMm hm0g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p20si6916456plq.541.2022.01.21.14.21.22; Fri, 21 Jan 2022 14:21:37 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1376666AbiATPew (ORCPT + 99 others); Thu, 20 Jan 2022 10:34:52 -0500 Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:33237 "EHLO outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1376742AbiATPes (ORCPT ); Thu, 20 Jan 2022 10:34:48 -0500 Received: from cwcc.thunk.org (pool-108-7-220-252.bstnma.fios.verizon.net [108.7.220.252]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 20KFYX7q023612 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 20 Jan 2022 10:34:34 -0500 Received: by cwcc.thunk.org (Postfix, from userid 15806) id 6A80615C41B6; Thu, 20 Jan 2022 10:34:33 -0500 (EST) Date: Thu, 20 Jan 2022 10:34:33 -0500 From: "Theodore Ts'o" To: Sandy Harris Cc: Linux Crypto Mailing List , "Jason A. Donenfeld" , Herbert Xu Subject: Re: random(4) question Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, Jan 20, 2022 at 06:39:31PM +0800, Sandy Harris wrote: > > Like the previous version based on SHA1, this produces an output half > the hash size which is likely a fine idea since we do not want to > expose the full hash output to an enemy. Unlike the older code, > though, this does expose some hash output. Well, as the comment says, we do this because we want to prevent backtracking attacks --- where the attacker knows the state of the pool plus the current outputs, and is trying to go back in time to figure out previous outputs. Whether we XOR the halves together or just reveal half the bits, either will achieve this goal. Note that we're actually no longer directly exposing this output to the enemy, since extract_buf is now only being use to extract entropy from the input pool into the CRNG. And if the attacker can intercept the values being used to reseed the CRNG, we've got bigger problems. :-) Given how extrat_buf is being used today, assuming that we are confident in the cryptosecurity of the CHACHA20 algorithm, it's probably a bit of overkill as it is. However, it's not like this is on the hot path from a performance perspective, and a bit of over-engineering is not a bad thing. Cheers, - Ted