Date:      Sat, 10 Apr 2004 15:55:42 -0700 (PDT)
From:      Nate Lawson <nate@root.org>
To:        Mark Murray <mark@grondar.org>
Cc:        cvs-src@FreeBSD.ORG
Subject:   Re: cvs commit: src/sys/modules/random Makefile src/sys/dev/random randomdev.h randomdev_soft.c randomdev_soft.h yar 
Message-ID:  <20040410155306.W58852@root.org>
In-Reply-To: <200404101929.i3AJTJ8P070553@grimreaper.grondar.org>
References:  <200404101929.i3AJTJ8P070553@grimreaper.grondar.org>

On Sat, 10 Apr 2004, Mark Murray wrote:
> Richard Coleman writes:
> > > If it is felt that further whitening of the VIA C3 RNG is needed,
> > > then I believe that Yarrow would be overkill, and that a much smaller
> > > hash function will be sufficient.
> >
> > What do you have in mind?  AES is already one of the faster ciphers
> > around.  You could reduce the number of rounds used for AES, but it
> > would be hard to estimate the cryptographic strength.
>
> The C3 chip has AES on board, so something like this may do the trick:
>
> key = C3RNG();
> seed ^= C3RNG(); /* seed is static */
> output = encryptAES(key, seed);

How much assurance is gained in designing a new PRNG that duplicates an
existing PRNG already available and is used with only one source of
entropy?

> Cryptographic strength is of lesser importance here, as the key
> input is Very Nicely Random(tm), however AES's speed and spectral
> qualities make it a good choice. It is important to remember that
> the hash is purely there to destroy any trends/tendencies that the
> hardware generator may have, and for that purpose an LFSR may work
> just fine. The hash is a "Whitener", and its requirements here are
> that its output spectrum is flat.

An LFSR is not a cryptographic hash function.  Do not use one to implement
a PRNG.

-Nate
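As an added illustration of the point above (example code, not from this thread or from FreeBSD): an LFSR is a linear recurrence over GF(2), so the Berlekamp-Massey algorithm recovers its feedback polynomial from 2L consecutive output bits and then predicts every later bit, which is why it can neither whiten nor serve as a PRNG. The 16-bit tap positions and the initial state are constructed for the demonstration.

```python
# Added example (not from the thread or from FreeBSD): an LFSR is a linear
# recurrence over GF(2), so Berlekamp-Massey recovers its feedback
# polynomial from 2L consecutive output bits and predicts every later bit.
# Tap positions and the initial state below are constructed for the demo.

def lfsr_bits(coeffs, state, n):
    """Fibonacci LFSR of length L = len(coeffs).
    coeffs[i-1] is c_i; the first L output bits are `state` and every later
    bit is s[j] = XOR over i of (c_i & s[j-i])."""
    L = len(coeffs)
    s = list(state)
    for j in range(L, n):
        bit = 0
        for i in range(1, L + 1):
            bit ^= coeffs[i - 1] & s[j - i]
        s.append(bit)
    return s[:n]

def berlekamp_massey(bits):
    """Shortest LFSR generating `bits`: returns (L, [c_1 .. c_L])."""
    n = len(bits)
    C, B = [1] + [0] * n, [1] + [0] * n   # connection polynomials over GF(2)
    L, m = 0, 1
    for i in range(n):
        d = bits[i]                        # discrepancy at position i
        for j in range(1, L + 1):
            d ^= C[j] & bits[i - j]
        if d == 0:
            m += 1
            continue
        T = C[:]
        for j in range(n + 1 - m):         # C(x) ^= x^m * B(x)
            C[j + m] ^= B[j]
        if 2 * L <= i:
            L, B, m = i + 1 - L, T, 1
        else:
            m += 1
    return L, C[1:L + 1]

def predict_stream(observed, total):
    """From the first 2L output bits, rebuild the LFSR and emit `total` bits."""
    L, coeffs = berlekamp_massey(observed)
    return L, lfsr_bits(coeffs, observed[:L], total)

# Recurrence s[j] = s[j-11]^s[j-13]^s[j-14]^s[j-16]: characteristic polynomial
# x^16 + x^5 + x^3 + x^2 + 1, a primitive polynomial (constructed choice).
TAPS = [1 if i in (11, 13, 14, 16) else 0 for i in range(1, 17)]
STATE = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 1]

if __name__ == "__main__":
    stream = lfsr_bits(TAPS, STATE, 256)
    L, guess = predict_stream(stream[:32], 256)   # only 32 bits observed
    print("recovered L =", L, "prediction matches:", guess == stream)
```

Only 2L = 32 output bits are needed to reconstruct the whole 65535-bit period; a keyed hash or block cipher, as in the AES construction quoted above, has no such linear structure.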


