[Cryptography] [RFC] random: add new pseudorandom number generator

Sandy Harris sandyinchina at gmail.com
Sun Oct 3 21:22:04 EDT 2021

Bill Stewart <billstewart at pobox.com> wrote:

> How much entropy do you get out of it, and how much key material went
> into it?

Outputs are 64 bits & it gets fully rekeyed -- change key, counter
& XOR mask, total 256 bits -- every 127 iterations.

It also changes the key slightly on every iteration.
tea_key[xtea_iterations & 3] += tea_key[(xtea_iterations+1) & 3] ;

Both the rekeying function and the main function that uses the
output will use a random instruction or a hardware rng in
preference to this if available. Output from this only gets
mixed in occasionally to avoid trusting the other source
completely or used as a fallback if the other source fails.

In the worst case -- no other source configured or it fails --
it is initilalised from the input pool (which in my version of
the driver is filled with bits from /dev/urandom at compile
time) and thereafter rekeys itself with:

static void xtea_self_rekey()
        u64 x ;
        x = random_get_entropy() ;

        spin_lock(&xtea_lock) ;
        tea_counter += x ;
        /* used with ^, so + here */
        tea_mask += xtea_counter() ;
        /* used with +, so ^ here */
        tea_key64[0] ^= xtea_counter() ;
        tea_key64[1] ^= xtea_counter() ;
        tea_counter  ^= xtea_counter() ;
        spin_unlock(&xtea_lock) ;
random_get_entropy() is an existing library function
designed mainly for speed, better than nothing here
but perhaps not ideal.

More information about the cryptography mailing list