[Cryptography] [RFC] random: add new pseudorandom number generator

Phillip Hallam-Baker phill at hallambaker.com
Mon Oct 4 00:28:24 EDT 2021


On Sun, Oct 3, 2021 at 4:56 PM Ron Garret <ron at flownet.com> wrote:

>
> On Oct 2, 2021, at 5:08 PM, Jon Callas <jon at callas.org> wrote:
>
> >
> >
> >> On Sep 16, 2021, at 20:18, Sandy Harris <sandyinchina at gmail.com> wrote:
> >>
> >> I have a PRNG that I want to use within the Linux random(4) driver. It
> >> looks remarkably strong to me, but analysis from others is needed.
> >
> > A good block cipher in counter mode makes a pretty-okay PRNG. I say
> pretty-okay only because I would like my PRNG not to be invertible.
> Iterated hash functions are better.
>
> Whatever you use you want to truncate the output, otherwise you won’t get
> repetitions, which you actually want from a good PRNG.
>
> rg
>

I am currently relying on Microsoft for the Mesh RNG. They have much more
time to do a good job on this than I do.

But I would like to have a belt and braces approach. If I make someone else
the weak point in my system, I am inviting the rubber hose squad (or worse)
to attack them.

So the approach I am thinking of is to encrypt the output of the .NET RNG
with a symmetric cipher using a key derived from a 'secret' primary seed
set aside for that purpose. Something like:

kenc = KDF (primary, DateTime.Now.ToString())

Of course we can kibitz whether to use AES or a stream cipher or in what
mode.

ECB should be adequate but is not if you have an attacker willing to go for
the really gross technique of releasing the same random string multiple
times to create a side channel.

AES (XOR (rng, counter), kenc) is probably sufficient.
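The construction sketched above, as an added example that is not part of the original post or of the Mesh code: a Go whitener that derives `kenc` from a secret primary seed plus a timestamp string, then returns `AES_kenc(rng XOR counter)` for each block pulled from the platform RNG. The KDF in the message is unspecified, so an HKDF-style extract-then-expand built from HMAC-SHA256 with a constructed salt label stands in for it; the `stuckSource` type, the `Whitener` name and the `mixCounter` switch are assumptions introduced here so the ECB repetition problem from the previous paragraph can be checked against fixed input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"io"
	"time"
)

// BlockSize is the AES block size; the whitener works one block at a time.
const BlockSize = 16

// DeriveKey stands in for the KDF(primary, DateTime.Now.ToString()) of the
// message: HKDF-style extract-then-expand from HMAC-SHA256. The primary seed
// is the secret keying material, the timestamp string is the context. The salt
// label is an assumption made for this example.
func DeriveKey(primary []byte, context string) []byte {
	extract := hmac.New(sha256.New, []byte("belt-and-braces-rng-v1")) // constructed salt
	extract.Write(primary)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk) // one HKDF-Expand block: T(1) = HMAC(PRK, info || 0x01)
	expand.Write([]byte(context))
	expand.Write([]byte{0x01})
	return expand.Sum(nil) // 32 bytes, used as an AES-256 key
}

// Whitener encrypts blocks from an underlying RNG under a key that RNG's
// provider never sees. The source is injectable so behaviour can be checked
// with fixed input; mixCounter=false reproduces plain ECB, AES(rng).
type Whitener struct {
	block      cipher.Block
	source     io.Reader
	counter    uint64
	mixCounter bool
}

func NewWhitener(primary []byte, now time.Time, source io.Reader, mixCounter bool) (*Whitener, error) {
	block, err := aes.NewCipher(DeriveKey(primary, now.UTC().Format(time.RFC3339)))
	if err != nil {
		return nil, err
	}
	if source == nil {
		source = rand.Reader // the platform RNG in normal operation
	}
	return &Whitener{block: block, source: source, mixCounter: mixCounter}, nil
}

// NextBlock returns AES_kenc(block XOR counter), or AES_kenc(block) in ECB mode.
func (w *Whitener) NextBlock() ([]byte, error) {
	in := make([]byte, BlockSize)
	if _, err := io.ReadFull(w.source, in); err != nil {
		return nil, err
	}
	if w.mixCounter {
		var ctr [BlockSize]byte
		binary.BigEndian.PutUint64(ctr[8:], w.counter) // counter in the low 8 bytes
		for i := range in {
			in[i] ^= ctr[i]
		}
	}
	w.counter++
	out := make([]byte, BlockSize)
	w.block.Encrypt(out, in)
	return out, nil
}

// Read fills p with whitened output, so a Whitener can stand in for rand.Reader.
func (w *Whitener) Read(p []byte) (int, error) {
	n := 0
	for n < len(p) {
		out, err := w.NextBlock()
		if err != nil {
			return n, err
		}
		n += copy(p[n:], out)
	}
	return n, nil
}

// stuckSource models the repetition side channel: an RNG that hands back the
// same block every time. Constructed for this demonstration only.
type stuckSource struct{ block []byte }

func (s stuckSource) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = s.block[i%len(s.block)]
	}
	return len(p), nil
}

// RepeatsLeak reports whether two consecutive outputs are identical when the
// underlying RNG repeats itself: true for ECB, false once the counter is mixed in.
func RepeatsLeak(primary []byte, mixCounter bool) (bool, error) {
	fixed := bytes.Repeat([]byte{0x42}, BlockSize)
	w, err := NewWhitener(primary, time.Unix(1633300000, 0), stuckSource{fixed}, mixCounter)
	if err != nil {
		return false, err
	}
	a, _ := w.NextBlock()
	b, _ := w.NextBlock()
	return bytes.Equal(a, b), nil
}

func main() {
	primary := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, primary); err != nil {
		panic(err)
	}
	ecb, _ := RepeatsLeak(primary, false)
	ctr, _ := RepeatsLeak(primary, true)
	fmt.Printf("stuck RNG visible through ECB: %v, through AES(rng XOR counter): %v\n", ecb, ctr)
	w, _ := NewWhitener(primary, time.Now(), nil, true)
	buf := make([]byte, 32)
	w.Read(buf)
	fmt.Printf("whitened output: %x\n", buf)
}
```

The counter is what turns a repeated platform-RNG block into two different cipher inputs, so the repetition no longer shows in the output; it does nothing for a platform RNG that is weak in other ways, and the key is only as secret as the primary seed it is derived from. Because the timestamp is folded into `kenc` at construction time, two whiteners built from the same seed and the same instant produce the same key, which is what the example relies on to make its check deterministic.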