bug-bash

## Re: $RANDOM not Cryptographically secure pseudorandom number generator

From: Ole Tange
Subject: Re: $RANDOM not Cryptographically secure pseudorandom number generator
Date: Mon, 3 Dec 2018 00:13:31 +0100

On Wed, Nov 21, 2018 at 11:45 PM Chet Ramey <address@hidden> wrote:
> On 11/21/18 3:07 PM, Ole Tange wrote:
> > 'brand' in variables.c is comparable in size to ChaCha20 and ChaCha20
> > is not completely broken:
> > https://en.wikipedia.org/wiki/Salsa20
> >
> > Could we please replace 'brand' with ChaCha20?
>
> What is your application that you need something more complicated than
> the existing PRNG?

I do not have that currently, but it seems like a fairly small change
and it seems odd to have modern software not use modern algorithms.

Git's use of SHA1 seems to be a prime example of what can go wrong:
https://shattered.io/

If you look at the code it is really not much bigger:

```c
#include <stdint.h>

#define ROTL(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
#define QR(a, b, c, d) (            \
a += b,  d ^= a,  d = ROTL(d,16),    \
c += d,  b ^= c,  b = ROTL(b,12),    \
a += b,  d ^= a,  d = ROTL(d, 8),    \
c += d,  b ^= c,  b = ROTL(b, 7))
#define ROUNDS 20

void chacha_block(uint32_t out[16], uint32_t const in[16])
{
int i;
uint32_t x[16];

for (i = 0; i < 16; ++i)
x[i] = in[i];
// 10 loops × 2 rounds/loop = 20 rounds
for (i = 0; i < ROUNDS; i += 2) {
// Odd round
QR(x[0], x[4], x[ 8], x[12]); // column 0
QR(x[1], x[5], x[ 9], x[13]); // column 1
QR(x[2], x[6], x[10], x[14]); // column 2
QR(x[3], x[7], x[11], x[15]); // column 3
// Even round
QR(x[0], x[5], x[10], x[15]); // diagonal 1 (main diagonal)
QR(x[1], x[6], x[11], x[12]); // diagonal 2
QR(x[2], x[7], x[ 8], x[13]); // diagonal 3
QR(x[3], x[4], x[ 9], x[14]); // diagonal 4
}
for (i = 0; i < 16; ++i)
out[i] = x[i] + in[i];
}
```

Can you elaborate on why you think it is a bad idea to change an
insecure PRNG into a non-broken one?

/Ole
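As an added example, not code from the thread, from Wikipedia or from bash itself, here is the block function above wrapped in the RFC 8439 state layout (constants, 256-bit key, 32-bit block counter, 96-bit nonce) and a $RANDOM-shaped draw routine of the kind the proposal would need; the names chacha_init, chacha_rng, chacha_rng_init and chacha_random15 are mine, and the assumed stand-in for bash's brand() takes its key and nonce as inputs.

```c
#include <stdint.h>

#define ROTL(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
#define QR(a, b, c, d) (                 \
    a += b,  d ^= a,  d = ROTL(d,16),    \
    c += d,  b ^= c,  b = ROTL(b,12),    \
    a += b,  d ^= a,  d = ROTL(d, 8),    \
    c += d,  b ^= c,  b = ROTL(b, 7))

/* One ChaCha20 block: 20 rounds (alternating column and diagonal quarter-rounds)
   over a copy of the 16-word state, then the feed-forward add of the input state. */
void chacha_block(uint32_t out[16], const uint32_t in[16])
{
    uint32_t x[16];
    int i;
    for (i = 0; i < 16; ++i) x[i] = in[i];
    for (i = 0; i < 20; i += 2) {
        QR(x[0], x[4], x[ 8], x[12]); QR(x[1], x[5], x[ 9], x[13]);   /* columns */
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);   /* diagonals */
        QR(x[2], x[7], x[ 8], x[13]); QR(x[3], x[4], x[ 9], x[14]);
    }
    for (i = 0; i < 16; ++i) out[i] = x[i] + in[i];
}

/* Little-endian 32-bit load, the byte order RFC 8439 uses for key and nonce words. */
static uint32_t le32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* RFC 8439 state: "expand 32-byte k", 256-bit key, 32-bit block counter, 96-bit nonce. */
void chacha_init(uint32_t st[16], const uint8_t key[32], uint32_t counter, const uint8_t nonce[12])
{
    int i;
    st[0] = 0x61707865; st[1] = 0x3320646e; st[2] = 0x79622d32; st[3] = 0x6b206574;
    for (i = 0; i < 8; ++i) st[4 + i] = le32(key + 4 * i);
    st[12] = counter;
    for (i = 0; i < 3; ++i) st[13 + i] = le32(nonce + 4 * i);
}

/* $RANDOM-shaped generator (hypothetical stand-in for bash's brand()): every keystream
   word is consumed once and the counter advances on each refill, so no block is reused. */
typedef struct { uint32_t st[16], buf[16]; int used; } chacha_rng;
void chacha_rng_init(chacha_rng *r, const uint8_t key[32], const uint8_t nonce[12])
{ chacha_init(r->st, key, 0, nonce); r->used = 16; /* buffer empty until the first draw */ }

int chacha_random15(chacha_rng *r)       /* 0..32767, the same range as $RANDOM */
{
    if (r->used == 16) { chacha_block(r->buf, r->st); r->st[12]++; r->used = 0; }
    return (int)(r->buf[r->used++] & 0x7fff);
}
```

The block function can be checked against the test vector in RFC 8439 section 2.3.2 (key 00..1f, counter 1, nonce 00 00 00 09 00 00 00 4a 00 00 00 00); a real replacement would still have to fill key and nonce from the operating system's random source at startup.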