On Friday, 22 April 2016, 15:58:19, Fedor Brunner wrote:

Hi Fedor,

> Hi Stephan,
>
> could you please compare your RNG design with OpenBSD arc4random based
> on ChaCha20.

Ok, I will try in the following. But please bear with me as I have not studied the OpenBSD RNG design to the fullest extent. Hence, if I am mistaken about one or another aspect of the OpenBSD RNG, I would ask to be corrected.

src/sys/dev/rnd.c implements the OpenBSD RNG.

- The OpenBSD RNG hooks itself into various devices like HID and the interrupt handler (similar to the legacy /dev/random of Linux). It uses timing and additional data depending on the callback location. The LRNG hooks itself into the interrupt handler and obtains a high-resolution time stamp.

- The OpenBSD RNG uses an LFSR which looks like the Mersenne Twister to inject data into the entropy pool. The LRNG collapses the timing data into one bit via XOR and concatenates the individual bits.

- After extracting the data from the entropy pool, a SHA-512 hash is calculated over the extracted bits and returned to the caller (it does not use the hash as backtracking resistance, but injects a timestamp into the pool to prevent identical SHA values). The LRNG simply reads out the required data from the entropy pool, but ensures that only newly added data is used (i.e. no bit is used twice).

- The OpenBSD RNG uses a DRNG based on ChaCha. The LRNG uses an SP800-90A DRBG. I do not want to enter the discussion about the properties of the ChaCha DRNG compared to the AIS20/31 or SP800-90C requirements as I have not studied the DRNG too much.

- It *looks* like the OpenBSD RNG does not block and produces a data stream like /dev/urandom. The purpose of the LRNG /dev/random (which *seems* not to be present in the OpenBSD code) is to provide random data with information-theoretical entropy (see the AIS20/31 NTG.1 requirements).

- The OpenBSD RNG does not maintain any entropy counter logic, just like the LRNG.

Considering that the OpenBSD /dev/random does not block, a data stream with strong cryptographic protection is generated, just like that provided by the LRNG. In addition, the LRNG allows the generation of random numbers with information-theoretical entropy.

- The OpenBSD RNG uses ChaCha as the raw cipher. The LRNG uses the Linux kernel crypto API SP800-90A DRBG, which allows selecting at compile time whether the CTR, Hash or HMAC DRBG is used. Furthermore, the kernel crypto API allows the use of assembler or hardware-supported cipher implementations, which are selected at runtime.

Ciao
Stephan

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
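The two LRNG collection steps the mail describes (collapsing each interrupt time stamp into one bit via XOR, concatenating the bits, and handing out only bits that were never read before) as an added, simplified model; this is illustration code, not the LRNG's kernel implementation, and the pool size, the per-bit list representation and the `None`-on-shortage behaviour are assumptions made here.

```python
from typing import List, Optional

POOL_BITS = 128  # assumption: a small pool so the model stays readable


def collapse_to_bit(timestamp: int) -> int:
    """Fold a high-resolution time stamp into one bit by XORing all its bits."""
    bit = 0
    while timestamp:
        bit ^= timestamp & 1
        timestamp >>= 1
    return bit


class BitPool:
    """Concatenates collapsed bits and tracks how many are still unused."""

    def __init__(self) -> None:
        self.bits: List[int] = []  # pool contents, oldest first
        self.fresh = 0             # bits added since they were last read out

    def add_event(self, timestamp: int) -> None:
        """Called once per interrupt with the time stamp taken there."""
        self.bits.append(collapse_to_bit(timestamp))
        if len(self.bits) > POOL_BITS:
            self.bits.pop(0)       # oldest bit falls out of the pool
        self.fresh = min(self.fresh + 1, POOL_BITS)

    def read_fresh(self, nbits: int) -> Optional[bytes]:
        """Return nbits that were never handed out before, packed MSB-first.

        Returns None when fewer fresh bits exist than requested: the point
        at which a blocking /dev/random would wait for more interrupts."""
        if nbits > self.fresh:
            return None
        taken = self.bits[-self.fresh:][:nbits]  # oldest fresh bits first
        self.fresh -= nbits                      # no bit is used twice
        value = 0
        for b in taken:
            value = (value << 1) | b
        return value.to_bytes((nbits + 7) // 8, "big")
```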