On Sun, May 29, 2016 at 09:51:59PM +0200, Stephan Mueller wrote:
>
> I personally am not sure that taking some arbitrary cipher and turning it into
> a DRNG by simply using a self-feeding loop based on the ideas of X9.31
> Appendix A2.4 is good. Chacha20 is a good cipher, but is it equally good for a
> DRNG? I do not know. There are too little assessments from mathematicians out
> there regarding that topic.
If ChaCha20 is a good (stream) cipher, it must be a good DRNG by
definition. In other words, if you can predict the output of a
ChaCha20-based DRNG with any accuracy greater than chance, this can be
used as a wedge to attack the stream cipher.
I will note that OpenBSD's "ARC4" random number generator is currently
using ChaCha20, BTW.
Regards,
- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html