Subject: Re: CVS commit: src/sbin/newfs
To: Perry E. Metzger <email@example.com>
From: David Laight <firstname.lastname@example.org>
Date: 09/04/2003 18:42:34
> > Maybe arc4random() could be used instead?
> I'm not a huge believer in arc4random(), but it would be a strict (and
> indeed substantial) improvement over a linear congruential generator,
> yes. I would suggest making the alteration, and in the longer run we
> should discuss improved algorithms.
Actually random() isn't a 'linear congruential generator', it is
an 'Additive generator'. But to quote Schneier:
Additive generators (sometimes called lagged Fibonacci generators) are
extremely efficient because they produce random words instead of random
bits. They are not secure on their own, but can be used as building
blocks for secure generators.
He then suggests a couple of generators that were not (at the time of
The RC4 based random sequence generator is probably secure, given
unknown key state. RC4 itself is trademarked, so an implementation
has to call itself something else. There could also be licensing
issues if the routine is used in a commercial product.
David Laight: email@example.com
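As an added illustration of the point made above (this is not code from the thread or from NetBSD's newfs or libc), the block below implements a generic additive generator of the form x[n] = x[n-A] + x[n-B] mod 2^32 and checks that B consecutive outputs are the generator's entire state: anyone who sees them reproduces every later output, which is why such a generator is "not secure on its own" and why random() should not feed security-sensitive values. The lags 24/55 are the classic Mitchell-Moore choice; BSD random() uses its own lags and drops one output bit, but the structural point is the same. The seed routine and constants are constructed for the example.

```c
/* Added example (not from the thread): a lagged Fibonacci (additive)
 * generator x[n] = x[n-LAG_A] + x[n-LAG_B] (mod 2^32), plus a check that
 * LAG_B consecutive outputs are its whole state.  Lags are the classic
 * Mitchell-Moore 24/55; the LCG seeding is just a constructed filler. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LAG_A 24
#define LAG_B 55

typedef struct {
    uint32_t buf[LAG_B];  /* ring buffer holding the last LAG_B outputs */
    size_t pos;           /* index of the oldest word, x[n-LAG_B] */
} lfg_t;

/* Fill the buffer from a seed; any nonzero fill works for the demo. */
static void lfg_seed(lfg_t *g, uint32_t seed) {
    for (size_t i = 0; i < LAG_B; i++) {
        seed = seed * 1664525u + 1013904223u;   /* constructed LCG filler */
        g->buf[i] = seed;
    }
    g->pos = 0;
}

/* One step: x[n] = x[n-LAG_A] + x[n-LAG_B], written over the oldest slot. */
static uint32_t lfg_next(lfg_t *g) {
    size_t ia = (g->pos + LAG_B - LAG_A) % LAG_B;   /* slot of x[n-LAG_A] */
    uint32_t v = g->buf[g->pos] + g->buf[ia];
    g->buf[g->pos] = v;
    g->pos = (g->pos + 1) % LAG_B;
    return v;
}

/* Rebuild a generator purely from LAG_B observed outputs, oldest first.
 * No seed or internal secret is needed: the outputs ARE the state. */
static void lfg_from_outputs(lfg_t *g, const uint32_t seen[LAG_B]) {
    memcpy(g->buf, seen, sizeof g->buf);
    g->pos = 0;
}

/* Returns 1 if a clone built from LAG_B observed outputs predicts the
 * next n outputs of the real generator exactly, else 0. */
int lfg_state_is_public(uint32_t seed, int n) {
    lfg_t real, clone;
    uint32_t seen[LAG_B];
    lfg_seed(&real, seed);
    for (size_t i = 0; i < LAG_B; i++)
        seen[i] = lfg_next(&real);           /* the observer's view */
    lfg_from_outputs(&clone, seen);
    for (int i = 0; i < n; i++)
        if (lfg_next(&clone) != lfg_next(&real))
            return 0;
    return 1;
}

int main(void) {
    printf("clone predicts next 1000 outputs: %s\n",
           lfg_state_is_public(0x12345678u, 1000) ? "yes" : "no");
    return 0;
}
```

The result is independent of the seed: once LAG_B words have been emitted the seeding procedure no longer matters, which is what Schneier means by an additive generator being only a building block. A secure construction has to keep the state out of the output, for instance by keying and whitening it, rather than exposing the raw words.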