tech-kern archive


Re: cprng_fast implementation benchmarks



<Paul_Koning%Dell.com@localhost> wrote:
> > There are cases when both security and performance matter.  Consider
> > TCP ISN generation or UDP port number generation (i.e. randomisation).
> > There are known security issues if these numbers can be predicted, but
> > at the same time, a high performance penalty is undesirable in the network
> > stack.  However, the requirements are a bit different: the lifetime of
> > a packet or connection tends to be much shorter than that of some encrypted
> > and permanently stored piece of information.  Arguably, given a short
> > lifetime, a weaker (but faster) CPRNG is enough to make potential
> > attacks impractical.  Do you disagree?
> 
> I think I do.  The description you gave seems to amount to: we need
> something that is better than a PRNG but it doesn’t have to be as strong
> as the real crypto RNG we have.  But that’s not a particularly precise
> definition, and it’s hard to judge whether a proposed implementation
> meets the requirements, or not.  
> 
> In general, where security issues are involved, it is desirable to have
> properties expressed quantitatively.  For example, security equivalent to
> brute force search over a 2^128 (128 bit) key space.  Or brute force
> over some other 2^n (n bit) key space.
> 
> Knowing that there are “security issues” with UDP port number generation
> may mean that a PRNG is inadequate.  Deciding what sort of generator IS
> adequate, though, means starting with a more definite description of the
> nature of the attacks that we’re worried about, and the strength of the
> defense that is desired.

But you do not disagree with the concept of having a weak and a strong CPRNG,
do you?  I think what you are basically saying is that we should take a more
academic approach to the way we classify "weak" and "strong".  Yes, I agree
with that.  Thor made a brief overview in his "Towards design criteria for
cprng_fast()" email, which is something of a step in that direction, but doing
it properly requires a study.  That requires human resources which we may
or may not have.  Do you know potential volunteers?

Meanwhile, Thor's work is a step forward from what we have in the tree,
regardless of whether the weak/strong definition improves or not.

-- 
Mindaugas
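The exchange above argues that "a PRNG is inadequate" for port randomisation and that the defence should be stated as a work factor (brute force over some 2^n space). The following is an added example, not code from this thread, from NetBSD's cprng_fast() or from Thor's proposal; the port allocator, the LCG constants, the seed and the function names are all constructed for illustration. It hands out the top 16 bits of a 31-bit LCG state as a port, and shows that an attacker who sees three consecutive ports recovers the hidden 15 bits of state by trying 2^15 candidates and then predicts the fourth port, i.e. the "key space" is 2^15, not the 2^128 Paul uses as a yardstick.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed toy allocator (not NetBSD code): a 31-bit LCG with the
 * classic rand() constants. Bits 15..30 of the state are handed out as
 * the port; bits 0..14 are never observed by the network peer.
 */
#define LCG_A       1103515245u
#define LCG_C       12345u
#define STATE_BITS  31
#define STATE_MASK  ((1u << STATE_BITS) - 1)
#define PORT_SHIFT  (STATE_BITS - 16)   /* port = state >> 15 */
#define HIDDEN_BITS PORT_SHIFT          /* 15 state bits the attacker must guess */

static uint32_t lcg_step(uint32_t s)
{
    return (LCG_A * s + LCG_C) & STATE_MASK;
}

static uint16_t port_of(uint32_t s)
{
    return (uint16_t)(s >> PORT_SHIFT);
}

/* Victim side: hand out n consecutive ports from a secret seed. */
void emit_ports(uint32_t seed, uint16_t *out, int n)
{
    uint32_t s = seed & STATE_MASK;
    for (int i = 0; i < n; i++) {
        s = lcg_step(s);
        out[i] = port_of(s);
    }
}

/*
 * Attacker side: every state consistent with the first observed port is
 * p1 << 15 | hidden for some 15-bit hidden value. Step each candidate and
 * keep those that reproduce the next two observed ports; the true state
 * always survives, and a wrong one survives with probability about 2^-32.
 * Returns the number of survivors; *predicted is the fourth port implied by
 * the first survivor and is meaningful only when exactly one survives.
 */
unsigned predict_fourth_port(uint16_t p1, uint16_t p2, uint16_t p3,
                             uint16_t *predicted)
{
    unsigned survivors = 0;
    for (uint32_t hidden = 0; hidden < (1u << HIDDEN_BITS); hidden++) {
        uint32_t s1 = ((uint32_t)p1 << PORT_SHIFT) | hidden;
        uint32_t s2 = lcg_step(s1);
        if (port_of(s2) != p2)
            continue;
        uint32_t s3 = lcg_step(s2);
        if (port_of(s3) != p3)
            continue;
        if (survivors == 0)
            *predicted = port_of(lcg_step(s3));
        survivors++;
    }
    return survivors;
}

/* Work the attacker pays, in bits: the hidden state width, not 128. */
unsigned attack_work_bits(void)
{
    return HIDDEN_BITS;
}

/* End-to-end check: 1 if three observed ports pin down the state and the
 * predicted fourth port is the one the victim actually hands out. */
int attack_succeeds(uint32_t secret_seed)
{
    uint16_t ports[4];
    uint16_t guess = 0;
    emit_ports(secret_seed, ports, 4);
    unsigned n = predict_fourth_port(ports[0], ports[1], ports[2], &guess);
    return n == 1 && guess == ports[3];
}

int main(void)
{
    uint16_t ports[4];
    uint16_t guess = 0;
    emit_ports(0x1234567u, ports, 4);   /* constructed secret seed */
    unsigned n = predict_fourth_port(ports[0], ports[1], ports[2], &guess);
    printf("observed %u %u %u: %u candidate(s), predicted %u, actual %u "
           "(work ~2^%u)\n", ports[0], ports[1], ports[2], n, guess,
           ports[3], attack_work_bits());
    return attack_succeeds(0x1234567u) ? 0 : 1;
}
```

The point of the search loop is the quantitative one Paul asks for: three observed ports cost the attacker about 2^15 LCG steps, which is well within a single packet lifetime, so "short lifetime" on its own does not rescue a generator whose hidden state is this small. Whatever cprng_fast() ends up being, the same kind of count (how many unobserved state bits, and how many outputs an attacker needs to pin them down) is what a "weak" versus "strong" classification would have to state.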
