-
Notifications
You must be signed in to change notification settings - Fork 432
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Key erasure AES variant #299
Comments
Your point is that it's possible to produce very fast cryptographic generators for bulk output by using CPU-specific features? Cool. But I don't much like comparing apples to pineapples. I suggest this would make a good external crate, but not be such a good inclusion with Rand itself since:
To be fair, we should probably consider SIMD-optimised generators at some point, though I don't know whether it would be worth making them the default generators (for many applications where randomness is consumed in small quantities the performance enhancements may not be significant). |
Could always pick a SIMD specialisation on when user calls a fill_buffer with a larger buffer, and otherwise use the non-SIMD implementation with less throughput but possibly better latency characteristics. |
Yes, but SIMD probably makes more sense with buffer-backed RNGs like the current cryptographic ones (generate a block at once). |
Why? Our current
It gives forward secrecy. This is a nice property to have, because it means that i.e. compromising a server does not compromise previously generated secrets (if they are not stored in some other form). In that regard it is similar to
Rand can still be portable by falling back to something else on other platforms.
That is a fair point, it contains a bit of unsafe code. I hope this can be improved by using a safe abstraction like |
@vks Nice project! I tried to read up a bit on the design of this RNG, but I am not there yet 😄. Is my understanding right? The basic idea is that common RNGs for cryptography keep some of their generated values in memory, and this memory can be leaked (swapping to disk, inspecting process memory, etc.). I sure think it is neat. It may be good to wait a while before really using it to give it time to prove itself. And also good to take lessons from. One thing I had planned for the But I see no reason why this RNG has to be in Rand, at least not right now. We are moving towards no, or as few as possible, RNG implementations, not many. |
This is certainly not something for the near future (the algorithm, the implementation and SIMD in Rust are quite immature). I was just wondering whether it might be a better default in the long run, and the point of this issue is to discuss the pros and cons.
Yes, I think it is. |
Renamed the issue from "Faster RNG for filling buffers" to "Key erasure AES variant", as this is more about a new CSPRNG than about filling buffers. |
This article offers an improvement over using AES in counter mode, in that it offers backtracking resistance at lower cost or a better API. If at some point the internal state of the common variant is exposed, all previously generated values can be recovered. The NIST document has some requirements that the common variant should overwrite its state when the user is 'done with it', but that is not easy for an API. This variant will, after generating a buffer with a couple of blocks of values, also use one block to generate a new internal state (or seed). This overwrites the old key, making it impossible to recover previous rounds. |
Another fast backtracking-resistant RNG: https://github.com/google/randen |
Note that Randen provides a Rust implementation in the official repository. |
The Randen paper has been published: https://arxiv.org/abs/1810.02227 |
We shouldn't forget about Randen as a possible alternative to ChaCha; it is fast, fairly simple code and has backtracking resistance. Right now I see two issues:
This would provide an alternative to #872, for some platforms. |
I ported an implementation of a fast-key-erasure RNG suggested by djb to Rust: https://github.com/vks/aesrng
It is about two times faster than non-SIMD xoroshiro when generating 100 MiB of random data. Only
fill_bytes
is implemented for now.Once
stdsimd
is stabilized, this might be of interest for Rand.The text was updated successfully, but these errors were encountered: