On Fri, 2020-02-07 at 01:05 -0800, Kees Cook wrote: > On Fri, Feb 07, 2020 at 08:23:53AM +0100, Jean-Philippe Aumasson > wrote: > > On Thu, Feb 6, 2020 at 4:10 PM Jason A. Donenfeld <Jason@xxxxxxxxx> > > wrote: > > > > > Hey Kees, > > > > > > On Wed, Feb 05, 2020 at 02:39:43PM -0800, Kristen Carlson Accardi > > > wrote: > > > > +#define rot(x, k) (((x)<<(k))|((x)>>(64-(k)))) > > > > +static u64 prng_u64(struct prng_state *x) > > > > +{ > > > > + u64 e; > > > > + > > > > + e = x->a - rot(x->b, 7); > > > > + x->a = x->b ^ rot(x->c, 13); > > > > + x->b = x->c + rot(x->d, 37); > > > > + x->c = x->d + e; > > > > + x->d = e + x->a; > > > > + > > > > + return x->d; > > > > +} > > > > > > I haven't looked closely at where the original entropy sources > > > are > > > coming from and how all this works, but on first glance, this > > > prng > > > doesn't look like an especially cryptographically secure one. I > > > realize > > > that isn't necessarily your intention (you're focused on speed), > > > but > > > actually might this be sort of important? If I understand > > > correctly, the > > > objective of this patch set is so that leaking the address of one > > > function doesn't leak the address of all other functions, as is > > > the case > > > with fixed-offset kaslr. But if you leak the addresses of _some_ > > > set of > > > functions, and your prng is bogus, might it be possible to figure > > > out > > > the rest? For some prngs, if you give me the output stream of a > > > few > > > numbers, I can predict the rest. For others, it's not this > > > straight > > > forward, but there are some varieties of similar attacks. If any > > > of that > > > set of concerns turns out to apply to your prng_u64 here, would > > > that > > > undermine kaslr in similar ways as the current fixed-offset > > > variety? Or > > > does it not matter because it's some kind of blinded fixed-size > > > shuffle > > > with complex reasoning that makes this not a problem? > > > > Let me share my 2 cents: > > > > That permutation might be safe but afaict it hasn't been analyzed > > wrt > > modern cryptographic techniques and there might well be > > differential > > characteristics, statistical biases, etc. > > > > What about just using SipHash's permutation, already in the kernel? > > It > > works on 4*u64 words too, and 6 rounds would be enough. > > > > Doing a basic ops count, we currently have 5 group operations and 3 > > rotations per round or 150 and 90 for the 30 init rounds. With > > SipHash it'd > > be 48 and 36 with the proposed 6 rounds. Probably insignificant > > speed wise > > as init is only done once but just to show that we'd get both > > better > > security assurance and better performance. > > Yeah, this was never meant to be anything but a POC and after timing > tests, it seemed like an unneeded abstraction but was kept for this > RFC so it was possible to specify a stable seed at boot for > debugging, > etc. I think this patch will not survive to v1. :) That's right, I'm going to drop it and go with the ChaCha20 implementation as was suggested.