On Sun, May 29, 2016 at 09:51:59PM +0200, Stephan Mueller wrote:
>
> I personally am not sure that taking some arbitrary cipher and turning it into
> a DRNG by simply using a self-feeding loop based on the ideas of X9.31
> Appendix A2.4 is good. ChaCha20 is a good cipher, but is it equally good for a
> DRNG? I do not know. There are too few assessments from mathematicians out
> there regarding that topic.

If ChaCha20 is a good (stream) cipher, it must be a good DRNG by definition.
In other words, if you can predict the output of a ChaCha20-based DRNG with
any accuracy greater than chance, this can be used as a wedge to attack the
stream cipher.

I will note that OpenBSD's "ARC4" random number generator is currently using
ChaCha20, BTW.

Regards,

- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html