On Sun, Jun 26, 2016 at 08:47:53PM +0200, Pavel Machek wrote: > > You are basically trying to turn CRNG into one way hash function here, > right? Do you have any explanation that it has the required > properties? Well, not really. A CRNG has the property that if you generate a series of outputs: O_N-1, O_N, O_N+1, etc., knowledge of O_N does not give you any special knowledge with respect to O_N+1 or O_N-1. The anti-backtracking protection means that when we generate O_N, we use O_N+1 to mutate the state used for the CRNG; specifically, we are XOR'ing O_N+1 into the state. Now let's suppose that state gets exposed. Even if you know O_N, that's not going to let you know O_N+1, so knowledge of the exposed state post XOR with O_N+1 isn't going to help you get back the original state. More generally, if we assume ChaCha20 is secure, that means that you can't derive the key even if you have known plaintext. The output of the CRNG is basically the keystream --- what you have after you XOR the ciphertext with the plaintext. If ChaCha20 is secure, knowledge of large portions of the keystream should not help you determine the key, which means is why knowledge of O_N-1, O_N, won't help you derive either (a) the state of CRNG, aka the ChaCha20 key, or (b) O_N+1. Cheers, - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html