Sandy Harris <sandyinchina@xxxxxxxxx> wrote:

> The basic ideas here look good to me; I will look at details later.

Looking now, finding some things questionable.

Your doc has:

" /dev/random needs to be fast, and in the past it relied on using a
cryptographic primitive for expansion of PNRG to fill a given request "

" urandom on the other hand uses a cryptographic primitive to compact
rather than expand, "

This does not seem coherent to me & as far as I can tell, it is wrong
as well. /dev/random neither uses a PRNG nor does expansion.
/dev/urandom does both, but you seem to be saying the opposite.

" We can assume AES preserves confidentiality... "

That is a reasonable assumption & it does make the design easier, but
is it necessary? If I understood some of Ted's writing correctly, one
of his design goals was not to have to trust the crypto too much. It
seems to me that is a worthy goal.

One of John Denker's papers has some quite nice stuff about using a
hash function to compress input data while preserving entropy. It
needs only quite weak assumptions about the hash.
https://www.av8n.com/turbid/

You want to use AES in OFB mode. Why? The existing driver uses ChaCha,
I think mainly because it is faster.

The classic analysis of how to use a block cipher to build a hash is
Preneel et al.
https://link.springer.com/content/pdf/10.1007%2F3-540-48329-2_31.pdf

As I recall, it examines 64 possibilities & finds only 9 are secure. I
do not know if OFB, used as you propose, is one of those. Do you?
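To make the compact-versus-expand distinction and the block-cipher-hash question above concrete, here is an added example (not from this thread, the proposed doc, or the kernel driver): Davies-Meyer, h' = E_m(h) XOR h, is one of the block-cipher hash constructions Preneel et al. classify as secure, and is shown here compacting input to 128 bits beside AES-OFB doing the opposite job of expanding a seed into keystream. The padding scheme, the zero IV and the sample input are choices made for this example only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// dmCompress is the Davies-Meyer compression function h' = E_m(h) XOR h over
// AES-128, with the message block as key; Preneel et al. rate this scheme secure.
func dmCompress(h, m [16]byte) [16]byte {
	block, _ := aes.NewCipher(m[:]) // m is always 16 bytes, so err is nil
	var out [16]byte
	block.Encrypt(out[:], h[:])
	for i := range out {
		out[i] ^= h[i]
	}
	return out
}

// dmHash chains dmCompress over the padded input (0x80, zeros, 64-bit bit length)
// from a zero IV, compacting any input to 128 bits. Padding/IV are example choices.
func dmHash(msg []byte) [16]byte {
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%16 != 8 {
		padded = append(padded, 0)
	}
	var lenBlock [8]byte
	binary.BigEndian.PutUint64(lenBlock[:], uint64(len(msg))*8)
	padded = append(padded, lenBlock[:]...)
	var h [16]byte
	for i := 0; i < len(padded); i += 16 {
		var m [16]byte
		copy(m[:], padded[i:i+16])
		h = dmCompress(h, m)
	}
	return h
}

// ofbExpand is the opposite direction: AES-OFB stretches a 16-byte seed into n
// bytes of keystream (PRNG expansion); the zero IV is an example choice.
func ofbExpand(seed [16]byte, n int) []byte {
	block, _ := aes.NewCipher(seed[:])
	out := make([]byte, n)
	cipher.NewOFB(block, make([]byte, aes.BlockSize)).XORKeyStream(out, out)
	return out
}

func main() {
	seed := dmHash([]byte("constructed sample entropy input"))
	fmt.Printf("compacted: %x\nexpanded:  %x\n", seed, ofbExpand(seed, 32))
}
```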