Am Wed, May 04, 2022 at 01:16:44PM +0200 schrieb Jason A. Donenfeld: > Before, the first 64 bytes of input, regardless of how entropic it was, > would be used to mutate the crng base key directly, and none of those > bytes would be credited as having entropy. Then 256 bits of credited > input would be accumulated, and only then would the rng transition from > the earlier "fast init" phase into being actually initialized. > > The thinking was that by mixing and matching fast init and real init, an > attacker who compromised the fast init state, considered easy to do > given how little entropy might be in those first 64 bytes, would then be > able to bruteforce bits from the actual initialization. By keeping these > separate, bruteforcing became impossible. > > However, by not crediting potentially creditable bits from those first 64 > bytes of input, we delay initialization, and actually make the problem > worse, because it means the user is drawing worse random numbers for a > longer period of time. > > Instead, we can take the first 128 bits as fast init, and allow them to > be credited, and then hold off on the next 128 bits until they've > accumulated. This is still a wide enough margin to prevent bruteforcing > the rng state, while still initializing much faster. > > Then, rather than trying to piecemeal inject into the base crng key at > various points, instead just extract from the pool when we need it, for > the crng_init==0 phase. Performance may even be better for the various > inputs here, since there are likely more calls to mix_pool_bytes() then > there are to get_random_bytes() during this phase of system execution. Have you evaluated this closer, also for systems where it takes ages to reach crng_init = 1? And might it make sense to only call extract_entropy() if there has been new input between two calls to get_random_bytes()? Thanks, Dominik
