Re: [RFC PATCH v1 00/52] Audit kernel random number use


 



On Sun, Mar 29, 2020 at 05:41:22PM +0000, George Spelvin wrote:
> > Using xor was particularly stupid.
> > The whole generator was then linear and trivially reversible.
> > Just using addition would have made it much stronger.
> 
> I considered changing it to addition (actually, add pairs and XOR the 
> sums), but that would break its self-test.  And once I'd done that,
> there are much better possibilities.
> 
> Actually, addition doesn't make it *much* stronger.  To start
> with, addition and xor are the same thing at the lsbit, so
> observing 113 lsbits gives you a linear decoding problem.

David,

If anyone is trying to rely on prandom_u32() as being "strong" in any
sense of the word in terms of being reversible by an attacker --- they
shouldn't be using prandom_u32().  That's going to be true no matter
*what* algorithm we use.

Better distribution?  Sure.  Making prandom_u32() faster?  Absolutely;
that's its primary raison d'être.

George,

Did you send the full set of patches to a single mailing list?  Or can
you make it available on a git tree somewhere?  I've only seen this
message plus the ext4 related change, and I can't find the full patch
series anywhere.  If you can send the next version such that it's
fully cc'ed to linux-kernel, that would be really helpful.

Thanks!!

						- Ted
