Hi Ted,

On Wed, Aug 05, 2020 at 11:34:32AM -0400, tytso@xxxxxxx wrote:
> That being said, it certainly is a certificational / theoretical
> weakness, and if the bright boys and girls at Fort Meade did figure
> out a way to exploit this, they are very much unlikely to share it at
> an open Crypto conference. So replacing LFSR-based PRNG with
> something stronger which didn't release any bits from the fast_pool
> would certainly be desirable, and I look forward to seeing what Willy
> has in mind.

I'll post a proposal patch shortly about this, hopefully this weekend
(got diverted by work lately :-)).

Just to give you a few pointers, it's a small modification of MSWS. It
passes the PractRand test suite on 256 GB of data with zero warnings
(something that Tausworthe is supposed to fail at). By default, MSWS
*does* leak its internal state, as Amit showed us (and seeing that the
paper on it suggests it's safe as-is for crypto use is a bit shocking),
but once slightly adjusted, it doesn't reveal its state anymore and that
would constitute a much more future-proof solution for quite some time.

Tausworthe was created something like 20 years ago or so, hence it's not
surprising that it's a bit dated by now, but if we can upgrade once
every 2 decades I guess it's not that bad.

Cheers,
Willy
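The message above states that stock MSWS leaks its internal state. The following is an added example (not Willy's patch, and not code from the thread) that makes that concrete: it implements MSWS as in Widynski's reference code (square, add a Weyl counter with an odd increment, swap the 32-bit halves), then rebuilds the full generator state from just three consecutive outputs and predicts every later output. Because the returned 64-bit value *is* the squared state, the only unknowns are the Weyl counter and its increment, and both fall out of simple mod 2^64 arithmetic. The seed constants are sample values chosen here (the increment is the one from the MSWS reference code, used only as a sample); the adjusted variant mentioned in the message is not shown because the message does not describe it.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Middle Square Weyl Sequence (MSWS), per Widynski's reference code:
 * square the state, add a Weyl counter advanced by an odd increment,
 * and return the state with its 32-bit halves swapped.
 */
struct msws {
	uint64_t x;	/* output, which is also the squared state */
	uint64_t w;	/* Weyl counter */
	uint64_t s;	/* odd increment ("stream" constant) */
};

/* Swapping the halves is an involution: applying it twice is the identity. */
static inline uint64_t swap_halves(uint64_t v)
{
	return (v >> 32) | (v << 32);
}

static uint64_t msws_next(struct msws *st)
{
	st->x *= st->x;
	st->w += st->s;
	st->x += st->w;
	st->x = swap_halves(st->x);
	return st->x;
}

/*
 * State recovery from three consecutive outputs o1, o2, o3 (all mod 2^64):
 *   o2 = swap(o1*o1 + w2)  =>  w2 = swap(o2) - o1*o1
 *   o3 = swap(o2*o2 + w3)  =>  w3 = swap(o3) - o2*o2
 *   s  = w3 - w2
 * After emitting o3 the generator's state is exactly (x = o3, w = w3, s).
 */
static int msws_recover(uint64_t o1, uint64_t o2, uint64_t o3, struct msws *out)
{
	uint64_t w2 = swap_halves(o2) - o1 * o1;
	uint64_t w3 = swap_halves(o3) - o2 * o2;
	uint64_t s = w3 - w2;

	if (!(s & 1))	/* MSWS requires an odd increment; anything else is not MSWS */
		return -1;
	out->x = o3;
	out->w = w3;
	out->s = s;
	return 0;
}

/*
 * Seed a "victim" generator with (x0, w0, s0), observe three outputs, rebuild
 * its state in a clone, and count how many of the next n victim outputs the
 * clone predicts exactly. Returns -1 if recovery fails; n on a full compromise.
 */
long msws_predict_run(uint64_t x0, uint64_t w0, uint64_t s0, long n)
{
	struct msws victim = { .x = x0, .w = w0, .s = s0 };
	struct msws clone;
	uint64_t o1 = msws_next(&victim);
	uint64_t o2 = msws_next(&victim);
	uint64_t o3 = msws_next(&victim);
	long hits = 0;

	if (msws_recover(o1, o2, o3, &clone))
		return -1;
	for (long i = 0; i < n; i++)
		if (msws_next(&clone) == msws_next(&victim))
			hits++;
	return hits;
}

int main(void)
{
	/* Sample seed (assumption): increment from the MSWS reference code, x = w = 0. */
	long n = 100000;
	long hits = msws_predict_run(0, 0, 0xb5ad4eceda1ce2a9ULL, n);

	printf("predicted %ld of %ld outputs after observing 3\n", hits, n);
	return 0;
}
```

The three observed outputs are enough regardless of the seed, which is the point of the "leaks its internal state" remark: any consumer that receives raw MSWS outputs can clone the generator, so an adjusted variant has to stop returning the whole squared state (or otherwise decouple output from state) before it can be considered for anything security-sensitive.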