On 2020-08-07 10:43 a.m., Willy Tarreau wrote:
Which means that it's 2^32 effort to brute force this (which Amit called "no
biggie for modern machines"). If the noise is the raw sample data with only
a few bits of entropy, then it's even easier to brute force.
Don't you forget to multiply by another 2^32 for X being folded onto itself ?
Because you have 2^32 possible values of X which will give you a single 32-bit
output value for a given noise value.
If I can figure the state out once, then the only new input is the
noise, so that's the only part I have to brute force. Throwing the noise
in makes it more difficult to get that state once, but once I have it
then this type of reseeding doesn't help.
Is there a hard instruction budget for this, or it is
just "fast enough to not hurt the network benchmarks" (i.e. if Dave Miller
screams)?
It's not just Davem. I too am concerned about wasting CPU cycles in fast
path especially in the network code. A few half-percent gains are hardly
won once in a while in this area and in some infrastructures they matter.
Not much but they do.
That's why I was asking. I don't have the same experience as you for
what acceptable is. I think it might be possible to do a decent CPRNG
(that's at least had some cryptanalys of it) with ~20 instructions per
word, but if that's not fast enough then I'll think about other options.
Marc
