From: Pavel Machek
To: Yevgeniy Dodis
Cc: "Jason A. Donenfeld", tytso, Nadia Heninger, Noah Stephens-Dawidowitz, Stefano Tessaro, torvalds@linux-foundation.org, "D. J. Bernstein", jeanphilippe.aumasson@gmail.com, jann@thejh.net, keescook@chromium.org, gregkh@linuxfoundation.org, Peter Schwabe, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: is "premature next" a real world rng concern, or just an academic exercise?
Date: Wed, 11 May 2022 22:46:50 +0200
Message-ID: <20220511204650.GA21867@amd>

Hi!

> > > > Thank you for starting this fascinating discussion.
> > I generally agree with everything Jason said. In particular, I am not
> > 100% convinced that the extra cost of the premature next defense is
> > justified. (Although Windows and MacOS are adamant it is worth it :).)

Dunno, how big is the cost of "premature next" defenses? I believe all
you need to do is to reseed in batches, and that does not seem costly at
runtime, and does not have high cost in kernel .text.

> > But let me give some meta points to at least convince you this is not
> > as obvious as Jason makes it sound.
> >
> > 1) Attacking RNGs in any model is really hard. Heck, everybody knew
> > for years that /dev/random is a mess (and we published it formally in
> > 2013, although this was folklore knowledge), but in all these years
> > nobody (even Nadya's group :)) managed to find a practical attack. So
> > just because the attack seems far-fetched, I do not think we should
> > lower our standards and do ugly stuff. Otherwise, just leave
> > /dev/random the way it was before Jason started his awesome work.

Well, practical attacks may be hard, but when they happen... that's bad.
We had weak keys generated by Debian, we have various devices with
deterministic RNGs...

Best regards,
Pavel

--
People of Russia, stop Putin before his war on Ukraine escalates.
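A toy model of the "reseed in batches" point, added here as an illustration and not code from this thread or from the kernel: entropy events are either mixed into a hash-based RNG state one at a time, or credited to a pool and mixed only once a threshold of estimated bits is reached. The sample events, the 8-bits-per-event credit and the state/output functions are constructed assumptions; with per-event reseeding an adversary who learned the state can follow every reseed by exhausting the small input space, while a 64-bit batch puts that search out of reach.

```python
import hashlib

def mix(state: bytes, entropy: bytes) -> bytes:
    return hashlib.sha256(b"mix" + state + entropy).digest()  # absorb entropy

def output(state: bytes) -> bytes:
    return hashlib.sha256(b"out" + state).digest()  # bytes handed to readers

class Pool:
    """Credit entropy events; mix them into the state only once the credited
    bits reach threshold_bits (threshold == event size: mix each event at once)."""
    def __init__(self, state: bytes, threshold_bits: int):
        self.state, self.threshold_bits = state, threshold_bits
        self.pool, self.pool_bits, self.reseeds = b"", 0, 0

    def add_event(self, sample: bytes, est_bits: int) -> int:
        """Return the bits mixed if this event triggered a reseed, else 0."""
        self.pool, self.pool_bits = self.pool + sample, self.pool_bits + est_bits
        if self.pool_bits < self.threshold_bits:
            return 0
        self.state, self.reseeds = mix(self.state, self.pool), self.reseeds + 1
        mixed, self.pool, self.pool_bits = self.pool_bits, b"", 0
        return mixed

def recover_state(known_state: bytes, observed: bytes, mixed_bits: int):
    """Premature-next adversary model: from a known previous state, try every
    mixed_bits-bit entropy input; only attempted while the space is small."""
    if mixed_bits > 16:
        return None  # 2**mixed_bits candidates: out of reach in this model
    for guess in range(1 << mixed_bits):
        cand = mix(known_state, guess.to_bytes((mixed_bits + 7) // 8, "big"))
        if output(cand) == observed:
            return cand
    return None

# Constructed sample: eight 1-byte events, each credited with 8 bits.
EVENTS = [bytes([37 * i % 256]) for i in range(8)]

def simulate(threshold_bits: int, events=EVENTS, bits_per_event: int = 8):
    """Run the events through a pool with the given threshold; return
    (reseeds, reseeds an adversary who knew the initial state could follow)."""
    pool = Pool(b"\x00" * 32, threshold_bits)
    adversary_state, tracked = pool.state, 0  # compromise: state is known
    for sample in events:
        mixed = pool.add_event(sample, bits_per_event)
        if mixed:  # a reseed happened; until then readers saw predictable output
            cand = recover_state(adversary_state, output(pool.state), mixed)
            if cand == pool.state:
                adversary_state, tracked = cand, tracked + 1
    return pool.reseeds, tracked
```

Between the compromise and the batched reseed the output stays predictable, which is the price of batching; the gain is that the batch reseed actually sheds the compromise instead of being tracked increment by increment.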