-
Notifications
You must be signed in to change notification settings - Fork 430
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ChaCha construction and rounds #349
Comments
Isn't |
Yes, ChaChaRng was restricted to 20 rounds but @pitdicker changed it to be adjustable. It seemed like a good idea, but maybe it's not, I don't know... exploiting it would require finding a way to reduce the rounds to the minimum (which is 8), then cracking ChaCha8 (which as far as I know is still a very hard/impossible problem). |
I think that is a good takeaway from this. But I believe we can't? I can't care all that strongly though. The marker trait has uses, but it is no promise the RNG is secure. There are all kinds of ways a user can mess up, for example during initialization. Setting the number of rounds to something too low is just one of the problems. |
The trend has been towards crypto libraries that are as hard as possible to use incorrectly by minimizing parameters adjustable by the user (see for example libsodium and ring). Aren't we deprecating |
That is a good point. But as I see it Rand is not a crypto library, and ChaCha has valid uses outside of cryptography. With a reduced number of rounds it is no longer suitable for cryptography-related things, but it is still a very good and reasonably fast RNG. Who is to say that is not a valid use case? Why would you say we are deprecating |
I wonder myself if it makes more sense to have separate |
I thought it is superseded by HC128 and will be removed in the long term, but maybe I'm mistaken.
I would prefer to expose this functionality in a separate crate.
If we are taking this point of view, I think we should not advertise any of our RNGs as "cryptographically secure". We might want to consider moving our crypto RNGs to RustCrypto/CSRNGs. |
I think separate round count types makes sense. I disagree that HC128 supersucceeds ChaCha for all CSPRNG applications. As minimum, initializing HC128 has a slow startup when you start with a good randomness, fork CSPRNGs lots, and only needs a small amount of output for each one. In fact, I think quite the opposite that CSPRNGs should be easy to use in standards compliant ways, which requires some diversity. |
Yes. HC-128 is really different, and both have there uses. Is there something here we want to change before 0.5? Maybe hide the |
Yes, hiding There is an option for setting rounds at construction-time only with |
Is there much usage of ChaCha8 or ChaCha12? Not that I can find... Are they secure? There's a 2008 paper that documents an "attack" (but not a practical one) against Salsa20/8 and ChaCha7. It mentions:
Apparently 15 rounds of Salsa20 is 128-bit secure. It therefore appears that ChaCha8 and ChaCha12 fall into a "grey zone" of having no known practical attacks but without a high confidence of security, similar to the ISAAC RNGs. So is there any point at all in exposing these reduced-round variants? HC128 appears a better choice for both performance and apparent security. (If anyone specifically wants the reduced-round variants, speak up, but it sounds like we have no use for them.) |
I'd leave them out for now, mostly because we added |
I see ChaCha with fewer rounds as a valid use. It is not suitable as a CSPRNG. But it has good statistical quality even with only 3 rounds. It uses relatively little memory, and has reasonable performance that can be combined with SIMD. So one group would dismiss it, for another it can be useful. An alternative idea: What about removing |
Sure. Is |
https://github.com/rust-lang-nursery/rand/pull/374/files changed In my opinion our implementation is in a pretty good state now, feature-wise. Using ChaCha with fewer rounds or different constructors seems like something niche enough to me to be something in a crate outside Rand. I think this issue can be closed? |
This is about two things;
set_rounds
and a new constructor; quotes from reddit:I wonder if we should support
CryptoRng
only for ChaCha20 and maybe ChaCha12?The text was updated successfully, but these errors were encountered: