> On Fri, Apr 26, 2019 at 11:33:09AM +0000, Reshetova, Elena wrote:
> > Adding Eric and Herbert to continue discussion for the chacha part.
> > So, as a short summary I am trying to find out a fast (fast enough to be
> > used per syscall invocation) source of random bits with good enough
> > security properties.
> > I started to look into chacha kernel implementation and while it seems that
> > it is designed to work with any number of rounds, it does not expose less
> > than 12 rounds primitive.
> > I guess this is done for security sake, since 12 is probably the lowest
> > bound we want people to use for the purpose of encryption/decryption, but
> > if we are to build an efficient RNG, chacha8 probably is a good tradeoff
> > between security and speed.
> >
> > What are people's opinions/perceptions on this? Has it been considered
> > before to create a kernel RNG based on chacha?
>
> Well, sure. The get_random_bytes() kernel interface and the
> getrandom(2) system call uses a CRNG based on chacha20. See
> extract_crng() and crng_reseed() in drivers/char/random.c.

Oh, indeed, I missed this link fully when I was trying to trace chacha usages in the kernel. I am not familiar with the crypto kernel API, and it looks like my source code cross-referencing failed here miserably. The only question left is how fast/slow this is...

Best Regards,
Elena.