On Fri, Apr 25, 2014 at 01:53:13PM +0000, paul_kon...@dell.com wrote:
>
> Yes, the discussion is about an RNG that is weaker than the existing
> strong RNG. How much weaker is not clear.

There's not a single answer, because the CTR_DRBG is designed to resist attacks that really don't seem relevant here. It's not a simple question of whether one cipher is stronger than the other. Even if you compare the core transforms (AES-128 in the case of the CTR_DRBG vs ChaCha8) it's not at all clear that ChaCha8 is any weaker. There is not any currently known attack on 8 rounds of ChaCha that is better than brute force on its 256-bit key. AES-128 is, at best, 128 bits strong.

> that I can't tell whether it is stronger than the minimum required, or
> weaker than that.

At present, if we are talking simply about the strength of the cipher itself (rather than about properties such as backtracking resistance) there's no attack better than brute-forcing the 256-bit key. It seems to me that is probably good enough.

Thor