On Wed, Nov 21, 2018 at 11:45 PM Chet Ramey <chet.ra...@case.edu> wrote:
> On 11/21/18 3:07 PM, Ole Tange wrote:
> > 'brand' in variables.c is comparable in size to ChaCha20 and ChaCha20
> > is not completely broken:
> > https://en.wikipedia.org/wiki/Salsa20
> >
> > Could we please replace 'brand' with ChaCha20?
>
> What is your application that you need something more complicated than
> the existing PRNG?
I do not have that currently, but it seems like a fairly small change and
it seems odd to have modern software not use modern algorithms. Git's use
of SHA1 seems to be a prime example of what can go wrong:
https://shattered.io/

If you look at the code it is really not much bigger:

#include <stdint.h>

#define ROTL(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
#define QR(a, b, c, d) ( \
    a += b, d ^= a, d = ROTL(d,16), \
    c += d, b ^= c, b = ROTL(b,12), \
    a += b, d ^= a, d = ROTL(d, 8), \
    c += d, b ^= c, b = ROTL(b, 7))
#define ROUNDS 20

/* One ChaCha20 block: 20 rounds over the 16-word state, then add the input. */
void chacha_block(uint32_t out[16], uint32_t const in[16])
{
    int i;
    uint32_t x[16];

    for (i = 0; i < 16; ++i)
        x[i] = in[i];
    // 10 loops × 2 rounds/loop = 20 rounds
    for (i = 0; i < ROUNDS; i += 2) {
        // Odd round
        QR(x[0], x[4], x[ 8], x[12]); // column 0
        QR(x[1], x[5], x[ 9], x[13]); // column 1
        QR(x[2], x[6], x[10], x[14]); // column 2
        QR(x[3], x[7], x[11], x[15]); // column 3
        // Even round
        QR(x[0], x[5], x[10], x[15]); // diagonal 1 (main diagonal)
        QR(x[1], x[6], x[11], x[12]); // diagonal 2
        QR(x[2], x[7], x[ 8], x[13]); // diagonal 3
        QR(x[3], x[4], x[ 9], x[14]); // diagonal 4
    }
    for (i = 0; i < 16; ++i)
        out[i] = x[i] + in[i];
}

Can you elaborate on why you think it is a bad idea to change an insecure
PRNG into a non-broken one?

/Ole
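The block function above is only the core; to act as a PRNG it has to be wired into a state of constants, key, block counter and nonce and the counter has to step once a block is used up. The following is an added example written for this page, not code from the thread or from bash: it reuses the posted chacha_block() and adds a small counter-mode generator (chacha_rng_init / chacha_rng_next are hypothetical names) plus a self-check against the RFC 8439 section 2.3.2 test vector (key 00..1f, nonce 00:00:00:09:00:00:00:4a:00:00:00:00, counter 1). The key is assumed to come from the OS (getrandom(2) or /dev/urandom); the generator's output is only as unpredictable as that seed.

```c
/* Added example: ChaCha20 block function from the mail wired into a
 * counter-mode generator, checked against the RFC 8439 test vector. */
#include <stdint.h>
#include <stdio.h>

#define ROTL(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
#define QR(a, b, c, d) ( \
    a += b, d ^= a, d = ROTL(d,16), \
    c += d, b ^= c, b = ROTL(b,12), \
    a += b, d ^= a, d = ROTL(d, 8), \
    c += d, b ^= c, b = ROTL(b, 7))
#define ROUNDS 20

/* Block function as posted in the thread (Wikipedia's version). */
static void chacha_block(uint32_t out[16], uint32_t const in[16])
{
    int i;
    uint32_t x[16];
    for (i = 0; i < 16; ++i) x[i] = in[i];
    for (i = 0; i < ROUNDS; i += 2) {
        QR(x[0], x[4], x[ 8], x[12]); QR(x[1], x[5], x[ 9], x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[ 8], x[13]); QR(x[3], x[4], x[ 9], x[14]);
    }
    for (i = 0; i < 16; ++i) out[i] = x[i] + in[i];
}

/* Little-endian 32-bit load; RFC 8439 loads key and nonce this way. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

typedef struct {
    uint32_t state[16];  /* "expand 32-byte k" | 8 key words | counter | 3 nonce words */
    uint32_t block[16];  /* most recently generated keystream block */
    int pos;             /* next unread word in block; 16 means exhausted */
} chacha_rng;            /* hypothetical type, not part of bash */

/* Seed the generator. key[32] must be unpredictable (OS entropy); a
 * guessable seed makes the output guessable regardless of the cipher. */
static void chacha_rng_init(chacha_rng *r, const uint8_t key[32],
                            const uint8_t nonce[12], uint32_t counter)
{
    int i;
    r->state[0] = 0x61707865; r->state[1] = 0x3320646e;
    r->state[2] = 0x79622d32; r->state[3] = 0x6b206574;
    for (i = 0; i < 8; ++i) r->state[4 + i] = le32(key + 4 * i);
    r->state[12] = counter;
    for (i = 0; i < 3; ++i) r->state[13 + i] = le32(nonce + 4 * i);
    r->pos = 16;                       /* force a block on first call */
}

/* Next 32-bit word; generates a new block and steps the counter when needed.
 * After 2^32 blocks the counter wraps and keystream would repeat: reseed first. */
static uint32_t chacha_rng_next(chacha_rng *r)
{
    if (r->pos >= 16) {
        chacha_block(r->block, r->state);
        r->state[12]++;
        r->pos = 0;
    }
    return r->block[r->pos++];
}

/* RFC 8439 section 2.3.2 inputs: key bytes 00..1f, nonce 00000009 0000004a 00000000. */
static void rfc8439_inputs(uint8_t key[32], uint8_t nonce[12])
{
    static const uint8_t n[12] = {0,0,0,9, 0,0,0,0x4a, 0,0,0,0};
    int i;
    for (i = 0; i < 32; ++i) key[i] = (uint8_t)i;
    for (i = 0; i < 12; ++i) nonce[i] = n[i];
}

/* First keystream word for the RFC inputs at the given block counter. */
static uint32_t chacha_first_word(uint32_t counter)
{
    uint8_t key[32], nonce[12];
    chacha_rng r;
    rfc8439_inputs(key, nonce);
    chacha_rng_init(&r, key, nonce, counter);
    return chacha_rng_next(&r);
}

/* Compare a full block (counter 1) with the RFC 8439 expected state. Returns 1 on match. */
static int chacha_rfc8439_selftest(void)
{
    static const uint32_t expected[16] = {
        0xe4e7f110, 0x15593bd1, 0x1fdd0f50, 0xc47120a3,
        0xc7f4d1c7, 0x0368c033, 0x9aaa2204, 0x4e6cd4c3,
        0x466482d2, 0x09aa9f07, 0x05d7c214, 0xa2028bd9,
        0xd19c12b5, 0xb94e16de, 0xe883d0cb, 0x4e3c50a2 };
    uint8_t key[32], nonce[12];
    chacha_rng r;
    int i;
    rfc8439_inputs(key, nonce);
    chacha_rng_init(&r, key, nonce, 1);
    for (i = 0; i < 16; ++i)
        if (chacha_rng_next(&r) != expected[i]) return 0;
    return 1;
}

int main(void)
{
    int ok = chacha_rfc8439_selftest();
    printf("RFC 8439 block test: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

A known-answer check like chacha_rfc8439_selftest() is the thing to keep if such code were ever merged: a transposition in the QR macro or a wrong constant still produces plausible-looking random output, and only a test vector will catch it.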