[Cryptech Tech] fyi: pcg-random.org: A Family of Better Random Number Generator

[Bernd Paysan]

Am Mittwoch, 18. Februar 2015, 09:03:22 schrieb Joachim Strömbergson:
> Aloha!
> 
> Warren Kumari wrote:
> > I guess I'm easily amused, but I found the Party Tricks section
> > entertaining: http://www.pcg-random.org/party-tricks.html
> > 
> > This has sufficiently entertained me that I'll go read the paper...
> 
> Very cool party tricks.
> Their pros and cons of algorithms could be discussed though. I would say
> slighly biased towards their own algorithm. I'm also surprised they
> didn't include AES-CTR.
> 
> The notion that ChaCha20 would be slow is imho outright wrong. It is
> slower that some of the others, esp on non 64-bit machines. But you can
> still generate multiple GBps data with ChaCha20 on a modern machine
> which cannot be claimed to be slow.
> 
> Also, I would bet that Bernd would have loved to have the Keccak RNG
> construction in the comparison.

If they think ChaCha20 is too slow, Keccak RNG would be "too slow", too. 
According to that paper here, you can pass these typical tests with a reduced 
round count of 4 (instead of 24, Blake (ChaCha-based) with a round count of 2 
(instead of 14), and Skein with 9 instead of 72:

http://www.arpapress.com/Volumes/Vol15Issue2/IJRRAS_15_2_15.pdf

I.e. if you don't need a security margin, you can get a factor 6 to 8 more 
performance while still passing those typical PRNG tests, depending on which 
SHA-3 finalist you base your fast, not-very-secure PRNG on.

Keccak as PRNG in squeeze mode has a somewhat weird characteristic that 
there's a cyclic attractor with a period of ~2^(n/2) for n bits state (i.e. 
2^800), and that most randomly seeded starting points sooner or later 
(typically after 2^800 steps) get into that cycle.  This is weird for a PRNG, 
but expected for a random oracle, due to internal colission.

I like Keccak as secure PRNG, because

* you can reseed anytime you want, any amount of entropy you have (even small 
chunks), and reseeding does not throw away the old entropy
* When you squeeze, the entire internal state changes with each round, so side 
channel attacks are very likely to be unsuccessful
* Keccak as crypto primitive can be used for hashing and AEAD crypto, too.

You can use Keccak as PRNG in hash mode, hashing seed+counter.  That's a mode 
of operation like ChaCha.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*