On 2020-08-07 12:03 a.m., Willy Tarreau wrote:
Just to give a heads up on this, here's what I'm having pending regarding MSWS:
struct rnd_state { uint64_t x, w; uint64_t seed; uint64_t noise; };
uint32_t msws32(struct rnd_state *state) { uint64_t x;
x = state->w += state->seed; x += state->x * state->x; x = state->x = (x >> 32) | (x << 32); x -= state->noise++; return x ^ (x >> 32);}
A few comments:
This is still another non-cryptographic PRNG. An LFSR can pass PractRand (if you do a tweak to get around the specific linear complexity test for LFSRs).
On a 64-bit machine it should be fast: 4 adds, 1 multiply, 1 rotate, 1 shift, 1 xor
This will be much slower on 32-bit machines, if that's still a concern
As long as the noise is the output of a CPRNG, this doesn't hurt the security of dev/dandom.
The noise is more like effective 32-bits since you're xoring the low and high half of the noise together (ignoring the minor details of carry bits). Which means that it's 2^32 effort to brute force this (which Amit called "no biggie for modern machines"). If the noise is the raw sample data with only a few bits of entropy, then it's even easier to brute force.
Given the uses of this, I think we really should look into a CPRNG for this and then completely reseed it periodically. The problem is finding one that's fast enough. Is there a hard instruction budget for this, or it is just "fast enough to not hurt the network benchmarks" (i.e. if Dave Miller screams)?
Marc