On 2020-08-07 10:43 a.m., Willy Tarreau wrote:
Which means that it's 2^32 effort to brute force this (which Amit called "no biggie for modern machines"). If the noise is the raw sample data with only a few bits of entropy, then it's even easier to brute force.
Don't you forget to multiply by another 2^32 for X being folded onto itself ? Because you have 2^32 possible values of X which will give you a single 32-bit output value for a given noise value.
If I can figure the state out once, then the only new input is the noise, so that's the only part I have to brute force. Throwing the noise in makes it more difficult to get that state once, but once I have it then this type of reseeding doesn't help.
Is there a hard instruction budget for this, or it is just "fast enough to not hurt the network benchmarks" (i.e. if Dave Miller screams)?
It's not just Davem. I too am concerned about wasting CPU cycles in fast path especially in the network code. A few half-percent gains are hardly won once in a while in this area and in some infrastructures they matter. Not much but they do.
That's why I was asking. I don't have the same experience as you for what acceptable is. I think it might be possible to do a decent CPRNG (that's at least had some cryptanalys of it) with ~20 instructions per word, but if that's not fast enough then I'll think about other options.
Marc