[Haskell-cafe] random library

Thomas DuBuisson thomas.dubuisson at gmail.com
Wed Oct 11 14:27:15 UTC 2017


Jonathan,

The full claim is:

> As of 1July2014 this remains the fastest cryptographic RNG on hackage that has been ran against known answer tests.

Many other packaged generators are off-the-cuff inventions of the
programmer - IIRC the two designs I saw most were 1. Pick a random IV
or counter, generate some data with a block cipher, repeat and 2. Just
run a stream cipher like AES-CTR (so, no forward secrecy).  The
developers are often people whose knowledge I have faith in but the
decision is too serious to make such designs lightly.

The only package I knew of at the time that tried to implement a
standard that included KATs (unit tests) was my DRBG package w/ tests
for the Hash generator and HMAC.  In this case, the Hash generator is
notably faster than HMAC.

As for the performance of this and other generators, I did some
benchmarking now 4 years ago:
http://tommd.github.io/posts/RNG-Bench.html   N.B. I intentionally did
not discuss security in that post.  Many people want a standard, some
just don't care about forward secrecy, others won't touch RDRAND with
a ten foot pole.  All fine, but too many dimensions for me to want to
talk about in a blog post.

Cheers,
Thomas

On Tue, Oct 10, 2017 at 8:46 PM,  <jpaugh at gmx.com> wrote:
> All,
>
> Interesting library! Here's a link:
> http://hackage.haskell.org/package/DRBG-0.5.5/docs/Crypto-Random-DRBG.html
>
> Thomas,
>
> In the linked docs, there's a claim that Hash DRBG is the fastest
> cryptographically secure RNG on Hackage. Do you have a link to the benchmark
> results, or perhaps some updated ones? Unlike Viktor, I'm interested in less
> secure applications, but if the performance is good, it might be worth
> switching from the de facto random package.
>
> Thanks,
> Jonathan
>
>
> On October 10, 2017 10:23:14 PM CDT, Thomas DuBuisson
> <thomas.dubuisson at gmail.com> wrote:
>>
>> The hash drbg from the drbg package should meet your needs. Deterministic,
>> pure Haskell except the actual hash function.
>>
>> On Oct 10, 2017 8:13 PM, "Viktor Dukhovni" <ietf-dane at dukhovni.org> wrote:
>>>
>>>
>>> > On Oct 10, 2017, at 8:48 PM, Kazu Yamamoto (山本和彦) <kazu at iij.ad.jp>
>>> > wrote:
>>> >
>>> > Before the release, I would like to replace the random package since
>>> > it is slow.  I'm looking for a random library which is
>>> > - fast
>>> > - thread-safe (good for concurrent use)
>>> >
>>> > Any recommendations?
>>>
>>> Just to make it more interesting, I should mention that the RNG
>>> should be not just statistically random, but should in fact be
>>> crypto random (resist predictability through cryptanalysis when
>>> properly seeded).
>>>
>>> So indeed there are two more issues here:
>>>
>>>  - Securely seeding the RNG (likely using the OS API for
>>>    random seeds, and/or the RDSEED/RDRAND instructions on
>>>    Intel CPUs), IIRC we can get that from cryptonite, I hope
>>>    at a reasonable cost.
>>>
>>>  - Choosing a suitable DRBG based on the seed.  Likely again
>>>    something from cryptonite.
>>>
>>> Some time back I posted to the cryptography list about the
>>> soundness of relying on RDRAND in cryptonite's RNG (uses
>>> it instead of /dev/urandom and the like when available).
>>> The rough consensus IIRC was not to rely solely on RDRAND.
>>> I never went back to write a PR to address that...
>>>
>>>
>>> http://www.metzdowd.com/pipermail/cryptography/2016-November/thread.html#30859
>>>
>>> --
>>>         Viktor.
>>>
>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
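
The forward-secrecy point in Thomas's reply (a fixed-key counter-mode stream versus a generator that updates its state), as an added example that is not part of the thread or of the DRBG package. SHA-256 stands in for the AES block function, and the class names and the ratchet construction are illustrative assumptions, not the SP 800-90A Hash_DRBG.

```python
import hashlib

def prf(key: bytes, counter: int) -> bytes:
    # Assumption: SHA-256(key || counter) stands in for one AES-CTR block,
    # because the Python standard library has no AES.
    return hashlib.sha256(key + counter.to_bytes(16, "big")).digest()

class CtrGenerator:
    """Fixed key plus running counter (design 2 in the message)."""
    def __init__(self, seed: bytes):
        self.key = hashlib.sha256(b"key" + seed).digest()
        self.counter = 0

    def generate(self, nblocks: int) -> bytes:
        out = b"".join(prf(self.key, self.counter + i) for i in range(nblocks))
        self.counter += nblocks  # the key never changes
        return out

class RatchetGenerator:
    """Hypothetical ratchet: each request overwrites the key with block 0."""
    def __init__(self, seed: bytes):
        self.key = hashlib.sha256(b"key" + seed).digest()

    def generate(self, nblocks: int) -> bytes:
        blocks = [prf(self.key, i) for i in range(nblocks + 1)]
        self.key = blocks[0]  # one-way update; the old key is gone
        return b"".join(blocks[1:])

def replay(key: bytes, start: int, nblocks: int) -> bytes:
    """Blocks that a holder of a captured key can recompute."""
    return b"".join(prf(key, start + i) for i in range(nblocks))

def demo():
    seed = b"constructed seed, not real entropy"
    ctr, rat = CtrGenerator(seed), RatchetGenerator(seed)
    old_ctr, old_rat = ctr.generate(4), rat.generate(4)
    # The state is captured only AFTER those outputs were produced.
    ctr_exposed = replay(ctr.key, ctr.counter - 4, 4) == old_ctr
    rat_exposed = replay(rat.key, 1, 4) == old_rat
    return ctr_exposed, rat_exposed

if __name__ == "__main__":
    print(demo())
```

`demo()` reports, for each design, whether output produced before the state capture can be recomputed from the captured state.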

