by nemo1618 1211 days ago
> Developers have decided to conflate actual entropy with "hard to compute," which is simply not true.

True, they are different, but there is no meaningful distinction between a value that is "truly random" and a value that can be computed with a computer larger than the universe.

> eventually, like all crypto, the method will break

It's disheartening to see this claim being made by someone who regularly works on crypto code. When it comes to symmetric encryption, the war between cryptographers and cryptanalysts is over -- and the cryptographers have won. The security margin provided by modern ciphers like ChaCha20 is so high, and attacks on them so pitiful, that there are now calls for reducing the strength of ciphers in order to increase performance without sacrificing a meaningful amount of security: https://eprint.iacr.org/2019/1492

ChaCha20 will not be broken in our lifetime; probably it will never be broken, in the sense that an attacker will be able to observe any subset of the keystream and predict the next block (which is what we need from a CSPRNG).

Anyway, given these premises (which AFAIK we both agree on):

  1) There is no "one-size-fits-all" RNG
  2) Using a PRNG instead of a CSPRNG may lead to security vulnerabilities
  3) Using a CSPRNG instead of a PRNG may lead to performance degradation

Which type of RNG should be the default (e.g. the one you get if you type 'import rng'), and which type should the programmer have to ask for specifically? That's the question at hand here.
1 comments
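Premise 2 above (a PRNG where a CSPRNG was needed) and the criterion in the same post (observe the keystream, predict the next block) can be shown concretely. The following is an added example for this discussion, not code from nemo1618 or from any project: it recovers the internal state of Python's default `random` generator (MT19937) from 624 observed 32-bit outputs and predicts what comes next, then runs the same attack against the OS CSPRNG (`secrets`, backed by `os.urandom`) where it yields nothing. The only thing assumed is CPython's `random.Random` state layout (version 3, a tuple of 624 state words plus an index, `None` for the cached Gaussian); the seed and skip count are constructed for the demonstration.

```python
"""Cloning Python's default PRNG (MT19937) from observed output.
Added example for this discussion, not code from the original post.
Assumption: CPython's random.Random state layout, i.e. version 3,
a tuple of 624 state words followed by an index, and None for gauss_next."""
import random
import secrets

MT_N = 624  # MT19937 state size in 32-bit words


def untemper(y: int) -> int:
    """Invert the MT19937 output tempering, recovering the raw state word."""
    y ^= y >> 18                               # undo y ^= y >> 18 (self-inverse)
    y ^= (y << 15) & 0xEFC60000                # undo the 15-bit step; mask bits 15-16 are clear, so one pass suffices
    x = y
    for _ in range(4):                         # undo the 7-bit step, 7 more correct bits per round
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    x = y
    for _ in range(2):                         # undo y ^= y >> 11, 11 more correct bits per round
        x = y ^ (x >> 11)
    return x & 0xFFFFFFFF


def untemper_matches_state(seed: int) -> bool:
    """Self-check: untempering one output gives the raw word CPython reports in getstate()."""
    r = random.Random(seed)
    out = r.getrandbits(32)
    return untemper(out) == r.getstate()[1][0]


def clone_mt(outputs: list[int]) -> random.Random:
    """Return a generator in the same internal state as the one that produced
    `outputs`, which must be 624 consecutive getrandbits(32) values.
    Alignment with the victim's internal block boundary does not matter: any
    624 consecutive raw words satisfy the MT recurrence, so loading them with
    the index set to 624 makes the next call regenerate exactly the victim's
    next block."""
    if len(outputs) != MT_N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    clone.setstate((3, state + (MT_N,), None))
    return clone


def predict_next(observed: list[int], count: int = 1) -> list[int]:
    """Predict the next `count` 32-bit outputs that follow `observed`."""
    clone = clone_mt(observed)
    return [clone.getrandbits(32) for _ in range(count)]


def mt_prediction_succeeds(seed: int, skip: int = 100) -> bool:
    """Premise 2: a non-cryptographic default PRNG leaks its future.
    The victim discards `skip` outputs first, so the attacker's window is not
    aligned with a block boundary (the seed and skip are constructed for the
    demo).  Returns True when the attacker's predictions match the victim's
    next five outputs."""
    victim = random.Random(seed)               # what `import random` gives you
    for _ in range(skip):
        victim.getrandbits(32)                 # outputs the attacker never saw
    observed = [victim.getrandbits(32) for _ in range(MT_N)]
    return predict_next(observed, 5) == [victim.getrandbits(32) for _ in range(5)]


def mt_attack_on_csprng_succeeds() -> bool:
    """The same recovery against the OS CSPRNG (secrets -> os.urandom): the
    "state" it reconstructs is meaningless, so the guesses do not match.
    The chance of a false match is about 2**-160."""
    observed = [secrets.randbits(32) for _ in range(MT_N)]
    return predict_next(observed, 5) == [secrets.randbits(32) for _ in range(5)]


if __name__ == "__main__":
    print("MT19937 future predicted:", mt_prediction_succeeds(0xC0FFEE))  # True
    print("CSPRNG future predicted:", mt_attack_on_csprng_succeeds())     # False
```

The point of the two functions at the end is the asymmetry: with the default generator, 624 leaked values (a few kilobytes of session tokens, nonces or "random" filenames) hand an attacker every future value; with `secrets`, the same observation buys nothing, which is exactly the property the post asks of a CSPRNG.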

>True, they are different, but there is no meaningful distinction between a value that is "truly random" and a value that can be computed with a computer larger than the universe.

Sloppy thinking and conflating different ideas are not a good way to think about computer security.

>ChaCha20 will not be broken in our lifetime; probably it will never be broken

As was said of the zillion currently broken cryptosystems, hashes, and all manner of security schemes...

> the cryptographers have won.

Is this why NIST routinely is asking for better crypto systems? Because crypto is solved?

> there are now calls for reducing the strength https://eprint.iacr.org/2019/1492

Yet followup papers often invent new methods of attack https://eprint.iacr.org/2022/695. It's almost as if theoretical advances can change the unproven-yet-assumed strength of previous methods.

>Which type of RNG should be the default (e.g. the one you get if you type 'import rng')

I already demonstrated that answer is PRNG for pretty much all widely use languages, which I agree with. There's simply no CSPRNG possible that ports over the widespread systems these languages are used for, so it's silly to continue to argue that they should default to a CSPRNG. CSPRNGs are not used by default, have never been, there is no trend to move that way I can find, all for the reasons I gave my very first reply in this thread.