| author | Jack Lloyd <[email protected]> | 2017-07-31 15:12:39 -0400 |
|---|---|---|
| committer | Jack Lloyd <[email protected]> | 2017-07-31 16:45:30 -0400 |
| commit | e22c52e46f1c8b27e4fad7cb8e87ca62a2a1cb3d (patch) | |
| tree | 7b4b55e573a6b7c84304844fd23689ac487f2e41 /doc/manual/rng.rst | |
| parent | ce2deaef167fbd2073959488880b932efaf024d9 (diff) | |
Add ChaCha_RNG
Diffstat (limited to 'doc/manual/rng.rst')
| -rw-r--r-- | doc/manual/rng.rst | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/doc/manual/rng.rst b/doc/manual/rng.rst index 7d586e743..592f319fa 100644 --- a/doc/manual/rng.rst +++ b/doc/manual/rng.rst @@ -78,6 +78,19 @@ initial seed is generated either by the system PRNG (if available) or a default set of entropy sources. These are also used for periodic reseeding of the RNG state. +ChaCha_RNG +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This is a very fast userspace PRNG based on ChaCha20 and HMAC(SHA-256). The key +for ChaCha is derived by hashing entropy inputs with HMAC. Then the ChaCha +keystream generator is run, first to generate the new HMAC key (used for any +future entropy additions), then the desired RNG outputs. + +This RNG composes two primitives thought to be secure (ChaCha and HMAC) in a +simple and well studied way (the extract-then-expand paradigm), but is still an +ad-hoc and non-standard construction. It is included because it is roughly 20x +faster then HMAC_DRBG, and certain applications need access to a very fast RNG. + TPM_RNG ^^^^^^^^^^^^^^^^^ |
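Review bot: typo in the last added paragraph of the ChaCha_RNG section: "roughly 20x faster then HMAC_DRBG" should read "faster than HMAC_DRBG". In the same paragraph, the text itself describes the construction as ad-hoc and non-standard, so it would help readers to say plainly which RNG to prefer when a standardized design is required (the surrounding documentation already covers HMAC_DRBG), and to state the conditions under which the 20x figure was measured (platform, output size) so the number can be judged rather than taken on faith. Minor style point: the "^" underline added for the ChaCha_RNG heading is far longer than the title, whereas the existing TPM_RNG heading uses an underline close to the title length; matching that keeps the RST file consistent.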