mirror of
https://codeberg.org/ziglang/zig.git
synced 2025-12-06 13:54:21 +00:00
dff4bbfd24
These are great permutations, and there's nothing wrong with them from a practical security perspective. However, both were competing in the NIST lightweight crypto competition. Gimli didn't pass the 3rd selection round, and is not much used in the wild besides Zig and libhydrogen. It will never be standardized and is unlikely to get more traction in the future. Xoodyak, that Xoodoo is the permutation of, was a finalist. It has a lot of advantages and *might* be standardized without NIST. But this is too early to tell, and too risky to commit to it in a standard library. For lightweight crypto, Ascon is the one that we know NIST will standardize and that we can safely rely on from a usage perspective. Switch to a traditional ChaCha-based CSPRNG, with an Ascon-based one as an option for constrained systems. Add a RNG benchmark by the way. Gimli and Xoodoo served us well. Their code will be maintained, but outside the standard library.
60 lines
1.8 KiB
Zig
60 lines
1.8 KiB
Zig
//! CSPRNG based on the Reverie construction, a permutation-based PRNG
|
|
//! with forward security, instantiated with the Ascon(128,12,8) permutation.
|
|
//!
|
|
//! Compared to ChaCha, this PRNG is has a much smaller state, and can be
|
|
//! a better choice for constrained environments.
|
|
//!
|
|
//! References:
|
|
//! - A Robust and Sponge-Like PRNG with Improved Efficiency https://eprint.iacr.org/2016/886.pdf
|
|
//! - Ascon https://ascon.iaik.tugraz.at/files/asconv12-nist.pdf
|
|
|
|
const std = @import("std");
|
|
const min = std.math.min;
|
|
const mem = std.mem;
|
|
const Random = std.rand.Random;
|
|
const Self = @This();
|
|
|
|
const Ascon = std.crypto.core.Ascon(.Little);
|
|
|
|
state: Ascon,
|
|
|
|
const rate = 16;
|
|
pub const secret_seed_length = 32;
|
|
|
|
/// The seed must be uniform, secret and `secret_seed_length` bytes long.
|
|
pub fn init(secret_seed: [secret_seed_length]u8) Self {
|
|
var self = Self{ .state = Ascon.initXof() };
|
|
self.addEntropy(&secret_seed);
|
|
return self;
|
|
}
|
|
|
|
/// Inserts entropy to refresh the internal state.
|
|
pub fn addEntropy(self: *Self, bytes: []const u8) void {
|
|
comptime std.debug.assert(secret_seed_length % rate == 0);
|
|
var i: usize = 0;
|
|
while (i + rate < bytes.len) : (i += rate) {
|
|
self.state.addBytes(bytes[i..][0..rate]);
|
|
self.state.permuteR(8);
|
|
}
|
|
if (i != bytes.len) self.state.addBytes(bytes[i..]);
|
|
self.state.permute();
|
|
}
|
|
|
|
/// Returns a `std.rand.Random` structure backed by the current RNG.
|
|
pub fn random(self: *Self) Random {
|
|
return Random.init(self, fill);
|
|
}
|
|
|
|
/// Fills the buffer with random bytes.
|
|
pub fn fill(self: *Self, buf: []u8) void {
|
|
var i: usize = 0;
|
|
while (true) {
|
|
const left = buf.len - i;
|
|
const n = min(left, rate);
|
|
self.state.extractBytes(buf[i..][0..n]);
|
|
if (left == 0) break;
|
|
self.state.permuteR(8);
|
|
i += n;
|
|
}
|
|
self.state.permuteRatchet(6, rate);
|
|
}
|