rust-random / book

The Rust Rand Book

Claim about obsolescence of non-crypto PRNGs #20

Closed vigna closed 4 years ago

vigna commented 4 years ago

In the book, there's the statement "since we now have fast cryptographic generators, some people argue that the non-cryptographic ones are now obsolete".

I think this should at least be circumstantiated carefully. Like, restricting the statement to programming languages in the large on significantly powerful hardware.

If you're programming a small embedded system with multiple threads, you certainly cannot spend hundreds of bits for a CSPRNG, and not even the electricity for generating data: we tend to overlook these problems, but not every computation needing randomness happens in a large box with an unlimited supply of electrical power. The same holds for embedded microprocessors. And if you're running in a language like go in which you can have hundreds of thousands of lightweight threads, you don't wanna pollute your cache with millions of bits from PRNGs.

I agree that in a large number of situations today you can go for crypto—as I state in my page on PRNGs, with dedicated hardware and a bit of vectorization you can stream AES in about 1.2ns/64bit, which is more than fast enough for every application. But, with dedicated hardware and unlimited power.

If you consider randen, Google's crypto super-fast generator, with full hardware support it is still 10 times slower, say, than a vectorized xoshiro256++. I think the gap is too large to claim that standard PRNGs are of no use.

dhardy commented 4 years ago

Full quote, which certainly does not state that "standard PRNGs are of no use":

The goal of regular, non-cryptographic PRNGs is usually to find a good balance between simplicity, quality, memory usage and performance. Non-cryptographic generators pre-date cryptographic ones and since we now have fast cryptographic generators, some people argue that the non-cryptographic ones are now obsolete. They can however have some advantages: small state size, fast initialisation and simplicity (though this is not true of all non-crypto PRNGs; e.g. the Mersenne Twister has a large state despite being easy to predict).

The bit about embedded CPUs without hardware AES is a decent point, but note that Google now provides support for full-disk encryption via ChaCha12 (see this article), so even without hardware support fast crypto generators are available.
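
The two generators named in this thread, xoshiro256++ (vigna's comment above) and ChaCha12 (dhardy's reply), differ in exactly the dimension the book quote lists first: state size. The following is an added example, not code from the Rand book, from rust-random, or from either commenter. It implements both generators from their public specifications so the footprint and the seeding requirements can be inspected side by side; the struct names, the `rounds` parameter and the constructed key in `main` are this example's own choices. The splitmix64 seeder is the one the xoshiro authors recommend for filling the state from a single 64-bit seed.

```rust
// Added example: minimal xoshiro256++ and ChaCha written from their public
// specifications, to compare the state sizes the thread argues about.
use std::mem::size_of;

// splitmix64: the seeding routine the xoshiro authors recommend for expanding
// one 64-bit seed into the generator's 256-bit state.
fn splitmix64(x: &mut u64) -> u64 {
    *x = x.wrapping_add(0x9e37_79b9_7f4a_7c15);
    let mut z = *x;
    z = (z ^ (z >> 30)).wrapping_mul(0xbf58_476d_1ce4_e5b9);
    z = (z ^ (z >> 27)).wrapping_mul(0x94d0_49bb_1331_11eb);
    z ^ (z >> 31)
}

/// xoshiro256++: the whole state is four u64 words (256 bits); no key, no counter.
pub struct Xoshiro256PlusPlus {
    s: [u64; 4],
}

impl Xoshiro256PlusPlus {
    /// Seeding through splitmix64 keeps the generator away from the all-zero
    /// state, the one fixed point xoshiro must never be started from.
    pub fn from_seed(seed: u64) -> Self {
        let mut x = seed;
        let s = [splitmix64(&mut x), splitmix64(&mut x), splitmix64(&mut x), splitmix64(&mut x)];
        Self { s }
    }

    pub fn next_u64(&mut self) -> u64 {
        let s = &mut self.s;
        let result = s[0].wrapping_add(s[3]).rotate_left(23).wrapping_add(s[0]);
        let t = s[1] << 17;
        s[2] ^= s[0];
        s[3] ^= s[1];
        s[1] ^= s[2];
        s[0] ^= s[3];
        s[2] ^= t;
        s[3] = s[3].rotate_left(45);
        result
    }
}

// ChaCha quarter round: add, xor, rotate over four of the sixteen state words.
fn quarter_round(x: &mut [u32; 16], a: usize, b: usize, c: usize, d: usize) {
    x[a] = x[a].wrapping_add(x[b]); x[d] ^= x[a]; x[d] = x[d].rotate_left(16);
    x[c] = x[c].wrapping_add(x[d]); x[b] ^= x[c]; x[b] = x[b].rotate_left(12);
    x[a] = x[a].wrapping_add(x[b]); x[d] ^= x[a]; x[d] = x[d].rotate_left(8);
    x[c] = x[c].wrapping_add(x[d]); x[b] ^= x[c]; x[b] = x[b].rotate_left(7);
}

/// ChaCha keystream generator (original 64-bit counter / 64-bit nonce layout).
/// State is sixteen u32 words (512 bits): 128 constant, 256 key, 64 counter,
/// 64 nonce. `rounds` is 12 for ChaCha12 and 20 for ChaCha20.
pub struct ChaCha {
    state: [u32; 16],
    rounds: usize,
}

impl ChaCha {
    pub fn new(key: [u32; 8], nonce: [u32; 2], rounds: usize) -> Self {
        let mut state = [0u32; 16];
        state[0..4].copy_from_slice(&[0x6170_7865, 0x3320_646e, 0x7962_2d32, 0x6b20_6574]);
        state[4..12].copy_from_slice(&key);
        state[14..16].copy_from_slice(&nonce); // words 12 and 13 hold the block counter
        Self { state, rounds }
    }

    /// One 64-byte block of keystream; advances the 64-bit block counter.
    pub fn next_block(&mut self) -> [u32; 16] {
        let mut x = self.state;
        for _ in 0..self.rounds / 2 {
            quarter_round(&mut x, 0, 4, 8, 12);  // column rounds
            quarter_round(&mut x, 1, 5, 9, 13);
            quarter_round(&mut x, 2, 6, 10, 14);
            quarter_round(&mut x, 3, 7, 11, 15);
            quarter_round(&mut x, 0, 5, 10, 15); // diagonal rounds
            quarter_round(&mut x, 1, 6, 11, 12);
            quarter_round(&mut x, 2, 7, 8, 13);
            quarter_round(&mut x, 3, 4, 9, 14);
        }
        for (out, init) in x.iter_mut().zip(self.state.iter()) {
            *out = out.wrapping_add(*init);
        }
        self.state[12] = self.state[12].wrapping_add(1);
        if self.state[12] == 0 {
            self.state[13] = self.state[13].wrapping_add(1);
        }
        x
    }
}

/// (xoshiro256++ state, ChaCha state) in bytes: 32 vs 64.
pub fn state_sizes() -> (usize, usize) {
    (size_of::<[u64; 4]>(), size_of::<[u32; 16]>())
}

fn main() {
    let (xo, cc) = state_sizes();
    println!("xoshiro256++ state: {xo} bytes, ChaCha state: {cc} bytes");
    let mut fast = Xoshiro256PlusPlus::from_seed(2020);
    let mut csprng = ChaCha::new([0x0101_0101; 8], [0; 2], 12); // constructed key, not a real one
    println!("xoshiro: {:#018x}  chacha12: {:#010x}", fast.next_u64(), csprng.next_block()[0]);
}
```

The ChaCha struct here carries a 64-byte state plus a round count, against 32 bytes for xoshiro256++; per-generator overhead in a runtime with very many lightweight threads is what the cache argument above is about, while ChaCha's key/counter/nonce structure is what lets it be seeded from a proper entropy source and run without hardware AES. With `rounds = 20` and an all-zero key, nonce and counter the block function reproduces the standard ChaCha20 keystream test vector, which is the quickest check that the round structure is right.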

vigna commented 4 years ago

Are you really claiming that "are now obsolete" is completely different from "are of no use"?

I think I'm withdrawing all my comments. Go ahead. 😂

dhardy commented 4 years ago

No?

I think it's valid to make a statement like "some people argue that ... are now obsolete, however ..."?