search

rust-random / rngs

Extra RNGs
Other
41 stars 27 forks source link

Clarification needed on rand_hc implementation of HC-128 #55

Open m0xsec opened 4 months ago

m0xsec commented 4 months ago

Background:

The latest version of the docs indicate the following:

This implementation is not based on the version of HC-128 submitted to the eSTREAM contest, but on a later version by the author with a few small improvements from December 15, 20094.

The footnote in the docs link to this reference that no longer exists - https://www.ntu.edu.sg/home/wuhj/research/hc/index.html

However, using the Internet Archive, we can see the page, with the last modified date of December 15, 2009 - https://web.archive.org/web/20110527154230/https://www.ntu.edu.sg/home/wuhj/research/hc/index.html

This webpage is general and does not directly outline said "small improvements" by the author of HC-128.

Concern:

The current docs do not transparently reflect which version of HC-128 is implemented in rand_rc. The Rust Random book specifically mentions that HC-128 is recommended by eSTREAM, though this crate is using an implementation that is NOT recommended by eSTREAM.

This creates a false sense of security for those who may be relying on the guarantees and analysis that the eSTREAM project provided. eSTREAM did not provide analysis/review/approval/recommendation of the "small improvements" version that is vaguely referenced in the docs for rand_rc.

Because of this, the docs need to better reflect which implementation is being used and MUST be very clear that the recommendation by eSTREAM is misleading. I do not believe that the cryptanalysis of HC-128 as it relates to eSTREAM can be assumed to be valid for this optimized version with "small improvements".

vks commented 4 months ago

I think we can just remove HC-128 from the table, we are not using or recommending it anymore.

m0xsec commented 4 months ago

I think we can just remove HC-128 from the table, we are not using or recommending it anymore.

Would this change just apply to the docs or are you suggesting removing HC-128 / the rand_rc codebase as well? Also, I am curious why its not being recommended anymore - any info you can point me to regarding that change?

dhardy commented 4 months ago

Only that we no longer use it as StdRng, so no longer need it in that sense.

I haven't looked into this in a long while, but it may be useful to continue maintaining this? That said, assistance with maintainance is always appreciated.

m0xsec commented 4 months ago

I would advocate for maintaining HC-128 as I believe it is still relevant. I do think this requires a review of the documentation and the implementation so it is clear what version of HC-128 is being provided. I can take a stab at trying to piece that together if it isn't readily available given how long its been.

dhardy commented 4 months ago

I can take a stab at trying to piece that together if it isn't readily available given how long its been.

Please do!