Re: [PATCH] crypto: drbg - Remove support for "prediction resistance"

[Herbert Xu]

On Tue, May 05, 2026 at 05:02:58PM -0700, Eric Biggers wrote:
> "Prediction resistance", i.e. the property that the RNG's output is
> unpredictable even after a state compromise, might sound like a nice
> property to have.  In reality, it's not very practical, as it requires
> that fresh entropy be pulled on every request.  (The normal Linux RNG
> doesn't provide prediction resistance.)  In the case of drbg.c, that
> means pulling from "jitterentropy", which is extremely slow.
> 
> For some perspective, running a simple benchmark, generating 32 random
> bytes takes the following amount of time:
> 
>     get_random_bytes(): 90 ns
>     drbg_nopr_hmac_sha512: 3707 ns
>     drbg_pr_hmac_sha512: 773082 ns
> 
> So at least in this case, the "pr" (prediction-resistant) DRBG is over
> 200 times slower than the "nopr" (non-prediction-resistant) DRBG, or
> over 8000 times slower than the normal Linux RNG.  While anyone using
> drbg.c has always had to tolerate that it's slower than the normal Linux
> RNG, the "pr" DRBG is clearly at another level of slowness.
> 
> Thus, the following is also entirely unsurprising:
> 
>   - FIPS 140-3 doesn't actually require that SP800-90A DRBG
>     implementations support prediction resistance.  The non-prediction
>     resistant DRBGs can be, and have been, certified.
> 
>   - drbg.c registers "drbg_nopr_hmac_sha512" with a higher cra_priority
>     than "drbg_pr_hmac_sha512".  So "drbg_nopr_hmac_sha512" is already
>     the one actually being used in practice.
> 
> Given these considerations, it's clear that "drbg_pr_hmac_sha512" isn't
> actually useful, and it essentially just existed as another curiosity in
> the museum of crypto algorithms.  Remove it to simplify the code.
> 
> Suggested-by: Joachim Vandersmissen <joachim@xxxxxxxxx>
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> ---
>  crypto/drbg.c    |  82 ++++++-------------
>  crypto/testmgr.c |  21 +----
>  crypto/testmgr.h | 202 -----------------------------------------------
>  3 files changed, 27 insertions(+), 278 deletions(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt