An implementation of the Fortuna CSPRNG
First create a FortunaRng object using either the new_unseeded constructor or SeedableRng::from_seed. Additional entropy may be added using the method add_random_event, or the underlying RNG may be reseeded directly by SeedableRng::reseed. Note that this is not recommended, since the generator automatically reseeds itself using the data provided by add_random_event through an accumulator. The accumulator is part of Fortuna’s design and using SeedableRng::reseed directly bypasses it.
Note that the underlying block cipher is AesSafe256Encryptor, which is designed to be timing-attack resistant. The speed hit from this is in line with a “safety first” API, but be aware of it.
Fortuna was originally described in Practical Cryptography, Niels Ferguson and Bruce Schneier. John Wiley & Sons, 2003.
Comments throughout this file contain references of the form (PC 1.2.3); these refer to sections within this text.
A note on forking
Proper behaviour for a CSPRNG on a process fork is to reseed itself with the timestamp and new process ID, to ensure that after forking the child process does not share the same RNG state (and therefore the same output) as its parent.
However, this appears not to be possible in Rust, due to https://github.com/rust-lang/rust/issues/16799. The reason is that Rust’s process management all happens through its stdlib runtime, which explicitly does not support forking, so it provides no mechanism with which to detect forks.
What this means is that if you are writing forking code (using #![no_std], say) then you need to EXPLICITLY RESEED THE RNG AFTER FORKING.
Structs
- FortunaRng: The Fortuna CSPRNG (PC 9.5)
Constants
- Length in bytes that the first pool must be before a “catastrophic reseed” is allowed to happen. (A direct reseed through the SeedableRng API is not affected by this limit.)
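The following is an added, self-contained illustration (not rust-crypto's FortunaRng code) of the two things the description above relies on: the accumulator that add_random_event feeds and that a direct SeedableRng::reseed bypasses, and the pool-0 length gate behind the constant listed above. It models the pools as plain byte buffers so the scheduling from Practical Cryptography (PC 9.5.2, 9.5.6) is visible; the real design hashes the drained pools with SHA-256 into a new AES-256 key, which is left out here. The names Accumulator, simulate, NUM_POOLS and MAX_EVENT_LEN are this example's own; the 64-byte MIN_POOL_SIZE value is taken from Practical Cryptography, since the page does not state the crate's value.

```rust
// Added illustration of Fortuna's accumulator scheduling; not the crate's code.
// Pools are plain byte buffers here. The real generator hashes each drained
// pool with SHA-256 and rekeys an AES-256 CTR generator with the digest.

/// Fortuna uses 32 entropy pools (PC 9.5.2).
const NUM_POOLS: usize = 32;
/// Minimum size of pool 0 before a reseed is allowed. 64 bytes is the value
/// given in Practical Cryptography; assumed here, the page gives no number.
const MIN_POOL_SIZE: usize = 64;
/// Upper bound on the data carried by a single event (PC 9.5.6).
const MAX_EVENT_LEN: usize = 32;

struct Accumulator {
    pools: Vec<Vec<u8>>,
    /// Number of reseeds performed so far (Fortuna's ReseedCnt).
    reseed_count: u64,
}

impl Accumulator {
    fn new() -> Self {
        Accumulator { pools: vec![Vec::new(); NUM_POOLS], reseed_count: 0 }
    }

    /// AddRandomEvent(s, i, e): source `s` appends (s, len, e) to pool `i`.
    /// Callers are expected to cycle `i` through the pools per source.
    fn add_random_event(&mut self, s: u8, i: u8, e: &[u8]) {
        assert!((i as usize) < NUM_POOLS, "pool index out of range");
        assert!(!e.is_empty() && e.len() <= MAX_EVENT_LEN, "event length must be 1..=32");
        let pool = &mut self.pools[i as usize];
        pool.push(s);
        pool.push(e.len() as u8);
        pool.extend_from_slice(e);
    }

    /// A reseed is permitted only once pool 0 has collected MIN_POOL_SIZE
    /// bytes; this bounds how fast reseeds can be forced by a single source.
    fn ready_to_reseed(&self) -> bool {
        self.pools[0].len() >= MIN_POOL_SIZE
    }

    /// Pools drained by reseed number `r`: pool i takes part iff 2^i divides r,
    /// so higher pools accumulate for exponentially longer before being used.
    fn pools_for_reseed(r: u64) -> Vec<usize> {
        (0..NUM_POOLS).filter(|&i| r % (1u64 << i) == 0).collect()
    }

    /// Perform the next reseed if the gate allows it, returning the
    /// concatenated pool contents the real generator would hash into its key.
    /// A direct SeedableRng::reseed skips this entirely: pools stay untouched
    /// and the reseed counter does not advance.
    fn try_reseed(&mut self) -> Option<Vec<u8>> {
        if !self.ready_to_reseed() {
            return None;
        }
        self.reseed_count += 1;
        let mut material = Vec::new();
        for i in Self::pools_for_reseed(self.reseed_count) {
            material.append(&mut self.pools[i]); // drains pool i
        }
        Some(material)
    }
}

/// Drive one entropy source through `rounds` constructed 32-byte events,
/// cycling the pool index, and record which pools each reseed drained.
fn simulate(rounds: usize) -> (u64, Vec<Vec<usize>>) {
    let mut acc = Accumulator::new();
    let mut drained = Vec::new();
    for n in 0..rounds {
        let event = [n as u8; 32]; // constructed event data, not real entropy
        acc.add_random_event(0, (n % NUM_POOLS) as u8, &event);
        if acc.try_reseed().is_some() {
            drained.push(Accumulator::pools_for_reseed(acc.reseed_count));
        }
    }
    (acc.reseed_count, drained)
}

fn main() {
    let (count, drained) = simulate(320);
    println!("{} reseeds after 320 events", count);
    for (k, pools) in drained.iter().enumerate() {
        println!("reseed {}: drained pools {:?}", k + 1, pools);
    }
}
```

Running it shows why the gate matters: with one source spreading 34-byte records across the 32 pools, pool 0 only reaches 64 bytes every 64 events, so 320 events yield five reseeds, and pools 1 and 2 join only on the even and fourth reseeds. A direct reseed through the SeedableRng API leaves all of this untouched, which is the bypass the description warns about.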