Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update rand #263

Closed
wants to merge 1 commit into from
Closed

Update rand #263

wants to merge 1 commit into from

Conversation

vks
Copy link

@vks vks commented Jul 12, 2019

No description provided.

@hdevalence
Copy link
Contributor

Because the rand crate is part of our public API, and 0.6 -> 0.7 is a breaking change, we can't make this update without releasing a new major version of curve25519-dalek, and we have no plans to do that in the short- to medium- term (say, the next 6 months).

When we eventually release a 2.0.0 version of curve25519-dalek, we will consider changing the version of the rand crate we use, but for now we're sticking with the version we have.

@hdevalence hdevalence closed this Jul 12, 2019
This was referenced Jul 12, 2019
Closed
Closed
@hdevalence
Copy link
Contributor

See also #262

@Silur
Copy link

Silur commented Jul 15, 2019

The reason why so many duplicates for this issue/pr exist is that since no cryptographic rust code exists without an explicit dependency to rand, your policy is literally forcing all users of the library to use an outdated version.

@vks
Copy link
Author

vks commented Jul 16, 2019

@hdevalence What is the motivation for supporting userspace CSPRNGs? You could get rid of the dependency on rand by using the getrandom crate directly, which is similar to what ring is doing.

@burdges
Copy link
Contributor

burdges commented Jul 16, 2019

Any more complex protocols to specify some test vectors by pulling randomness from some stream cipher like ChaCha with a specified seed, so getrandom should probably not be use directly by protocol crates.

@hdevalence
Copy link
Contributor

@vks There are lots of reasons to support userspace CSPRNGs, such as the reasons @burdges mentioned, or the reasons I described on this page.

The bigger design principle is separation of concerns (apparently not a design principle for Ring, in this and other ways). The functionality of an elliptic curve library should be focused on elliptic curve operations, not on providing an RNG. These are orthogonal problems and they should be implemented orthogonally, which is why this API is designed to accept an arbitrary RNG implementation.

@Silur Thanks for the input, but nobody is "literally forcing" anybody to do anything.

@burdges
Copy link
Contributor

burdges commented Jul 27, 2019

If I understand, rand_core 0.4 to 0.5 aka rand 0.6 to 0.7 occurred largely due to adding SeedableRng::from_entropy, which calls getrandom directly. You could not simply let OsRng be a wrapper around getrandom and use SeedableRng::from_rng(OsRng)? Ok well..

@burdges
Copy link
Contributor

burdges commented Jul 29, 2019

I think rand_core v0.5 looks like nonsense rust-random/rand#854 so yeah maybe everyone should skip rand 0.7 until this gets sorted out.

@burdges
Copy link
Contributor

burdges commented Jul 29, 2019

I've no clue about rand 0.6 -> 0.7 but at least rand_core 0.4 -> 0.5 adding SeedableRng::from_entropy should probably not be considered a breaking change. I suppose this crate depends upon rand not rand_core though. Ugh.

@burdges burdges mentioned this pull request Aug 11, 2019
Open
@Silur Silur mentioned this pull request Sep 6, 2019
Closed
pinkforest added a commit to pinkforest/curve25519-dalek that referenced this pull request Jun 27, 2023
@pinkforest
Make zeroize optional (dalek-cryptography#263)
4f6b4b2 
Defaults to on
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@vks @hdevalence @Silur @burdges