about summary refs log tree commit diff
path: root/absl/random/internal/randen_traits.h
diff options
context:
space:
mode:
Diffstat (limited to 'absl/random/internal/randen_traits.h')
-rw-r--r--absl/random/internal/randen_traits.h31
1 files changed, 28 insertions, 3 deletions
diff --git a/absl/random/internal/randen_traits.h b/absl/random/internal/randen_traits.h
index 2b8bbe73830e..53caa936140a 100644
--- a/absl/random/internal/randen_traits.h
+++ b/absl/random/internal/randen_traits.h
@@ -32,6 +32,25 @@ namespace random_internal {
 // 'Strong' (well-distributed, unpredictable, backtracking-resistant) random
 // generator, faster in some benchmarks than std::mt19937_64 and pcg64_c32.
 //
+// High-level summary:
+// 1) Reverie (see "A Robust and Sponge-Like PRNG with Improved Efficiency") is
+//    a sponge-like random generator that requires a cryptographic permutation.
+//    It improves upon "Provably Robust Sponge-Based PRNGs and KDFs" by
+//    achieving backtracking resistance with only one Permute() per buffer.
+//
+// 2) "Simpira v2: A Family of Efficient Permutations Using the AES Round
+//    Function" constructs up to 1024-bit permutations using an improved
+//    Generalized Feistel network with 2-round AES-128 functions. This Feistel
+//    block shuffle achieves diffusion faster and is less vulnerable to
+//    sliced-biclique attacks than the Type-2 cyclic shuffle.
+//
+// 3) "Improving the Generalized Feistel" and "New criterion for diffusion
+//    property" extends the same kind of improved Feistel block shuffle to 16
+//    branches, which enables a 2048-bit permutation.
+//
+// Combine these three ideas and also change Simpira's subround keys from
+// structured/low-entropy counters to digits of Pi (or other random source).
+
 // RandenTraits contains the basic algorithm traits, such as the size of the
 // state, seed, sponge, etc.
 struct RandenTraits {
@@ -45,17 +64,23 @@ struct RandenTraits {
   // Size of the default seed consumed by the sponge.
   static constexpr size_t kSeedBytes = kStateBytes - kCapacityBytes;
 
+  // Assuming 128-bit blocks, the number of blocks in the state.
   // Largest size for which security proofs are known.
   static constexpr size_t kFeistelBlocks = 16;
 
-  // Type-2 generalized Feistel => one round function for every two blocks.
-  static constexpr size_t kFeistelFunctions = kFeistelBlocks / 2;  // = 8
-
   // Ensures SPRP security and two full subblock diffusions.
   // Must be > 4 * log2(kFeistelBlocks).
   static constexpr size_t kFeistelRounds = 16 + 1;
+
+  // Size of the key. A 128-bit key block is used for every-other
+  // feistel block (Type-2 generalized Feistel network) in each round.
+  static constexpr size_t kKeyBytes = 16 * kFeistelRounds * kFeistelBlocks / 2;
 };
 
+// Randen key arrays. In randen_round_keys.cc
+extern const unsigned char kRandenRoundKeys[RandenTraits::kKeyBytes];
+extern const unsigned char kRandenRoundKeysBE[RandenTraits::kKeyBytes];
+
 }  // namespace random_internal
 ABSL_NAMESPACE_END
 }  // namespace absl