Merge pull request #277 from pitdicker/switch_stdrng

dhardy · web-flow · commit 6c666be22933 · 2018-03-03T11:04:15.000Z
Switch StdRng and thread_rng to HC-128
diff --git a/src/lib.rs b/src/lib.rs
@@ -290,12 +290,6 @@ pub use error::{ErrorKind, Error};
 #[cfg(feature="std")] pub use entropy_rng::EntropyRng;
 #[cfg(feature="std")] pub use thread_rng::{ThreadRng, thread_rng, random};
 
-// local use declarations
-#[cfg(target_pointer_width = "32")]
-use prng::IsaacRng as IsaacWordRng;
-#[cfg(target_pointer_width = "64")]
-use prng::Isaac64Rng as IsaacWordRng;
-
 use distributions::{Distribution, Uniform, Range};
 use distributions::range::SampleRange;
 
@@ -1008,16 +1002,21 @@ impl<R: SeedableRng> NewRng for R {
     }
 }
 
-/// The standard RNG. This is designed to be efficient on the current
-/// platform.
+/// The standard RNG. The PRNG algorithm in `StdRng` is choosen to be efficient
+/// on the current platform, to be statistically strong and unpredictable
+/// (meaning a cryptographically secure PRNG).
+///
+/// The current algorithm used on all platforms is [HC-128].
+///
+/// Reproducibility of output from this generator is however not required, thus
+/// future library versions may use a different internal generator with
+/// different output. Further, this generator may not be portable and can
+/// produce different output depending on the architecture. If you require
+/// reproducible output, use a named RNG, for example `ChaChaRng`.
 ///
-/// Reproducibility of output from this generator is not required, thus future
-/// library versions may use a different internal generator with different
-/// output. Further, this generator may not be portable and can produce
-/// different output depending on the architecture. If you require reproducible
-/// output, use a named RNG, for example `ChaChaRng`.
+/// [HC-128]: struct.Hc128Rng.html
 #[derive(Clone, Debug)]
-pub struct StdRng(IsaacWordRng);
+pub struct StdRng(Hc128Rng);
 
 impl RngCore for StdRng {
     fn next_u32(&mut self) -> u32 {
@@ -1038,14 +1037,14 @@ impl RngCore for StdRng {
 }
 
 impl SeedableRng for StdRng {
-    type Seed = <IsaacWordRng as SeedableRng>::Seed;
+    type Seed = <Hc128Rng as SeedableRng>::Seed;
 
     fn from_seed(seed: Self::Seed) -> Self {
-        StdRng(IsaacWordRng::from_seed(seed))
+        StdRng(Hc128Rng::from_seed(seed))
     }
 
     fn from_rng<R: Rng>(rng: &mut R) -> Result<Self, Error> {
-        IsaacWordRng::from_rng(rng).map(|rng| StdRng(rng))
+        Hc128Rng::from_rng(rng).map(|rng| StdRng(rng))
     }
 }
 
@@ -1284,25 +1283,13 @@ mod test {
     }
 
     #[test]
-    #[cfg(target_pointer_width = "32")]
-    fn test_stdrng_construction() {
-        let seed = [1,0,0,0, 23,0,0,0, 200,1,0,0, 210,30,0,0,
-                    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0];
-        let mut rng1 = StdRng::from_seed(seed);
-        assert_eq!(rng1.next_u32(), 2869442790);
-
-        let mut rng2 = StdRng::from_rng(&mut rng1).unwrap();
-        assert_eq!(rng2.next_u32(), 3094074039);
-    }
-    #[test]
-    #[cfg(target_pointer_width = "64")]
     fn test_stdrng_construction() {
         let seed = [1,0,0,0, 23,0,0,0, 200,1,0,0, 210,30,0,0,
                     0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0];
         let mut rng1 = StdRng::from_seed(seed);
-        assert_eq!(rng1.next_u64(), 14964555543728284049);
+        assert_eq!(rng1.next_u64(), 15759097995037006553);
 
         let mut rng2 = StdRng::from_rng(&mut rng1).unwrap();
-        assert_eq!(rng2.next_u64(), 919595328260451758);
+        assert_eq!(rng2.next_u64(), 6766915756997287454);
     }
 }
diff --git a/src/prng/hc128.rs b/src/prng/hc128.rs
@@ -350,7 +350,7 @@ impl RngCore for Hc128Rng {
             filled += filled_u8;
         }
 
-        let len_remainder = (dest.len() - filled) % 16;
+        let len_remainder = (dest.len() - filled) % (16 * 4);
         let len_direct = dest.len() - len_remainder;
 
         while filled < len_direct {
diff --git a/src/thread_rng.rs b/src/thread_rng.rs
@@ -17,6 +17,13 @@ use {RngCore, StdRng, SeedableRng, EntropyRng};
 use {Distribution, Uniform, Rng, Error};
 use reseeding::ReseedingRng;
 
+// Number of generated bytes after which to reseed `TreadRng`.
+//
+// The time it takes to reseed HC-128 is roughly equivalent to generating 7 KiB.
+// We pick a treshold here that is large enough to not reduce the average
+// performance too much, but also small enough to not make reseeding something
+// that basically never happens.
+const THREAD_RNG_RESEED_THRESHOLD: u64 = 32*1024*1024; // 32 MiB
 
 /// The type returned by [`thread_rng`], essentially just a reference to the
 /// PRNG in thread-local memory.
@@ -29,7 +36,6 @@ pub struct ThreadRng {
 
 thread_local!(
     static THREAD_RNG_KEY: Rc<RefCell<ReseedingRng<StdRng, EntropyRng>>> = {
-        const THREAD_RNG_RESEED_THRESHOLD: u64 = 32_768;
         let mut entropy_source = EntropyRng::new();
         let r = StdRng::from_rng(&mut entropy_source).unwrap_or_else(|err|
                 panic!("could not initialize thread_rng: {}", err));
@@ -46,21 +52,25 @@ thread_local!(
 /// `let mut rng = thread_rng();`.
 ///
 /// `ThreadRng` uses [`ReseedingRng`] wrapping a [`StdRng`] which is reseeded
-/// after generating 32KiB of random data. A single instance is cached per
+/// after generating 32 MiB of random data. A single instance is cached per
 /// thread and the returned `ThreadRng` is a reference to this instance — hence
 /// `ThreadRng` is neither `Send` nor `Sync` but is safe to use within a single
 /// thread. This RNG is seeded and reseeded via [`EntropyRng`] as required.
 /// 
 /// Note that the reseeding is done as an extra precaution against entropy
 /// leaks and is in theory unnecessary — to predict `thread_rng`'s output, an
 /// attacker would have to either determine most of the RNG's seed or internal
-/// state, or crack the algorithm used (ISAAC, which has not been proven
-/// cryptographically secure, but has no known attack despite a 20-year old
-/// challenge).
+/// state, or crack the algorithm used.
 /// 
+/// Like [`StdRng`], `ThreadRng` is a cryptographically secure PRNG. The current
+/// algorithm used is [HC-128], which is an array-based PRNG that trades memory
+/// usage for better performance. This makes it similar to ISAAC, the algorithm
+/// used in `ThreadRng` before rand 0.5.
+///
 /// [`ReseedingRng`]: reseeding/struct.ReseedingRng.html
 /// [`StdRng`]: struct.StdRng.html
 /// [`EntropyRng`]: struct.EntropyRng.html
+/// [HC-128]: struct.Hc128Rng.html
 pub fn thread_rng() -> ThreadRng {
     ThreadRng { rng: THREAD_RNG_KEY.with(|t| t.clone()) }
 }

Original file line number	Diff line number	Diff line change
`@@ -350,7 +350,7 @@ impl RngCore for Hc128Rng {`
`350`	`350`	`filled += filled_u8;`
`351`	`351`	`}`
`352`	`352`
`353`		`- let len_remainder = (dest.len() - filled) % 16;`
	`353`	`+ let len_remainder = (dest.len() - filled) % (16 * 4);`
`354`	`354`	`let len_direct = dest.len() - len_remainder;`
`355`	`355`
`356`	`356`	`while filled < len_direct {`