Random number generator enhancements for Linux 5.17 and 5.18
by Jason A. Donenfeld (zx2c4 <https://www.zx2c4.com/>), 2022-03-18
The random number generator has undergone a few important changes for Linux 5.17 and 5.18, in an attempt to modernize both the code and the cryptography used. The smaller part of these will be released with 5.17 on Sunday, while the larger part will be merged into 5.18 on Monday, which should receive its first release candidate in a few weeks and a release in a few months.
As I wrote to Linus
...
In a similar vein, the interrupt entropy accumulator has been reworked in random: use SipHash as interrupt entropy accumulator <https://git.kernel.org/crng/random/c/f5eab0e2db4f>
...
siphash_state_t irq_state = siphash_init(key={0, 0, 0, 0});
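As an added illustration (not the kernel's code and not from the original post), this is the SipHash state kept alive as a running accumulator and fed 64-bit words, the construction the commit title refers to, initialised with the all-zero key quoted above. The per-interrupt inputs (cycle counter, jiffies, return address) are constructed samples, and which words the kernel actually mixes per interrupt is an assumption here; the standard SipHash-2-4 test vector (key 00..0f, empty message) exercises the same rounds, since an empty message absorbs exactly one zero word.

```python
MASK64 = (1 << 64) - 1

def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64

def _sipround(v0, v1, v2, v3):
    # One SipRound, as in the SipHash specification
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13) ^ v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16) ^ v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21) ^ v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17) ^ v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3

class SipHashAccumulator:
    """SipHash state kept alive across calls: each absorbed 64-bit word runs
    through c compression rounds and the state carries forward, so a digest
    read out later depends on every word absorbed so far."""
    def __init__(self, k0=0, k1=0, c=2, d=4):
        # Key (0, 0) mirrors siphash_init(key={0, 0, 0, 0}) quoted above.
        self.v = (k0 ^ 0x736f6d6570736575, k1 ^ 0x646f72616e646f6d,
                  k0 ^ 0x6c7967656e657261, k1 ^ 0x7465646279746573)
        self.c, self.d = c, d

    def absorb(self, word):
        word &= MASK64
        v0, v1, v2, v3 = self.v
        v3 ^= word
        for _ in range(self.c):
            v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        self.v = (v0 ^ word, v1, v2, v3)
        return self

    def digest(self):
        # Finalize a copy so the running state keeps accumulating afterwards.
        v0, v1, v2, v3 = self.v
        v2 ^= 0xff
        for _ in range(self.d):
            v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        return v0 ^ v1 ^ v2 ^ v3

def accumulate_interrupts(samples):
    """Feed constructed (cycle counter, jiffies, return address) samples into
    an unkeyed accumulator, one 64-bit word at a time, and read out a digest.
    Which values the kernel mixes per interrupt is assumed here, not quoted."""
    acc = SipHashAccumulator()
    for cycles, jiffies, ip in samples:
        acc.absorb(cycles ^ jiffies)
        acc.absorb(ip)
    return acc.digest()
```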
I find this decision strange and worrying. SipHash was not designed for entropy condensation. It is not a cryptographic hash, but was designed to have one cryptographic strength: it was designed to be used with a strong random secret key. The design objective was that an enemy knowing some hashes of some values cannot predict other hashes of other values. There is no reason to expect that it is a useful and effective entropy condenser. That was not the design objective. A non-cryptographic hash designed around criteria related to bit diffusion and order transformation would have been better.