Add CryptoRng marker trait to ChaChaXCore

[coltfred]

Fixes #943.

[bjorn3]

$ChaChaXRng does implement CryptoRng.

[coltfred]

Yes, I k ow that. You cannot use that struct with ReseedingRng though. If you want to make a reseeding chacha rng you cannot make one that implements CryptoRng today. You could do this in Rand 0.6.

…

On Sat, Mar 7, 2020, 1:15 PM bjorn3 ***@***.***> wrote: $ChaChaXRng does implement CryptoRng. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#944?email_source=notifications&email_token=AAEPMN2SO7FC35XO32O4CI3RGKTN5A5CNFSM4LDSAKG2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEOEENSQ#issuecomment-596133578>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAEPMN6YGLKFI56EZNQTHSDRGKTN5ANCNFSM4LDSAKGQ> .

[dhardy]

I think it would make sense to implement this only for the 12-round+ versions (i.e. not ChaCha8Rng / Core). @newpavlov do you agree?

[coltfred]

#932 points out that even chacha8 is secure, but it doesn't matter to me. If chacha8rng has it, the core should as well. Maybe removing those in 0.8? Seems like with reseeding, based on that paper, chacha8 would be satisfactory?

…

On Sun, Mar 8, 2020, 8:05 AM Diggory Hardy ***@***.***> wrote: I think it would make sense to implement this only for the 12-round+ versions (i.e. not ChaCha8Rng / Core). @newpavlov <https://github.com/newpavlov> do you agree? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#944?email_source=notifications&email_token=AAEPMN647EL7CP6O3ME6YDTRGOQZBA5CNFSM4LDSAKG2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEOEW4OI#issuecomment-596209209>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAEPMNYIQ64Z3NZMDFVIABLRGOQZBANCNFSM4LDSAKGQ> .

[dhardy]

As far as I know, ChaCha8 is secure (i.e. unbroken today). That is not the same as being recommended for use in cryptography: it has only a low margin of security. @tarcieri may like to comment, but IMO we shouldn't recommend ChaCha8 for cryptography, which is roughly what CryptoRng is for.

[tarcieri]

The "Too Much Crypto" paper recommended it, but it is debatable. (FWIW, the paper's author also co-authored the paper with the best known attack on ChaCha*)

The best known attack reduces ChaCha7 from 256-bits symmetric security to ~247-bits.

There are no known attacks against ChaCha8. Personally I think it's ok to consider it a CryptoRng.

[dhardy]

Fair enough. In that case, I approve this PR.