Investigate/implement Randen RNG

[dhardy]

The Randen RNG is supposed to be secure, very fast, relatively small state (apparently 264 bytes) and backtracking resistant, which could make it a good candidate for ThreadRng.

It would of course be preferable to have a Rust implementation.

We should further investigate the security claims before use.

[pitdicker]

On the negative side, it is very new, the paper is even not yet published, it is only fast with hardware support, and I suppose it needs a couple of years to build up trust in it.

Maybe we should hold off on getting exited.

[vks]

According to a Reddit comment, it works for most hardware that is less than 10 years old.

[dhardy]

To quote another Redditor:

You're recommending that a cryptographic component be added that appears to have very little review done so far. Like, for example, the original version Simpira permutation had to be substantially revised because an attack was found, and Randen doesn't even use Simpira v2 directly, but a modification thereof to double the permutation size to 2,048 bits.

I think the word here is "premature."

Without much security review I don't think it has a lot of use to us (even if it is fast), so opening this is premature I guess.

[vks]

If it is faster than PCG and similar, it is still interesting as a non-CSPRNG!

[dhardy]

Yes, but with the caveat that it is more complicated to implement and has certain hardware dependencies. I'm not saying we won't consider including an implementation in Rand (it's definitely interesting), but it's not of particular interest (and we have too many open issues).

[vks]

Agreed, this issue is kind of a duplicate of #299 anyway.