[PATCH] member: fix PRNG seed reset in NitroSketch mode

[PATCH] member: fix PRNG seed reset in NitroSketch mode

[Dmitry Kozlyuk]

Sketch creation seeded the global PRNG
using the supplied seed for hashing.
The use of this seed by SKETCH set summary was not documented.
SKETCH set summary does not require two independent hash seeds,
unlike other set summary types.
Seeding the global PRNG at sketch creation
does not make the sketch operation deterministic:
it uses rte_rand() later, the PRNG may be seeded again by that point.
On the other hand, seeding the global PRNG with a hash seed,
is likely undesired, because it may be low-entropy or even constant.
Deterministic operation can be achieved by seeding the PRNG externally.

Remove the call to rte_srand() at sketch creation.
Document that hash seeds are not used by SKETCH set summary type.

Fixes: db354bd2e1f8 ("member: add NitroSketch mode")
Cc: leyi.rong@intel.com

Signed-off-by: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
---
 lib/member/rte_member.h        | 1 +
 lib/member/rte_member_sketch.c | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/member/rte_member.h b/lib/member/rte_member.h
index 072a253c89..d08b143e51 100644
--- a/lib/member/rte_member.h
+++ b/lib/member/rte_member.h
@@ -314,6 +314,7 @@ struct rte_member_parameters {
 	 * for bucket location.
 	 * For vBF type, these two hashes and their combinations are used as
 	 * hash locations to index the bit array.
+	 * For Sketch type, these seeds are not used.
 	 */
 	uint32_t prim_hash_seed;
 
diff --git a/lib/member/rte_member_sketch.c b/lib/member/rte_member_sketch.c
index 524ba77620..d5f35aabe9 100644
--- a/lib/member/rte_member_sketch.c
+++ b/lib/member/rte_member_sketch.c
@@ -227,7 +227,6 @@ rte_member_create_sketch(struct rte_member_setsum *ss,
 		goto error_runtime;
 	}
 
-	rte_srand(ss->prim_hash_seed);
 	for (i = 0; i < ss->num_row; i++)
 		ss->hash_seeds[i] = rte_rand();
 
-- 
2.38.4

Re: [PATCH] member: fix PRNG seed reset in NitroSketch mode

[Thomas Monjalon]

Any comment?

20/06/2023 23:17, Dmitry Kozlyuk:
> Sketch creation seeded the global PRNG
> using the supplied seed for hashing.
> The use of this seed by SKETCH set summary was not documented.
> SKETCH set summary does not require two independent hash seeds,
> unlike other set summary types.
> Seeding the global PRNG at sketch creation
> does not make the sketch operation deterministic:
> it uses rte_rand() later, the PRNG may be seeded again by that point.
> On the other hand, seeding the global PRNG with a hash seed,
> is likely undesired, because it may be low-entropy or even constant.
> Deterministic operation can be achieved by seeding the PRNG externally.
> 
> Remove the call to rte_srand() at sketch creation.
> Document that hash seeds are not used by SKETCH set summary type.
> 
> Fixes: db354bd2e1f8 ("member: add NitroSketch mode")
> Cc: leyi.rong@intel.com
> 
> Signed-off-by: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
> ---
>  lib/member/rte_member.h        | 1 +
>  lib/member/rte_member_sketch.c | 1 -
>  2 files changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/member/rte_member.h b/lib/member/rte_member.h
> index 072a253c89..d08b143e51 100644
> --- a/lib/member/rte_member.h
> +++ b/lib/member/rte_member.h
> @@ -314,6 +314,7 @@ struct rte_member_parameters {
>  	 * for bucket location.
>  	 * For vBF type, these two hashes and their combinations are used as
>  	 * hash locations to index the bit array.
> +	 * For Sketch type, these seeds are not used.
>  	 */
>  	uint32_t prim_hash_seed;
>  
> diff --git a/lib/member/rte_member_sketch.c b/lib/member/rte_member_sketch.c
> index 524ba77620..d5f35aabe9 100644
> --- a/lib/member/rte_member_sketch.c
> +++ b/lib/member/rte_member_sketch.c
> @@ -227,7 +227,6 @@ rte_member_create_sketch(struct rte_member_setsum *ss,
>  		goto error_runtime;
>  	}
>  
> -	rte_srand(ss->prim_hash_seed);
>  	for (i = 0; i < ss->num_row; i++)
>  		ss->hash_seeds[i] = rte_rand();
>  
> 

Re: [PATCH] member: fix PRNG seed reset in NitroSketch mode

[Stephen Hemminger]

On Wed, 21 Jun 2023 00:17:20 +0300
Dmitry Kozlyuk <dmitry.kozliuk@gmail.com> wrote:

> Seeding the global PRNG at sketch creation
> does not make the sketch operation deterministic:
> it uses rte_rand() later, the PRNG may be seeded again by that point.
> On the other hand, seeding the global PRNG with a hash seed,
> is likely undesired, because it may be low-entropy or even constant.
> Deterministic operation can be achieved by seeding the PRNG externally.
> 
> Remove the call to rte_srand() at sketch creation.
> Document that hash seeds are not used by SKETCH set summary type.
> 
> Fixes: db354bd2e1f8 ("member: add NitroSketch mode")
> Cc: leyi.rong@intel.com
> 
> Signed-off-by: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>

This raises a more global issue.
rte_srand() overrides the system seed which is set during startup.
This is a bad thing, it reduces the entropy in the random number generator.

There are two possible solutions to this:
1. Remove all all calls to rte_srand() and deprecate it.
2. Make rte_srand() add a fixed value to existing entropy. This is what the
   kernel PRNG does. It adds any user supplied additional entropy to original
   state.

Looking at current source.
  - code in tests seeding PRNG with TSC. This is unnecessary and can be removed.
  - this code in member library. Should be removed.

Acked-by: Stephen Hemminger <stephen@networkplumber.org>

Re: [PATCH] member: fix PRNG seed reset in NitroSketch mode

[Thomas Monjalon]

03/07/2023 17:54, Stephen Hemminger:
> On Wed, 21 Jun 2023 00:17:20 +0300
> Dmitry Kozlyuk <dmitry.kozliuk@gmail.com> wrote:
> 
> > Seeding the global PRNG at sketch creation
> > does not make the sketch operation deterministic:
> > it uses rte_rand() later, the PRNG may be seeded again by that point.
> > On the other hand, seeding the global PRNG with a hash seed,
> > is likely undesired, because it may be low-entropy or even constant.
> > Deterministic operation can be achieved by seeding the PRNG externally.
> > 
> > Remove the call to rte_srand() at sketch creation.
> > Document that hash seeds are not used by SKETCH set summary type.
> > 
> > Fixes: db354bd2e1f8 ("member: add NitroSketch mode")
> > Cc: leyi.rong@intel.com
> > 
> > Signed-off-by: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
> 
> This raises a more global issue.
> rte_srand() overrides the system seed which is set during startup.
> This is a bad thing, it reduces the entropy in the random number generator.
> 
> There are two possible solutions to this:
> 1. Remove all all calls to rte_srand() and deprecate it.
> 2. Make rte_srand() add a fixed value to existing entropy. This is what the
>    kernel PRNG does. It adds any user supplied additional entropy to original
>    state.
> 
> Looking at current source.
>   - code in tests seeding PRNG with TSC. This is unnecessary and can be removed.
>   - this code in member library. Should be removed.
> 
> Acked-by: Stephen Hemminger <stephen@networkplumber.org>

Applied, thanks.

What's next regarding rte_srand?

Re: [PATCH] member: fix PRNG seed reset in NitroSketch mode

[Stephen Hemminger]

On Thu, 06 Jul 2023 18:20:19 +0200
Thomas Monjalon <thomas@monjalon.net> wrote:

> > 
> > This raises a more global issue.
> > rte_srand() overrides the system seed which is set during startup.
> > This is a bad thing, it reduces the entropy in the random number generator.
> > 
> > There are two possible solutions to this:
> > 1. Remove all all calls to rte_srand() and deprecate it.
> > 2. Make rte_srand() add a fixed value to existing entropy. This is what the
> >    kernel PRNG does. It adds any user supplied additional entropy to original
> >    state.
> > 
> > Looking at current source.
> >   - code in tests seeding PRNG with TSC. This is unnecessary and can be removed.
> >   - this code in member library. Should be removed.
> > 
> > Acked-by: Stephen Hemminger <stephen@networkplumber.org>  
> 
> Applied, thanks.
> 
> What's next regarding rte_srand?

I am not a random number expert and the topic gets complex with tradeoffs.
How secure do you want versus how fast versus how paranoid.

OpenBSD is paranoid. Linux kernel chooses secure. Looks like DPDK is choosing fast
like FreeBSD prng.

The problem is (despite documentation) applications end up needing
a crypto-graphic secure random numbers. Examples are hash seeds or
session keys.