ChaCha20 as optional ThreadRng algorithm

[zairly]

Background

What is your motivation?

• ChaCha12 is the current algorithm for ThreadRng, and there’s no simple way to change it, while keeping all the nice thread-local ergonomics, auto reseeding, and a feature rich API.
• ChaCha20 is the IETF standard, more future-proof algorithm. It provides better security margin at the cost of slightly worse performance. For vast majority of programs, it’s overkill. But for security-sensitive programs and for peace of mind, it can be worth it.

What type of application is this? (E.g. cryptography, game, numerical simulation)
Cryptography

Feature request

Add a simple way to switch to ChaCha20 as the default ThreadRng algorithm.

This could be done with an opt-in feature flag, that, when enabled, would change the underlying ThreadRng algorithm to ChaCha20.

It could be implemented without any breaking changes. The API would stay the same, except it’d just use the other algorithm internally.

println!("{}", rng().random_range(0..100));
            // ^^^^^ uses ChaCha20 if explicitly enabled;
            //       otherwise still uses ChaCha12

Happy to make a PR if this looks good.

[dhardy]

Does #932 suffice to change your opinion on this?

[dhardy]

I don't believe feature flags are a good solution here: we cannot simultaneously claim that ThreadRng is unpredictable and provide a feature for a "more secure alternative, for peace of mind".

If there were any issue with ChaCha12, there is little reason to believe that ChaCha20 would be any better: it is based on the same design.

If you have evidence of unsuitability of ChaCha12 please provide it. (If you wish to use a more private channel, that can be arranged, the easiest being use of the "Security" tab above.)

Note also the documentation on ThreadRng security.