---------- Forwarded message ---------- From: Theo de Raadt Date: Wed, Sep 9, 2015 at 10:42 AM Subject: Re: getentropy, getrandom, arc4random() To: firstname.lastname@example.org
been speaking to a significant go person.
it takes data out of that buffer, and does not zero it behind itself. obviously for performance reasons.
same type of thing happens with MT-style engines. in practice, they can be would backwards. a proper stream cipher cannot be turned backwards.
however, that's just an academic observation. or maybe it indicates that well-financed groups can get it wrong too.
by the way, chacha arc4random can create random values faster than a memcpy -- the computation of fresh output is faster than doing gross-cost of "read" from memory (when cache dirtying is accounted for).