@@ -175,32 +175,32 @@ where
175175 }
176176}
177177
178- /// A marker trait used to indicate that an [`RngCore`] implementation is
179- /// supposed to be cryptographically secure.
180- ///
181- /// *Cryptographically secure generators*, also known as *CSPRNGs*, should
182- /// satisfy an additional properties over other generators: given the first
183- /// *k* bits of an algorithm's output
178+ /// A marker trait over [`RngCore`] for securely unpredictable RNGs
179+ ///
180+ /// This marker trait indicates that the implementing generator is intended,
181+ /// when correctly seeded and protected from side-channel attacks such as a
182+ /// leaking of state, to be a cryptographically secure generator. This trait is
183+ /// provided as a tool to aid review of cryptographic code, but does not by
184+ /// itself guarantee suitability for cryptographic applications.
185+ ///
186+ /// Implementors of `CryptoRng` automatically implement the [`TryCryptoRng`]
187+ /// trait.
188+ ///
189+ /// Implementors of `CryptoRng` should only implement [`Default`] if the
190+ /// `default()` instances are themselves secure generators: for example if the
191+ /// implementing type is a stateless interface over a secure external generator
192+ /// (like [`OsRng`]) or if the `default()` instance uses a strong, fresh seed.
193+ ///
194+ /// Formally, a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator)
195+ /// should satisfy an additional property over other generators: assuming that
196+ /// the generator has been appropriately seeded and has unknown state, then
197+ /// given the first *k* bits of an algorithm's output
184198/// sequence, it should not be possible using polynomial-time algorithms to
185199/// predict the next bit with probability significantly greater than 50%.
186200///
187- /// Some generators may satisfy an additional property, however this is not
188- /// required by this trait: if the CSPRNG's state is revealed, it should not be
189- /// computationally-feasible to reconstruct output prior to this. Some other
190- /// generators allow backwards-computation and are considered *reversible*.
191- ///
192- /// Note that this trait is provided for guidance only and cannot guarantee
193- /// suitability for cryptographic applications. In general it should only be
194- /// implemented for well-reviewed code implementing well-regarded algorithms.
195- ///
196- /// Note also that use of a `CryptoRng` does not protect against other
197- /// weaknesses such as seeding from a weak entropy source or leaking state.
198- ///
199- /// Note that implementors of [`CryptoRng`] also automatically implement
200- /// the [`TryCryptoRng`] trait.
201- ///
202- /// [`BlockRngCore`]: block::BlockRngCore
203- /// [`Infallible`]: core::convert::Infallible
201+ /// An optional property of CSPRNGs is backtracking resistance: if the CSPRNG's
202+ /// state is revealed, it will not be computationally-feasible to reconstruct
203+ /// prior output values. This property is not required by `CryptoRng`.
204204pub trait CryptoRng : RngCore { }
205205
206206impl < T : DerefMut > CryptoRng for T where T :: Target : CryptoRng { }
@@ -269,10 +269,20 @@ impl<R: RngCore> TryRngCore for R {
269269 }
270270}
271271
272- /// A marker trait used to indicate that a [`TryRngCore`] implementation is
273- /// supposed to be cryptographically secure.
272+ /// A marker trait over [`TryRngCore`] for securely unpredictable RNGs
273+ ///
274+ /// This trait is like [`CryptoRng`] but for the trait [`TryRngCore`].
275+ ///
276+ /// This marker trait indicates that the implementing generator is intended,
277+ /// when correctly seeded and protected from side-channel attacks such as a
278+ /// leaking of state, to be a cryptographically secure generator. This trait is
279+ /// provided as a tool to aid review of cryptographic code, but does not by
280+ /// itself guarantee suitability for cryptographic applications.
274281///
275- /// See [`CryptoRng`] docs for more information about cryptographically secure generators.
282+ /// Implementors of `TryCryptoRng` should only implement [`Default`] if the
283+ /// `default()` instances are themselves secure generators: for example if the
284+ /// implementing type is a stateless interface over a secure external generator
285+ /// (like [`OsRng`]) or if the `default()` instance uses a strong, fresh seed.
276286pub trait TryCryptoRng : TryRngCore { }
277287
278288impl < R : CryptoRng > TryCryptoRng for R { }
0 commit comments