Support is provided on a best-effort basis only. No binding guarantees can be provided.
Rand provides the trait rand::CryptoRng as a marker trait. Generators implementing CryptoRng, and given the additional constraints that:
SeedableRng) are constructed with cryptographically secure seed values
are expected to provide the following:
For some RNGs, notably ThreadRng and those wrapped by ReseedingRng, we provide limited mitigations against side-channel attacks:
Additionally, derivations from such an RNG (including the Rng trait, implementations of the Distribution trait, and seq algorithms) should not introduce significant bias other than that expected from the operation in question (e.g. bias from a weighted distribution).
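The bias premise above is easiest to see on a toy scale. The following is an added example, not code from the Rand project: it enumerates every output of a hypothetical 4-bit generator and reduces it into the range 0..6 both by naive modulo reduction (which skews the distribution) and by rejection sampling (which does not).

```rust
// Added example (not part of the Rand project). We enumerate all 2^bits raw
// outputs of a hypothetical generator and map them into 0..n two ways, so the
// bias a careless derivation introduces can be counted exactly.

/// Histogram of `raw % n` over every raw value in 0..2^bits (naive reduction).
fn modulo_histogram(bits: u32, n: u32) -> Vec<u32> {
    let mut hist = vec![0u32; n as usize];
    for raw in 0..(1u32 << bits) {
        hist[(raw % n) as usize] += 1;
    }
    hist
}

/// Same enumeration with rejection sampling: raw values at or above the largest
/// multiple of `n` that fits in the output space are discarded (a real
/// implementation would draw a fresh value), so every residue is equally likely.
/// Returns (histogram, number of rejected raw values).
fn rejection_histogram(bits: u32, n: u32) -> (Vec<u32>, u32) {
    let space = 1u32 << bits;
    let limit = space - (space % n); // largest multiple of n that is <= 2^bits
    let mut hist = vec![0u32; n as usize];
    let mut rejected = 0u32;
    for raw in 0..space {
        if raw < limit {
            hist[(raw % n) as usize] += 1;
        } else {
            rejected += 1;
        }
    }
    (hist, rejected)
}

/// True when every bucket received the same number of raw values.
fn is_uniform(hist: &[u32]) -> bool {
    hist.iter().all(|&c| c == hist[0])
}

fn main() {
    let biased = modulo_histogram(4, 6);
    let (fair, rejected) = rejection_histogram(4, 6);
    println!("modulo:    {:?} uniform={}", biased, is_uniform(&biased));
    println!("rejection: {:?} uniform={} rejected={}", fair, is_uniform(&fair), rejected);
}
```

With 16 raw values and a range of 6, modulo reduction gives residues 0..3 three hits each and residues 4..5 only two, while rejection sampling discards four raw values and leaves every residue with exactly two.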
We will attempt to uphold these premises in the following crate versions, provided that only the latest patch version is used, and with potential exceptions for theoretical issues without a known exploit:
|0.2 - 0.5|
|0.1 - 0.2|
|0.1 - 0.2|
Explanation of exceptions:
JitterRng is used as an entropy source when the primary source fails; this source may not be secure against side-channel attacks, see #699.
thread_rng is difficult to analyse and thus cannot provide strong assertions of security.
rand version 0.3 (0.3.18 and later), if thread_rng is seeded from the system time in an insecure manner.