Re: Proposal for a non-periodic CPRNG (WARNING: CROSSPOST!)
- From: orz <cdhorz@xxxxxxxxx>
- Date: Mon, 30 Apr 2012 10:43:03 -0700 (PDT)
I replied in the other thread (the one on sci.crypt.random-numbers),
but this one seems more popular so I may as well post here too.
The gist is, there are several problems:
An infinite period doesn't actually add any value.
LFSRs with that kind of self-shrinking applied fail general purpose
statistical tests. I tested two LFSR/GFSRs of very different sizes,
with and without shrinking, on the PractRand core battery of tests:

  xorshift64
    description: a 64 bit "xorshift" LFSR from one of Marsaglia's papers
    performance without shrinking: failed after 8 MB
    performance with shrinking: failed after 32 MB

  mt19937_unhashed
    description: the Mersenne Twister GFSR, but without the
    "tempering" (aka output hashing)
    performance without shrinking: failed after 32 GB
    performance with shrinking: failed after 1 TB
Shrinking RNGs are very slow; 3 million bits per second is nothing
compared to, say, the 4 to 6 billion bits per second per core that the
high quality CSPRNG "HC-256" produces on my computer. Optimization
can help significantly, but shrinking remains slower than alternatives
no matter how much optimizing is done.
The use of a full cycle's worth of each LFSR CP produces patterns of
uniformity that allow the boundary between one CP and the next to be
detected, at least when the underlying LFSR CPs have maximal
period.
Some means of filtering out lower quality CPs is required, as some
randomly chosen CPs can be very very bad.
The linear nature of the sequence of CPs chosen creates problems if
you assume that enough output will be used to force CP changes,
particularly with respect to seeding.
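Two of the points above, the linearity of raw LFSR output (the structure that tempering/output hashing is meant to mask) and the roughly four-input-bits-per-output-bit cost of shrinking, in an added example that is not code from this post or from the proposal being discussed. It assumes Marsaglia's 13/7/17 xorshift64 variant and the classic Meier-Staffelbach self-shrinking rule; the proposal's own decimation rule is not shown on this page.

```python
"""Xorshift64 LFSR with and without self-shrinking (added illustration)."""
from typing import Callable, List

MASK64 = (1 << 64) - 1


def xorshift64_step(x: int) -> int:
    """One step of Marsaglia's 64-bit xorshift (shift triple 13, 7, 17).

    Every operation is a shift or an xor, so the step is a linear map
    over GF(2). Note the all-zero state is a fixed point: seeding with 0
    yields 0 forever, so a seed check belongs in any real use."""
    x ^= (x << 13) & MASK64
    x ^= x >> 7
    x ^= (x << 17) & MASK64
    return x


def is_gf2_linear(f: Callable[[int], int], a: int, b: int) -> bool:
    """Return True if f(a xor b) == f(a) xor f(b) for this pair of states.

    Holding for arbitrary a, b is exactly the property that lets
    rank-style statistical tests distinguish unhashed LFSR output."""
    return f(a ^ b) == f(a) ^ f(b)


def raw_bits(seed: int, nbits: int) -> List[int]:
    """Emit nbits of LFSR output, least-significant bit of each word first."""
    x = seed
    out: List[int] = []
    while len(out) < nbits:
        x = xorshift64_step(x)
        out.extend((x >> i) & 1 for i in range(64))
    return out[:nbits]


def self_shrink(bits: List[int]) -> List[int]:
    """Self-shrinking decimation (assumed Meier/Staffelbach rule):
    read bits in pairs; a leading 1 selects the second bit, a leading 0
    discards the pair. On average 4 input bits produce 1 output bit."""
    return [bits[i + 1] for i in range(0, len(bits) - 1, 2) if bits[i] == 1]


def shrink_yield(seed: int, nbits: int) -> float:
    """Output bits per consumed LFSR bit after shrinking (about 0.25)."""
    return len(self_shrink(raw_bits(seed, nbits))) / nbits
```

The yield ratio is the throughput penalty of shrinking before any constant-factor optimisation; the linearity check is why the unhashed generators in the table above fail so early.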