Use chacha in get_secure_random_bytes()

[danielgranhao]

Addresses #1958

[tnull]

Github won't let me get there, but note that rand_bytes_unique_start is still initialized but now unused:

https://github.com/danielgranhao/rust-lightning/blob/a512d3dda038aec465122aeae2de4844c4cacfca/lightning/src/chain/keysinterface.rs#L1020-L1023

[danielgranhao]

@tnull Thank you for your comments. Somehow I didn't notice the unused value warnings. In d3f14e7 I also removed rand_bytes_unique_start.

I'm still missing fixing the failing test ln::functional_tests::test_duplicate_payment_hash_one_failure_one_success(). I will try to look a bit more into it, but if anybody has any intuition about the problem, suggestions on what to look for would be highly appreciated!

[TheBlueMatt]

#1984 should fix it :)

[jkczyz]

I think we can avoid three vec allocations by having a fixed array and copying the bytes into it.

[danielgranhao]

Thanks! I've changed to that approach in fac7b4e.

[TheBlueMatt]

We need to hash seed in here somehow. IMO we should keep it as a hash, basically the way it was and just complete the hash rather than leaving it as an unfinished engine.

[tnull]

Yeah, was thinking we may just want to restore and use the original rand_bytes_unique_start as the ChaCha seed?

[TheBlueMatt]

Yea, restore the old code but complete the hash.

[danielgranhao]

Ok, if I understood you correctly, this is what you propose -> 6472af6

[TheBlueMatt]

You have to join these threads at the end, no?

[danielgranhao]

yep, ty! Applied in 34fa5af

[TheBlueMatt]

I think this should be a util::atomic_counter::AtomicCounter.

[danielgranhao]

Applied in 6472af6

[danielgranhao]

I've rebased to take in the changes from #1984. I've added d08d4f8 just to check that fixing test_bump_penalty_txn_on_revoked_htlcs will fix the remaining CI checks. I suppose it needs an improvement similar to the one on test_duplicate_payment_hash_one_failure_one_success.

[TheBlueMatt]

LGTM, will let tnull take a look.

[tnull]

Alright, repeated the benchmarks locally, which drew a pretty clear picture:

| Threads | Method         | Time (ns) |
|---------+----------------+-----------|
| 1       | Hashing        | 1,805,139 |
| 1       | ChaCha/Mutex   | 6,308     |
| 1       | ChaCha/Counter | 10,725    |
| 3       | Hashing        | 1,875,495 |
| 3       | ChaCha/Mutex   | 144,687   |
| 3       | ChaCha/Counter | 18,778    |
| 5       | Hashing        | 1,898,584 |
| 5       | ChaCha/Mutex   | 92,116    |
| 5       | ChaCha/Counter | 40,465    |
|---------+----------------+-----------|

I'd say if we're confident in the counter method, it is probably the way to go.

That said, I'd also be happy to with the Mutex variant, as it's more straight forward, the performance difference is really not that big and realistically the kind of lock contention simulated in the benchmark is really unlikely to happen in production. Note however that in this case we may want to throw in a Sha256 for good measure, instead of using the seed directly.

[tnull]

nit: Rather than shadowing the variable, can we maybe rename this rand_engine_unique_start?

[danielgranhao]

Sure, applied in 1456770.

[TheBlueMatt]

I'm more comfortable using the counter method - the ChaCha in-crate rolls doesn't handle chacha counter rollover, meaning it breaks at u32::MAX * 64 bytes, which, okay, we're not gonna hit, but still, the version with the counter doesn't.

[TheBlueMatt]

Please also rebase/squash the fixup commit at the end into the appropriate commit.

[tnull]

Looks good, I think I'm ACK after the tests pass.