Niels Möller nisse at
Mon Apr 15 12:19:08 UTC 2019

tg at (Torbjörn Granlund) writes:

> What do people here think, do we need SP 800-108a or is my simple
> AES_encrypt(cnt,key) good enough for GMP?

I guess you need to spell out the requirements for that question to make
sense. Why does GMP need a cryptographic PRNG?

I haven't read the NIST document (and I don't have time to do it at the
moment). You may also want to have a look at, I think it
spells out the various attack scenarios clearly.

Also, not sure AES is the best choice if you just want to run a cipher
in counter mode. E.g., Chacha (a kind-of hash function designed by djb
for use as a fast and secure stream cipher) is both faster, simpler, and
easier to implement without side channels. See


Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
