PRNG i GMP
Niels Möller
nisse at lysator.liu.se
Mon Apr 15 12:19:08 UTC 2019
tg at gmplib.org (Torbjörn Granlund) writes:
> What do people here think, do we need SP 800-108a or is my simple
> AES_encrypt(cnt,key) good enough for GMP?
I guess you need to spell out the requirements for that question to make
sense. Why does GMP need a cryptographic PRNG?
I haven't read the NIST document (and I don't have time to do it at the
moment). You may also want to have a look at
https://www.schneier.com/academic/paperfiles/fortuna.pdf, I think it
spells out the various attack scenarios clearly.
Also, not sure AES is the best choice if you just want to run a cipher
in counter mode. E.g., Chacha (a kind-of hash function designed by djb
for use as a fast and secure stream cipher) is both faster, simpler, and
easier to implement without side channels. See
https://en.wikipedia.org/wiki/Salsa20.
Regards,
/Niels
--
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
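The "cipher in counter mode" construction discussed in the message, written out as an added example in C (this is not GMP's code, nor anything posted in the thread). It uses the ChaCha20 block function as specified in RFC 8439 and wraps it in a small counter-mode generator; the names chacha20_block, ctr_prng, ctr_prng_init, ctr_prng_bytes and chacha20_selftest are my own. The self-test compares block 1 under the RFC 8439 section 2.3.2 key and nonce against the published state words.

```c
/* Added example (not GMP's code, nor Niels's): a deterministic PRNG built by
 * running the ChaCha20 block function in counter mode. The block function
 * follows RFC 8439; the function and type names here are my own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
/* Quarter round: add, xor, rotate only; no data-dependent memory access. */
#define QR(a, b, c, d)                                   \
    do { a += b; d ^= a; d = ROTL32(d, 16);              \
         c += d; b ^= c; b = ROTL32(b, 12);              \
         a += b; d ^= a; d = ROTL32(d, 8);               \
         c += d; b ^= c; b = ROTL32(b, 7); } while (0)

static uint32_t load32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void store32_le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* One 64-byte keystream block for (key, nonce, block counter). */
void chacha20_block(const uint8_t key[32], const uint8_t nonce[12],
                    uint32_t counter, uint8_t out[64])
{
    static const char sigma[] = "expand 32-byte k";
    uint32_t in[16], x[16]; int i;

    for (i = 0; i < 4; i++) in[i] = load32_le((const uint8_t *)sigma + 4 * i);
    for (i = 0; i < 8; i++) in[4 + i] = load32_le(key + 4 * i);
    in[12] = counter;
    for (i = 0; i < 3; i++) in[13 + i] = load32_le(nonce + 4 * i);
    memcpy(x, in, sizeof x);
    for (i = 0; i < 10; i++) {             /* 20 rounds = 10 double rounds */
        QR(x[0], x[4], x[8],  x[12]); QR(x[1], x[5], x[9],  x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8],  x[13]); QR(x[3], x[4], x[9],  x[14]);
    }
    for (i = 0; i < 16; i++) store32_le(out + 4 * i, x[i] + in[i]);
}

/* Counter-mode PRNG: (key, nonce) is the seed, the block counter advances
 * once per 64 bytes. The seed must come from a real entropy source for the
 * output to be unpredictable; a fixed seed gives a reproducible stream. */
typedef struct {
    uint8_t key[32], nonce[12], buf[64];
    uint32_t counter;
    size_t avail;                          /* unread bytes at the end of buf */
} ctr_prng;

void ctr_prng_init(ctr_prng *p, const uint8_t seed[32], const uint8_t nonce[12])
{
    memcpy(p->key, seed, 32);
    memcpy(p->nonce, nonce, 12);
    p->counter = 0; p->avail = 0;
}

void ctr_prng_bytes(ctr_prng *p, uint8_t *dst, size_t n)
{
    while (n > 0) {
        size_t take;
        if (p->avail == 0) {               /* refill from the next block */
            chacha20_block(p->key, p->nonce, p->counter++, p->buf);
            p->avail = 64;
        }
        take = n < p->avail ? n : p->avail;
        memcpy(dst, p->buf + (64 - p->avail), take);
        p->avail -= take; dst += take; n -= take;
    }
}

/* Returns 1 if block 1 under the RFC 8439 section 2.3.2 key and nonce
 * matches the published state words, directly and through the PRNG. */
int chacha20_selftest(void)
{
    static const uint32_t expect[16] = {
        0xe4e7f110, 0x15593bd1, 0x1fdd0f50, 0xc47120a3,
        0xc7f4d1c7, 0x0368c033, 0x9aaa2204, 0x4e6cd4c3,
        0x466482d2, 0x09aa9f07, 0x05d7c214, 0xa2028bd9,
        0xd19c12b5, 0xb94e16de, 0xe883d0cb, 0x4e3c50a2 };
    static const uint8_t nonce[12] = { 0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0 };
    uint8_t key[32], direct[64], skip[64], a[10], b[54];
    ctr_prng p; int i;

    for (i = 0; i < 32; i++) key[i] = (uint8_t)i;
    chacha20_block(key, nonce, 1, direct);
    for (i = 0; i < 16; i++)
        if (load32_le(direct + 4 * i) != expect[i]) return 0;
    ctr_prng_init(&p, key, nonce);
    ctr_prng_bytes(&p, skip, 64);          /* block 0 */
    ctr_prng_bytes(&p, a, 10);             /* block 1, split over two calls */
    ctr_prng_bytes(&p, b, 54);
    return memcmp(a, direct, 10) == 0 && memcmp(b, direct + 10, 54) == 0 &&
           memcmp(skip, direct, 64) != 0;
}
```

The point of the example is the one made in the message: the whole generator is additions, XORs and rotations over a fixed-size state, with no key- or data-dependent table lookups, so a straightforward implementation has no cache-timing channel to worry about. What it does not give you is recovery from a compromised seed or reseeding over time; those are the questions the Fortuna paper linked above is about, and they apply equally to an AES-CTR construction.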