PRNG in GMP

Torbjörn Granlund tg at gmplib.org
Mon Apr 15 12:22:56 UTC 2019


nisse at lysator.liu.se (Niels Möller) writes:

  I guess you need to spell out the requirements for that question to make
  sense. Why does GMP need a cryptographic PRNG?

My main goal is not to provide a PRNG for direct cryptographic use, but
rather to provide a great and efficient PRNG.

  I haven't read the NIST document (and I don't have time to do it at the
  moment). You may also want to have a look at
  https://www.schneier.com/academic/paperfiles/fortuna.pdf, I think it
  spells out the various attack scenarios clearly.

Will read!

  Also, not sure AES is the best choice if you just want to run a cipher
  in counter mode. E.g., Chacha (a kind-of hash function designed by djb
  for use as a fast and secure stream cipher) is both faster, simpler, and
  easier to implement without side channels. See
  https://en.wikipedia.org/wiki/Salsa20.

Chacha is an alternative, and is surely useful when no AES acceleration
is available.  But AES might actually be (much!) faster on current x86
hardware:

https://calomel.org/aesni_ssl_performance.html

-- 
Torbjörn
Please encrypt, key id 0xC8601622

