Torbjörn Granlund tg at
Mon Apr 15 12:22:56 UTC 2019

nisse at (Niels Möller) writes:

  I guess you need to spell out the requirements for that question to make
  sense. Why does GMP need a cryptographic PRNG?

My main goal is not to provide a PRNG for direct cryptographic use, but
rather to provide a great and efficient PRNG.

  I haven't read the NIST document (and I don't have time to do it at the
  moment). You may also want to have a look at, I think it
  spells out the various attack scenarios clearly.

Will read!

  Also, not sure AES is the best choice if you just want to run a cipher
  in counter mode. E.g., Chacha (a kind-of hash function designed by djb
  for use as a fast and secure stream cipher) is both faster, simpler, and
  easier to implement without side channels. See

Chacha is an alternative, and is surely useful when no AES acceleration
is available.  But AES might actually be (much!) faster on current x86

Please encrypt, key id 0xC8601622
