PRNG i GMP
Torbjörn Granlund
tg at gmplib.org
Mon Apr 15 12:22:56 UTC 2019
nisse at lysator.liu.se (Niels Möller) writes:
> I guess you need to spell out the requirements for that question to make
> sense. Why does GMP need a cryptographic PRNG?
My main goal is not to provide a PRNG for direct cryptographic use, but
rather to provide a great and efficient PRNG.
> I haven't read the NIST document (and I don't have time to do it at the
> moment). You may also want to have a look at
> https://www.schneier.com/academic/paperfiles/fortuna.pdf, I think it
> spells out the various attack scenarios clearly.
Will read!
> Also, not sure AES is the best choice if you just want to run a cipher
> in counter mode. E.g., Chacha (a kind-of hash function designed by djb
> for use as a fast and secure stream cipher) is both faster, simpler, and
> easier to implement without side channels. See
> https://en.wikipedia.org/wiki/Salsa20.
Chacha is an alternative, and is surely useful when no AES acceleration
is available. But AES might actually be (much!) faster on current x86
hardware:
https://calomel.org/aesni_ssl_performance.html
--
Torbjörn
Please encrypt, key id 0xC8601622