PRNG i GMP
tg at gmplib.org
Mon Apr 15 12:22:56 UTC 2019
nisse at lysator.liu.se (Niels Möller) writes:
> I guess you need to spell out the requirements for that question to make
> sense. Why does GMP need a cryptographic PRNG?
My main goal is not to provide a PRNG for direct cryptographic use, but
rather to provide a great and efficient PRNG.
> I haven't read the NIST document (and I don't have time to do it at the
> moment). You may also want to have a look at
> https://www.schneier.com/academic/paperfiles/fortuna.pdf, I think it
> spells out the various attack scenarios clearly.
>
> Also, not sure AES is the best choice if you just want to run a cipher
> in counter mode. E.g., Chacha (a kind-of hash function designed by djb
> for use as a fast and secure stream cipher) is both faster, simpler, and
> easier to implement without side channels. See
Chacha is an alternative, and is surely useful when no AES acceleration
is available. But AES might actually be (much!) faster on current x86
Please encrypt, key id 0xC8601622