Niels Möller nisse at
Mon Apr 15 12:44:46 UTC 2019

tg at (Torbjörn Granlund) writes:

> Chacha is an alternative, and is curely useful when no AES acceleration
> is available.  But AES might actually be (much!) faster on current x86
> hardwate:

Hmm. Speed of aes using the special instructions seem better than I
remembered. In my implementation, aes128 is 1.3 cycles/byte, aes256 is
2.0 c/b, and chacha 6.7 c/b. On the other hand, chacha is pretty fast on
any architecture, and can make use of any reasonable set of simd

> My main goal is not to provide a PRNG for direct cryptographic use, but
> rather to provide a great and efficient PRNG.

For non-cryptographic purposes, I guess one can also consider chacha
with reduced number of rounds, but one then loses the advantage of using
a well-establiched building block.


Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.

More information about the gmp-devel mailing list