Torbjörn Granlund tg at
Mon Apr 15 13:50:47 UTC 2019

nisse at (Niels Möller) writes:

  Hmm. Speed of aes using the special instructions seems better than I
  remembered. In my implementation, aes128 is 1.3 cycles/byte, aes256 is
  2.0 c/b, and chacha 6.7 c/b. On the other hand, chacha is pretty fast on
  any architecture, and can make use of any reasonable set of simd

The performance is awesome.

A possible disadvantage is non-x86 hardware.  I know Arm has something,
but instruction availability on Arm is an absolute nightmare.

I dunno about POWER.

Our current default PRNG is also very fast, IIRC it does on the order of
10 Gbit/s on current hardware.

I don't think we need to squeeze every cycle out of GMP's PRNG
functions. They should be fast enough not to bottleneck testing, and be
broadly usable.

A widely understood algorithm is also a big advantage.

  For non-cryptographic purposes, I guess one can also consider chacha
  with reduced number of rounds, but one then loses the advantage of using
  a well-established building block.

If we use chacha with fewer rounds, we should perhaps not mention chacha
in the docs, as else somebody would surely use it for something
cryptographic and get a surprise.

Please encrypt, key id 0xC8601622
