Torbjörn Granlund tg at
Mon Apr 15 19:57:16 UTC 2019

Thanks Pedro, you're making some very good points!

  Interesting. To get around this, one could perhaps use

    AES_encrypt(cnt, key) + cnt

  which no longer is a permutation (viewed as a function of cnt).

Or return the low k bits (not all 128)?

  You'd have to derive the subkeys for each call, which I think would add
  significant overhead. Even if I think there are some special
  instructions to help. My implementation doesn't use anything special for
  key setup, since it's usually not that performance critical.

If I understand the calomel page (which I linked) right, anything but
counter mode incurs significant slowdown.  I think I understand why this
is so.

Please encrypt, key id 0xC8601622
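
The two variants discussed above, as an added example that is not part of the original message or of GMP: a toy 16-bit Feistel permutation stands in for AES so that the whole counter range can be enumerated. The names toy_encrypt, output, first_repeat and SAMPLE_KEY are hypothetical, and "+" is assumed to mean addition modulo the block size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PERIOD 65536u  /* toy block is 16 bits, so 2^16 counter values */
static const uint8_t SAMPLE_KEY[4] = { 0x3a, 0xc5, 0x71, 0x0e };  /* constructed */

/* Toy 4-round Feistel network standing in for AES_encrypt(cnt, key).
   It is NOT AES; like AES it is a permutation of its block space. */
static uint16_t toy_encrypt(uint16_t x, const uint8_t key[4])
{
    uint8_t l = (uint8_t)(x >> 8), r = (uint8_t)x;
    for (int i = 0; i < 4; i++) {
        uint8_t f = (uint8_t)((r ^ key[i]) * 167u + 13u);
        uint8_t t = (uint8_t)(l ^ f ^ (f >> 3));
        l = r;
        r = t;
    }
    return (uint16_t)((l << 8) | r);
}

enum mode { RAW, FEED_FORWARD, LOW_8_BITS };
static uint16_t output(enum mode m, uint16_t cnt, const uint8_t key[4])
{
    uint16_t e = toy_encrypt(cnt, key);
    if (m == FEED_FORWARD) return (uint16_t)(e + cnt);  /* E(cnt) + cnt mod 2^16 */
    if (m == LOW_8_BITS) return e & 0xff;                /* low k bits, k = 8 */
    return e;                                            /* plain counter mode */
}

/* Outputs produced before one repeats an earlier value; PERIOD if none does. */
static unsigned first_repeat(enum mode m, const uint8_t key[4])
{
    static uint8_t seen[PERIOD];
    memset(seen, 0, sizeof seen);
    for (unsigned cnt = 0; cnt < PERIOD; cnt++) {
        uint16_t v = output(m, (uint16_t)cnt, key);
        if (seen[v]) return cnt;
        seen[v] = 1;
    }
    return PERIOD;
}

int main(void)
{
    printf("E(cnt):       %u\n", first_repeat(RAW, SAMPLE_KEY));
    printf("E(cnt) + cnt: %u\n", first_repeat(FEED_FORWARD, SAMPLE_KEY));
    printf("low 8 bits:   %u\n", first_repeat(LOW_8_BITS, SAMPLE_KEY));
    return 0;
}
```

Plain counter mode never repeats within the period, which is what distinguishes it from a random source; truncation to 8 bits must repeat within 257 outputs. With addition modulo 2^16 the feed-forward variant always repeats somewhere in the period, because the residues modulo an even n sum to n/2, so x + P(x) cannot be a permutation.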
