PRNG i GMP
Torbjörn Granlund
tg at gmplib.org
Mon Apr 15 19:57:16 UTC 2019
Thanks Pedro, you're making some very good points!
Interesting. To get around this, one could perhaps use
AES_encrypt(cnt, key) + cnt
which no longer is a permutation (viewed as a function of cnt).
Or return the low k bits (not all 128)?
You'd have to derive the subkeys for each call, which I think would add
significant overhead. Even if I think there are some special
instructions to help. My implementation doesn't use anything special for
key setup, since it's usually not that performance critical.
If I understand the calomel page (which I linked) right, anything but
counter mode incurs significant slowdown. I think I understand why this
is so.
--
Torbjörn
Please encrypt, key id 0xC8601622
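Added example, not part of the thread and not GMP or Nettle code: the point above is that E(cnt, key) in counter mode is a permutation of the block space, so a generator that emits whole blocks never repeats an output, and that alone distinguishes it from a random source after roughly the birthday bound (about 2^64 blocks for a 128-bit cipher). E(cnt, key) + cnt is not a permutation, and neither is a k-bit truncation. To make the difference observable, the code below stands in for AES with a constructed 16-bit keyed Feistel permutation (a Feistel network is a bijection for any round function; the round function, key schedule and key value are all made up for this example and have no security value) and enumerates the entire 2^16 counter range for each of the three output rules.

```python
"""Counter-mode output rules: permutation vs. non-permutation.

Constructed example: a 16-bit Feistel network stands in for AES so that the
whole counter space can be enumerated.  Nothing here is a real cipher.
"""

MASK16 = 0xFFFF


def _round_function(half: int, subkey: int) -> int:
    """Toy 8-bit round function (constructed; any function works in a Feistel)."""
    t = (half ^ subkey) & 0xFF
    t = (t * 0x9D + 0x3B) & 0xFF          # affine mix
    t = ((t << 3) | (t >> 5)) & 0xFF      # rotate left by 3
    return t ^ (t >> 4)                   # still fits in 8 bits


def toy_block_permutation(block: int, key: int, rounds: int = 6) -> int:
    """Keyed 16-bit permutation (stand-in for E(block, key)).

    (L, R) -> (R, L ^ F(R)) is invertible whatever F is, so this is a
    bijection on 0..65535 regardless of how weak the round function is.
    The key is treated as 32 bits split into four 8-bit subkeys.
    """
    left, right = (block >> 8) & 0xFF, block & 0xFF
    for r in range(rounds):
        subkey = ((key >> (8 * (r % 4))) & 0xFF) ^ (r * 0x5B & 0xFF)
        left, right = right, left ^ _round_function(right, subkey)
    return (left << 8) | right


def ctr_outputs(key: int, n: int) -> list:
    """Plain counter mode: emit E(cnt, key) for cnt = 0..n-1."""
    return [toy_block_permutation(cnt, key) for cnt in range(n)]


def ctr_plus_counter_outputs(key: int, n: int) -> list:
    """The variant from the thread: E(cnt, key) + cnt (mod 2^16) per call."""
    return [(toy_block_permutation(cnt, key) + cnt) & MASK16 for cnt in range(n)]


def ctr_truncated_outputs(key: int, n: int, k: int) -> list:
    """Return only the low k bits of E(cnt, key)."""
    low = (1 << k) - 1
    return [toy_block_permutation(cnt, key) & low for cnt in range(n)]


def first_repeat_index(outputs: list):
    """Index of the first output equal to an earlier one, or None if all distinct."""
    seen = set()
    for i, v in enumerate(outputs):
        if v in seen:
            return i
        seen.add(v)
    return None


def distinct_fraction(outputs: list) -> float:
    """Share of outputs that are distinct (1.0 for a permutation over its domain)."""
    return len(set(outputs)) / len(outputs)


if __name__ == "__main__":
    key = 0xDEADBEEF          # constructed key value
    n = 1 << 16               # the entire 16-bit counter space
    for name, outs in (
        ("E(cnt)          ", ctr_outputs(key, n)),
        ("E(cnt) + cnt    ", ctr_plus_counter_outputs(key, n)),
        ("low 8 bits      ", ctr_truncated_outputs(key, n, 8)),
    ):
        print(name, "first repeat at:", first_repeat_index(outs),
              "distinct fraction: %.3f" % distinct_fraction(outs))
```

The plain counter-mode column reports no repeat at all and a distinct fraction of exactly 1.0, which is the fingerprint Pedro's objection is about: a random function over the same domain would show about 63% distinct values and a first collision after a few hundred outputs. The "+ cnt" and truncated rules both collide, as a random source would. The cost side of the thread does not change: all three rules still call the block function once per counter value, so the difference is in the output post-processing, not in key setup.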