Pedro Gimeno gmpdevel at
Mon Apr 15 21:27:00 UTC 2019

Niels Möller wrote on 15/04/2019 20.01:

> Pedro Gimeno <gmpdevel at> writes:
>> It should not be a problem for AES256. It's kinda unusual to need
>> something around 2^136 random bits, to say the least. For AES128, it
>> should be mostly fine, but it might introduce a slight bias in some
>> applications. For any 64-bit cipher, this method would clearly be
>> defective without re-keying.
> The key is kind-of fixed, so it should be the cipher's *block size* that
> matters, not the key size, right?

Yes, my bad, apologies. I thought AES256 used a 256-bit block size. Now I see that it refers to key size. When I said 64-bit cipher I obviously meant block size as well.

Anyway, that brings up another point: how would seeding work? Should the seed be used verbatim, like, should the first N bits of the seed be used directly as a key? Should some bits of the key be reserved, e.g. for a counter, in case we decide in future to re-key?
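As an added illustration of the two points raised in this exchange (block size, not key size, sets how long one key can be used; and how a seed might be split into key and counter with room to re-key), here is a small AES-CTR generator in Go. It is example code written for this page, not gmp's code or anything proposed in the thread. Its conventions are assumptions: a 256-bit seed is split into a 128-bit AES key and a 128-bit initial counter block, and re-keying (when enabled) is Fortuna-style, spending two blocks of keystream on a fresh key and counter. `AllDistinctBlocks` makes the block-size argument concrete: under a single key, CTR output is a permutation of counter values, so no 16-byte block ever repeats, which is exactly the statistical signature that becomes visible after roughly 2^(n/2) blocks for an n-bit block.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
	"math"
)

const blockSize = 16 // AES block size in bytes; the block size, not the key size, sets the usable budget per key

// CtrRNG is a deterministic generator that runs AES in counter mode.
// Seeding convention (an assumption of this example): the 256-bit seed is
// split into a 128-bit AES key (seed[0:16]) and a 128-bit initial counter (seed[16:32]).
type CtrRNG struct {
	block    cipher.Block
	counter  [blockSize]byte
	produced uint64 // blocks produced under the current key
	rekeyAt  uint64 // re-key after this many blocks; 0 disables re-keying
	buf      []byte // keystream bytes not yet handed out
}

func NewCtrRNG(seed [32]byte, rekeyAt uint64) *CtrRNG {
	r := &CtrRNG{rekeyAt: rekeyAt}
	r.reseed(seed)
	return r
}

// reseed installs a new key and counter and resets the per-key block count.
func (r *CtrRNG) reseed(seed [32]byte) {
	blk, err := aes.NewCipher(seed[:16])
	if err != nil {
		panic(err) // a 16-byte key is always accepted
	}
	r.block = blk
	copy(r.counter[:], seed[16:])
	r.produced = 0
}

// nextBlock encrypts the current counter, then increments the counter as a 128-bit big-endian integer.
func (r *CtrRNG) nextBlock() [blockSize]byte {
	var out [blockSize]byte
	r.block.Encrypt(out[:], r.counter[:])
	for i := blockSize - 1; i >= 0; i-- {
		r.counter[i]++
		if r.counter[i] != 0 {
			break
		}
	}
	r.produced++
	return out
}

// Read fills p with generator output, re-keying first when the per-key budget is spent.
func (r *CtrRNG) Read(p []byte) {
	for len(p) > 0 {
		if len(r.buf) == 0 {
			if r.rekeyAt != 0 && r.produced >= r.rekeyAt {
				// Fortuna-style re-key: two blocks of keystream become the next key and counter.
				var seed [32]byte
				k := r.nextBlock()
				c := r.nextBlock()
				copy(seed[:16], k[:])
				copy(seed[16:], c[:])
				r.reseed(seed)
			}
			b := r.nextBlock()
			r.buf = b[:]
		}
		n := copy(p, r.buf)
		r.buf = r.buf[n:]
		p = p[n:]
	}
}

// AllDistinctBlocks reports whether the first n blocks under one fixed key are pairwise distinct.
// For a CTR keystream this is always true: distinct counters map to distinct ciphertexts.
func AllDistinctBlocks(seed [32]byte, n int) bool {
	r := NewCtrRNG(seed, 0)
	seen := make(map[[blockSize]byte]struct{}, n)
	for i := 0; i < n; i++ {
		b := r.nextBlock()
		if _, dup := seen[b]; dup {
			return false
		}
		seen[b] = struct{}{}
	}
	return true
}

// MaxBlocksPerKey is the birthday bound 2^(n/2) for an n-bit block: past this many
// blocks the absence of repeats becomes detectable, so a key should be retired earlier.
func MaxBlocksPerKey(blockBits uint) float64 {
	return math.Pow(2, float64(blockBits)/2)
}

func main() {
	var seed [32]byte // constructed demo seed, not a real secret
	for i := range seed {
		seed[i] = byte(i)
	}
	r := NewCtrRNG(seed, 1<<20) // re-key every 2^20 blocks (16 MiB), far below 2^64 for AES
	out := make([]byte, 32)
	r.Read(out)
	fmt.Println("sample:", hex.EncodeToString(out))
	fmt.Printf("64-bit block budget: %.0f blocks; 128-bit block budget: %.0f blocks\n",
		MaxBlocksPerKey(64), MaxBlocksPerKey(128))
}
```

The numbers `MaxBlocksPerKey` reports make the comparison in the thread explicit: a 64-bit block cipher reaches its birthday bound after 2^32 blocks (32 GiB of output), whereas a 128-bit block cipher has 2^64 blocks, so for AES the block size is not the practical limit and re-keying is about hygiene (limiting what one key exposure reveals) rather than bias.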
