tech-crypto archive


Re: Patch: cprng_fast performance - please review.



   Date: Fri, 18 Apr 2014 19:58:06 +0200
   From: Markku-Juhani Olavi Saarinen <mjos%iki.fi@localhost>

   If you want to get rid of RC4, use AES in CTR mode. It is a standard,
   compact, clean, and really fast solution. It may sound boring, but it
   gives me a feel of solid security engineering.

We use that for /dev/u?random and cprng_strong(9).  It's much slower
than RC4, Salsa20, and ChaCha, and it, too, has cache-timing side
channels without hardware assistance.

   Note that the majority of systems now have the AES-NI instructions, which
   speed up AES implementations by an order of magnitude. The
   implementations have a really small code + RAM footprint.

The majority of systems certainly don't have AES-NI.  Only some recent
Intel CPUs do, and we can't use it in the kernel anyway.  The RAM
footprint for software implementations is much larger than Salsa20 or
ChaCha.  The point of cprng_fast(9) is to be cheap enough that nobody
is ever tempted to use a non-cryptographic PRNG.

