tech-crypto archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Patch: cprng_fast performance - please review.

   Date: Fri, 18 Apr 2014 19:58:06 +0200
   From: Markku-Juhani Olavi Saarinen <>

   If you want to get rid of RC4, use AES in CTR mode. It is standard,
   compact, clean, and really fast solution. May sound boring, but gives
   me a feel of solid security engineering.

We use that for /dev/u?random and cprng_strong(9).  It's much slower
than RC4, Salsa20, and ChaCha, and it, too, has cache-timing side
channels without hardware assistance.

   Note that majority of systems now have the AES-NI instructions which
   speed up AES implementations by an order of magnitude. The
   implementations have a really small code + ram footprint.

The majority of systems certainly don't have AES-NI.  Only some recent
Intel CPUs do, and we can't use it in the kernel anyway.  The RAM
footprint for software implementations is much larger than Salsa20 or
ChaCha.  The point of cprng_fast(9) is to be cheap enough that nobody
is ever tempted to use a non-cryptographic PRNG.

Home | Main Index | Thread Index | Old Index