tech-crypto archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Patch: cprng_fast performance - please review.

On Fri, Apr 18, 2014 at 8:11 PM, Taylor R Campbell
<> wrote:
>    Date: Fri, 18 Apr 2014 19:58:06 +0200
>    From: Markku-Juhani Olavi Saarinen <>
>    If you want to get rid of RC4, use AES in CTR mode. It is standard,
>    compact, clean, and really fast solution. May sound boring, but gives
>    me a feel of solid security engineering.
> We use that for /dev/u?random and cprng_strong(9).  It's much slower
> than RC4, Salsa20, and ChaCha, and it, too, has cache-timing side
> channels without hardware assistance.

Agreed. AES is worse if you don't have AES-NI.

It has been there on all new systems purchased in some last 3 years,
so I would *guess* that it would be > 50% of systems fielded out

The implementation size really goes down with the instructions since
the large tables are eliminated (they're on the chip). Few hundred

- markku

Home | Main Index | Thread Index | Old Index