[Cryptography] randomness +- entropy
ianG
iang at iang.org
Sun Nov 10 04:57:01 EST 2013
On 9/11/13 16:59 PM, Theodore Ts'o wrote:
> On Sat, Nov 09, 2013 at 02:14:04PM +0300, ianG wrote:
>> Also, your use of the AES algorithm is entirely distinct to theirs.
>> You only go one way, like a hash, theirs is two way, encrypt and
>> decrypt, reversibly. You may be able to happily strip out parts of
>> AES in order to get a better efficiency, they cannot. E.g., it may
>> be possible to use less of the code and more of the AES instructions
>> directly to get all you need (I don't know, I'm just speculating
>> here...).
>
> The flip side of this is that there are multiple implementations of
> AES, optimized for x86, x86_32, x86 w/ the AES-NI instruction,
> Sparc64, and ARM. Plus the generic AES implementation, of course.
> Replicating all of this for the /dev/random driver would be a bit
> painful.
Ah, point. You pointed out earlier that AES was attractive because of
the AES-NI instruction ... which indicates a desire for speed.
I'm not sure about the need for speed here. I can't see the motivation
for it at all in pure RN project terms, it seems to just be the normal
obsession of programmers?
(In amusing contrast, many were sold on DRBG_EC, because it was slower,
in part...)
Also, it seems the preference to many is to block while not receiving
quality RNs; is speed really an issue?
> One option would be to find a generic AES algorithm which is optimized
> for size, as opposed to speed (so it doesn't have any assembly
> instructions or pre-generated tables which would bloat the kernel text
> size). For example, Ilya Levin has one[1] which compiles down to about
> 5k. Presumably it would be faster than the SHA-based generation
> code that I'm currently using, but I haven't tried measuring its speed
> on other platforms.
Presumably, if your need is only for whitening the output, you could
also look at SHA3. The core algorithm comes from the same team (or
close) and it has a lot of flexibility in its sponge construction that
might help it play a bigger part. It should be faster than AES.
> [1] http://www.literatecode.com/aes256
iang
More information about the cryptography
mailing list