Hi Herbert, with that patch, the CTR DRBG is the fasted DRBG by orders of magnitude -- about 2 times faster than the HMAC DRBG (current default) and 1.5 times faster than the Hash DRBG. However, I am not too fond of the CTR DRBG due to the following that I already mentioned some days ago. Quote: """ the DF/BCC function in the DRBG is critical as I think it looses entropy IMHO. When you seed the DRBG with, say 256 or 384 bits of data, the BCC acts akin a MAC by taking the 256 or 384 bits and collapse it into one AES block of 128 bits. Then he DF function expands this one block into the DRBG internal state including the AES key of 256 / 384 bits depending on the type of AES you use. So, if you have 256 bits of entropy in the seed, you have 128 bits left after the BCC operation. """ The current default of the HMAC DRBG is the leanest and cleanest, but it is also the slowest. The fastest DRBG is the one that has the most complex state maintenance and I do not like parts of it. Hence my question: shall we leave the HMAC DRBG as default or shall we use the CTR DRBG as default? Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html