[RFC] DRBG: which shall be default?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Herbert,

with that patch, the CTR DRBG is the fasted DRBG by orders of magnitude -- 
about 2 times faster than the HMAC DRBG (current default) and 1.5 times faster 
than the Hash DRBG.

However, I am not too fond of the CTR DRBG due to the following that I already 
mentioned some days ago. Quote:

"""
the DF/BCC function in the DRBG is critical as I think it looses entropy 
IMHO. When you seed the DRBG with, say 256 or 384 bits of data, the BCC acts 
akin a MAC by taking the 256 or 384 bits and collapse it into one AES block of 
128 bits. Then he DF function expands this one block into the DRBG internal 
state including the AES key of 256 / 384 bits depending on the type of AES you 
use. So, if you have 256 bits of entropy in the seed, you have 128 bits left 
after the BCC operation.
"""


The current default of the HMAC DRBG is the leanest and cleanest, but it is 
also the slowest.

The fastest DRBG is the one that has the most complex state maintenance and I 
do not like parts of it.


Hence my question: shall we leave the HMAC DRBG as default or shall we use the 
CTR DRBG as default?

Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux