Am Donnerstag, 2. Juni 2016, 16:40:12 schrieb Herbert Xu: Hi Herbert, > On Tue, May 31, 2016 at 01:23:21PM +0200, Stephan Mueller wrote: > > Hence my question: shall we leave the HMAC DRBG as default or shall we use > > the CTR DRBG as default? > > I don't really care one way or another. > > BTW why did you use the crypto_cipher aes interface instead of > the crypto_skcipher ctr(aes) interface which would likely make > your code run many orders-of-magnitude faster, especially with > aesni-intel? I considered such approach, but the crux is the following: for the CTR DRBG generate function, our state is 16 bytes (i.e. the AES block length). Out of those 16 bytes, we generate the random number by encrypting that block, incrementing the block by one and encrypt it again. In essence what we do here is the stream cipher part of the CTR mode which generates the data stream we use to XOR the input data with. The skcipher API, however, wants to encrypt an entire input data stream. That means the skcipher API requires the length of the input data stream to generate an equally sized output data stream. But that is not what we have here -- there is no input data. I.e. the skcipher API invokes the CTR mode for the stream cipher and performs the final XOR of the CTR stream with the input data. Currently I would not see a way how to access the CTR mode stream cipher part only via the skcipher API. Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html