On Wednesday, 8 June 2016, 10:41:40, Herbert Xu wrote:

Hi Herbert,

> On Thu, Jun 02, 2016 at 02:06:55PM +0200, Stephan Mueller wrote:
> > I am working on it. During the analysis, I saw, however, that the DRBG
> > increments the counter before the encryption whereas the CTR mode
> > increments it after the encryption.
> >
> > I could of course adjust the handling in the code, but this would be a
> > real hack IMHO.
>
> Changing the order of increment is equivalent to changing the IV, no?

I finally got it working. All I needed to do is to add a crypto_inc(V) after a recalculation of V.

The performance with ctr-aes-aesni on 64 bit is as follows -- I used my LRNG implementation for testing, for which I already have performance measurements:

- generating smaller lengths (I tested up to 128 bytes) of random numbers (which is the vast majority of random numbers to be generated), the performance is even worse by 10 to 15%

- generating larger lengths (tested with 4096 bytes) of random numbers, the performance increases by 3%

Using ctr(aes-aesni) on 32 bit, the numbers are generally worse by 5 to 10%.

So, with these numbers, I would conclude that switching to the CTR mode is not worthwhile.

Ciao
Stephan
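The counter-ordering point discussed in the thread, as an added illustration that is not code from the thread or from the kernel: the CTR DRBG generate loop increments V and then encrypts, while CTR mode encrypts and then increments, so the DRBG output equals the CTR keystream whose IV is V incremented once (the crypto_inc(V) Stephan mentions). The block cipher is replaced here by a keyed PRF stand-in (an assumption, not AES) because the equivalence depends only on counter handling; inc128 mirrors the big-endian wraparound semantics of a 128-bit counter increment.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes


def inc128(v: bytes) -> bytes:
    """Big-endian 128-bit increment with wraparound, as a CTR counter increment does."""
    n = (int.from_bytes(v, "big") + 1) % (1 << 128)
    return n.to_bytes(BLOCK, "big")


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher (assumption: a keyed PRF truncated to one block).
    The argument below is about the order of increment, not about the cipher itself."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def drbg_ctr_blocks(key: bytes, v: bytes, nblocks: int) -> tuple[bytes, bytes]:
    """CTR DRBG generate loop: increment V first, then encrypt V.
    Returns (output, V as the DRBG holds it afterwards)."""
    out = b""
    for _ in range(nblocks):
        v = inc128(v)
        out += block_fn(key, v)
    return out, v


def ctr_mode_keystream(key: bytes, iv: bytes, nblocks: int) -> tuple[bytes, bytes]:
    """CTR mode: encrypt the counter first, then increment it.
    Returns (keystream, counter value after the last block)."""
    out = b""
    ctr = iv
    for _ in range(nblocks):
        out += block_fn(key, ctr)
        ctr = inc128(ctr)
    return out, ctr


def drbg_via_ctr(key: bytes, v: bytes, nblocks: int) -> bytes:
    """Produce the DRBG output with CTR mode by feeding it V incremented once."""
    keystream, _ = ctr_mode_keystream(key, inc128(v), nblocks)
    return keystream
```

Without the extra increment, plain CTR mode started at V yields the same stream shifted by one block, which is why the DRBG output never matched before the fix.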