On Wednesday, 8 June 2016, 09:56:42, Stephan Mueller wrote:

Hi Stephan,

> On Wednesday, 8 June 2016, 10:41:40, Herbert Xu wrote:
>
> Hi Herbert,
>
> > On Thu, Jun 02, 2016 at 02:06:55PM +0200, Stephan Mueller wrote:
> > > I am working on it. During the analysis, I saw, however, that the DRBG
> > > increments the counter before the encryption whereas the CTR mode
> > > increments it after the encryption.
> > >
> > > I could of course adjust the handling in the code, but this would be a
> > > real hack IMHO.
> >
> > Changing the order of increment is equivalent to changing the IV, no?
>
> I finally got it working. All I needed to do is to add a crypto_inc(V) after
> a recalculation of V. One addition: my NULL vector is 128 bytes in size.
>
> The performance with ctr-aes-aesni on 64 bit is as follows -- I used my LRNG
> implementation for testing for which I already have performance
> measurements:
>
> - generating smaller lengths (I tested up to 128 bytes) of random numbers
>   (which is the vast majority of random numbers to be generated), the
>   performance is even worse by 10 to 15%
>
> - generating larger lengths (tested with 4096 bytes) of random numbers, the
>   performance increases by 3%
>
> Using ctr(aes-aesni) on 32 bit, the numbers are generally worse by 5 to 10%.
>
> So, with these numbers, I would conclude that switching to the CTR mode is
> not worthwhile.
>
> Ciao
> Stephan
> --
> To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

Ciao
Stephan
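The increment-order question raised in the thread (DRBG increments V before encrypting, CTR mode after), shown as an added example that is not code from the thread or from the kernel: starting CTR mode at V + 1 over a NULL vector reproduces the CTR_DRBG keystream block for block, and the counter CTR mode hands back is exactly the crypto_inc(V) the reply describes. HMAC-SHA256 truncated to 16 bytes stands in for AES (an assumption so the example runs offline); the equivalence depends only on the order of increment, not on the block function.

```python
import hmac
import hashlib

BLOCK = 16  # AES block size; counters are 128-bit big-endian


def crypto_inc(counter: bytes) -> bytes:
    """Big-endian increment with carry, wrapping at 2^128 (kernel crypto_inc() semantics)."""
    value = (int.from_bytes(counter, "big") + 1) % (1 << (8 * BLOCK))
    return value.to_bytes(BLOCK, "big")


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES (assumption): HMAC-SHA256 truncated to one block."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def drbg_generate(key: bytes, v: bytes, nblocks: int):
    """SP 800-90A CTR_DRBG generate loop: V = V + 1 first, then output E_K(V).
    Returns (output, updated V)."""
    out = bytearray()
    for _ in range(nblocks):
        v = crypto_inc(v)
        out += block_encrypt(key, v)
    return bytes(out), v


def ctr_encrypt(key: bytes, iv: bytes, plaintext: bytes):
    """CTR mode: keystream = E_K(counter) first, then counter = counter + 1.
    Returns (ciphertext, counter after the last block)."""
    out = bytearray()
    counter = iv
    for i in range(0, len(plaintext), BLOCK):
        keystream = block_encrypt(key, counter)
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + BLOCK], keystream))
        counter = crypto_inc(counter)
    return bytes(out), counter


def drbg_generate_via_ctr(key: bytes, v: bytes, nbytes: int):
    """DRBG output produced by CTR mode: encrypt a NULL vector of nbytes
    starting at V + 1.  Because CTR increments after each block, the counter
    it returns equals crypto_inc(updated DRBG V): the state has to be kept
    pre-incremented, which is the crypto_inc(V) after every recalculation of V."""
    null_vector = bytes(nbytes)  # constructed: all-zero plaintext, as in the DRBG
    return ctr_encrypt(key, crypto_inc(v), null_vector)
```

Feeding CTR mode the un-incremented V instead produces a keystream shifted by one block, which is the IV change Herbert's question points at.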