Aloha!

On 2012-06-19 11:30, coderman wrote:
> On Tue, Jun 19, 2012 at 12:48 AM, Marsh Ray <ma...@extendedsubset.com> wrote:
>> So something is causing AES-NI to take 300 clocks/block to run this DRBG.
>> Again, more than 3x slower than the benchmarks I see for the hardware
>> primitive. My interpretation is that either RdRand is blocking due to
>> "entropy depletion", there's some internal data pipe bottleneck, or maybe
>> some of both.
>
> it is also seeding from the physical noise sources, running sanity
> checks of some type, and then handing over to DRBG. so there is
> clearly more involved than just a call to AES-NI. 3x as expensive
> doesn't sound unreasonable if the seeding and validation overhead is
> significant.
I might be missing something. But is it clear that Bull Mountain is actually using AES-NI? I assumed that one would like to use a separate HW-engine. Reading from the CRI paper seems (to me) to suggest that this is actually the case:

"Entropy conditioning is done via two independent AES-CBC-MAC chains, one for the generator’s key and one for its counter. AES-CBC-MAC should be suitable as an entropy extractor, and allows reuse of the module’s AES hardware."

--
With kind regards, Yours
Joachim Strömbergson - Always in harmonic oscillation.
========================================================================
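As an added illustration, not from this thread nor from Intel or CRI, here is a Go sketch of the structure the quoted CRI text describes: two independent AES-CBC-MAC chains condition a raw entropy pool into a key and a counter, which then drive an AES-CTR generator. The chain keys, the pool contents and size, and the omission of the DRBG's reseed/update bookkeeping are assumptions made for the example; the only input constraint enforced is the one CBC-MAC genuinely needs, a block-aligned pool.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Distinct fixed keys for the two chains (placeholders; the real constants are not on the page).
var chainKeyK, chainKeyV = []byte("cond-chain-key-K"), []byte("cond-chain-key-V")

// cbcMAC is a raw AES-CBC-MAC (zero IV, no padding); msg must be whole 16-byte blocks.
func cbcMAC(key, msg []byte) []byte {
	blk, _ := aes.NewCipher(key) // key length is fixed at 16 bytes above
	mac := make([]byte, aes.BlockSize)
	for i := 0; i < len(msg); i += aes.BlockSize {
		for j := range mac {
			mac[j] ^= msg[i+j]
		}
		blk.Encrypt(mac, mac)
	}
	return mac
}

// condition runs two independent CBC-MAC chains over the raw entropy pool,
// yielding the DRBG key and its initial counter, as the quoted text describes.
func condition(raw []byte) (key, ctr []byte, err error) {
	if len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return nil, nil, errors.New("pool must be a non-zero multiple of 16 bytes")
	}
	return cbcMAC(chainKeyK, raw), cbcMAC(chainKeyV, raw), nil
}

// generate emits n bytes of AES-CTR keystream under the conditioned key and
// counter; the DRBG's reseed/update bookkeeping is omitted.
func generate(key, ctr []byte, n int) []byte {
	blk, _ := aes.NewCipher(key)
	out := make([]byte, n)
	cipher.NewCTR(blk, ctr).XORKeyStream(out, out)
	return out
}

func main() {
	raw := bytes.Repeat([]byte{0x5a, 0xc3}, 32) // constructed noise-source stand-in
	key, ctr, _ := condition(raw)               // 64-byte pool is block-aligned by construction
	fmt.Printf("key %x\nctr %x\nout %x\n", key, ctr, generate(key, ctr, 32))
}
```

Because the two chains are keyed differently, the same pool yields unrelated key and counter values, which is the property that lets a single AES engine serve both the conditioner and the generator.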
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography