Revision 1.3 | 19-Sep-2019 | riastradh
Use an explicit run-time assertion where compile-time doesn't work.

Revision 1.2 | 19-Sep-2019 | riastradh
Use CTASSERT where possible, run-time assertion where not.
Should fix negative-length variable-length array found by kamil.

Revision 1.1 | 02-Sep-2019 | riastradh
branches: 1.1.2; 1.1.4; 1.1.6; 1.1.8; 1.1.10;
Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256.

Benefits:
- larger seeds -- a 128-bit key alone is not enough for `128-bit security'
- better resistance to timing side channels than AES
- a better-understood security story (https://eprint.iacr.org/2018/349)
- no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world
- no dirty endianness tricks
- self-tests

Drawbacks:
- performance hit: throughput is reduced to about 1/3 in naive measurements
  => possible to mitigate by using hardware SHA-256 instructions
  => all you really need is 32 bytes to seed a userland PRNG anyway
  => if we just used ChaCha this would go away...

XXX pullup-7
XXX pullup-8
XXX pullup-9

Revision 1.1 | 02-Sep-2019 | riastradh
branches: 1.1.2;
Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256.

Benefits:
- larger seeds -- a 128-bit key alone is not enough for `128-bit security'
- better resistance to timing side channels than AES
- a better-understood security story (https://eprint.iacr.org/2018/349)
- no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world
- no dirty endianness tricks
- self-tests

Drawbacks:
- performance hit: throughput is reduced to about 1/3 in naive measurements
  => possible to mitigate by using hardware SHA-256 instructions
  => all you really need is 32 bytes to seed a userland PRNG anyway
  => if we just used ChaCha this would go away...

XXX pullup-7
XXX pullup-8
XXX pullup-9