AES-NI, symmetric key generation

Werner Koch wk at
Tue Mar 10 22:13:34 CET 2015

On Tue, 10 Mar 2015 20:33, maricelgregoraschko at said:

> I admit I haven't looked at the AES-NI instruction set, but I've read
> that it could be easy for the CPU to reconstruct the key from a

Possible.  It is also easy to detect the instructions used for software
based AES keyscheduling and leak the key from that knowledge.  I'd pick
AES-NI for its better performance and SCA resistance.

RDRAND for random numbers is a different story.  No sane crypto tool
should solely rely on this instruction.



Thoughts are free.  Exceptions are regulated by a federal law.
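The point about not relying solely on RDRAND, as an added illustration that is not part of the post above: a hardware RNG output is only ever one input to a hash-based mixer, so a stuck or untrusted source cannot lower the quality of the result below that of the other inputs. The "RDRAND" and OS-pool bytes here are constructed stand-ins, not real instruction output.

```python
import hashlib


def hw_rng_health_ok(samples: list[bytes]) -> bool:
    """Minimal repetition check: a hardware RNG that keeps returning the
    same block is treated as failed and must not be trusted on its own."""
    return len(samples) >= 2 and len(set(samples)) > 1


def mix_entropy(sources: list[bytes]) -> bytes:
    """Combine several entropy inputs with SHA-256 so no single source
    determines the key. The output is unpredictable as long as at least
    one input is; a stuck or backdoored source merely adds nothing.
    Each input is length-prefixed so the concatenation is unambiguous."""
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest()


def derive_symmetric_key(hw_rng: bytes, os_pool: bytes) -> bytes:
    """Derive a 256-bit key from a hardware RNG sample plus the OS pool.
    The hardware sample is never used alone, whatever its quality."""
    return mix_entropy([hw_rng, os_pool])


if __name__ == "__main__":
    # Constructed sample values: a "stuck" RDRAND and a healthy OS pool.
    stuck_rdrand = b"\xff" * 32
    os_pool = bytes(range(32))
    print("hw rng healthy:", hw_rng_health_ok([stuck_rdrand] * 4))  # False
    print("key:", derive_symmetric_key(stuck_rdrand, os_pool).hex())
```

Even with the hardware sample fixed, different OS-pool inputs yield different keys, which is exactly the property that makes mixing safe.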

More information about the Gnupg-users mailing list