On Tue, 26 Mar 2013, Milan Broz wrote: > - Are we sure we are not inroducing some another side channel in disc > encryption? (Unprivileged user can measure timing here). > (Perhaps stupid reason but please do not prefer performance to security > in encryption. Enough we have timing attacks for AES implementations...) So use serpent - it is implemented without any data-dependent lookup tables, so it has no timing attacks. AES uses data-dependent lookup tables, on CPU with hyperthreding, the second thread can observe L1 cache footprint done by the first thread and get some information about data being encrypted... Mikulas _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt