On Tue, 2013-04-09 at 20:40 +0200, Arno Wagner wrote:
> > AES uses data-dependent lookup tables, on CPU with hyperthreading, the
> > second thread can observe L1 cache footprint done by the first thread and
> > get some information about data being encrypted...
>
> Yes, but that is not the only potential problem. For example, with
> Intel now implementing voltage regulators on the CPU, we may
> even see power-usage based leaks. If you are paranoid, constant-time,
> constant-power implementations are the only solution. And
> while feasible, they are sloooooooowwwwww...

Note that on those CPUs AES should usually use AES-NI, so timing attacks using the cache should not be that relevant…

Regards,
--
Yves-Alexis

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
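A check that follows from the reply above, added here as an example and not part of the thread: it parses /proc/crypto (fed from a constructed sample rather than a live machine) and reports which AES cipher driver the Linux crypto API will prefer, so the table-based aes-generic that the cache-timing remark applies to can be told apart from the aesni_intel driver. The record layout and field names are those of /proc/crypto; the sample values are made up.

```shell
#!/bin/sh
# Added example, not from the thread: find the AES cipher driver the
# Linux crypto API will prefer (highest "priority" among records whose
# "name" is aes and "type" is cipher), which is what dm-crypt gets when
# it asks for plain "aes". A driver such as aes-generic is the table-based
# code the cache-timing concern applies to; aes-aesni is the AES-NI path.
# Reads /proc/crypto text on stdin; prints "<driver> <priority>".
best_aes_driver() {
    awk '
        # One /proc/crypto record is a run of "key : value" lines ended
        # by a blank line; split on whitespace the fields are key, ":", value.
        /^name *:/     { name = $3 }
        /^driver *:/   { driver = $3 }
        /^priority *:/ { prio = $3 }
        /^type *:/     { type = $3 }
        /^$/           { flush() }
        END            { flush(); if (best != "") print best, bestprio }
        function flush() {
            if (name == "aes" && type == "cipher" && prio + 0 > bestprio + 0) {
                best = driver; bestprio = prio
            }
            name = driver = prio = type = ""
        }
    '
}

# Constructed sample in the /proc/crypto layout (not captured from a real
# machine): a generic table-based AES next to the aesni_intel driver.
SAMPLE_CRYPTO=$(cat <<'EOF'
name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
selftest     : passed
type         : cipher

name         : aes
driver       : aes-aesni
module       : aesni_intel
priority     : 300
selftest     : passed
type         : cipher
EOF
)

# On a live system: best_aes_driver < /proc/crypto
printf '%s\n' "$SAMPLE_CRYPTO" | best_aes_driver   # aes-aesni 300
```

If the winning driver is aes-generic on a CPU whose /proc/cpuinfo flags include aes, the aesni_intel module is simply not loaded, and the generic path stays in use until it is.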