Re: [PATCH v3] crypto: aes - add generic time invariant AES cipher

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Feb 02, 2017 at 04:37:40PM +0000, Ard Biesheuvel wrote:
> Lookup table based AES is sensitive to timing attacks, which is due to
> the fact that such table lookups are data dependent, and the fact that
> 8 KB worth of tables covers a significant number of cachelines on any
> architecture, resulting in an exploitable correlation between the key
> and the processing time for known plaintexts.
> 
> For network facing algorithms such as CTR, CCM or GCM, this presents a
> security risk, which is why arch specific AES ports are typically time
> invariant, either through the use of special instructions, or by using
> SIMD algorithms that don't rely on table lookups.
> 
> For generic code, this is difficult to achieve without losing too much
> performance, but we can improve the situation significantly by switching
> to an implementation that only needs 256 bytes of table data (the actual
> S-box itself), which can be prefetched at the start of each block to
> eliminate data dependent latencies.
> 
> This code encrypts at ~25 cycles per byte on ARM Cortex-A57 (while the
> ordinary generic AES driver manages 18 cycles per byte on this
> hardware). Decryption is substantially slower.
> 
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux