fast or slow crypto?
John-Mark Gurney
jmg at funkthat.com
Sat Jun 28 11:10:39 UTC 2014
John-Mark Gurney wrote this message on Wed, Jun 25, 2014 at 18:22 -0700:
> Subj is more limited by your attack profile, than purely fast crypto..
> In some cases the crypto can be made reasonably fast while being
> secure against side channel analysis, but in other cases (GHASH) it's
> pretty much one (slow and secure) or the other (fast and insecure)...
So, one point I somewhat forget in this is that the version of software
AES in the kernel (that this new GHASH would go with) is vulnerable to
side-channel attacks... So, we are already in the fast and less secure
side of the equation..
There are lots of interesting optimizations that can made, including a
version of AES that uses SSE registers, is constant time, and faster
than the Sbox lookup version...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the freebsd-security
mailing list