Date:      Sat, 28 Jun 2014 04:10:37 -0700
From:      John-Mark Gurney <jmg@funkthat.com>
To:        freebsd-security@FreeBSD.org
Subject:   Re: fast or slow crypto?
Message-ID:  <20140628111037.GJ1560@funkthat.com>
In-Reply-To: <20140626012226.GX1560@funkthat.com>
References:  <20140626012226.GX1560@funkthat.com>

John-Mark Gurney wrote this message on Wed, Jun 25, 2014 at 18:22 -0700:
> Subj is more limited by your attack profile, than purely fast crypto..
> In some cases the crypto can be made reasonably fast while being
> secure against side channel analysis, but in other cases (GHASH) it's
> pretty much one (slow and secure) or the other (fast and insecure)...

So, one point I somewhat forgot in this is that the version of software
AES in the kernel (that this new GHASH would go with) is vulnerable to
side-channel attacks...  So, we are already on the fast and less secure
side of the equation..

There are lots of interesting optimizations that can be made, including a
version of AES that uses SSE registers, is constant time, and faster
than the Sbox lookup version...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
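The distinction the message draws between the table-lookup AES and a constant-time one, reduced to its smallest unit, the S-box, as an added illustration that is not part of the original message and not FreeBSD's kernel AES code (which uses larger T-tables, but leaks through the same mechanism: a memory address that depends on a secret byte). The SSE implementation mentioned above is not reproduced here; the constant-time S-box below uses plain integer arithmetic in GF(2^8) with AND masks in place of data-dependent branches and lookups. The names sbox_ct, sbox_lookup and cache_line_of_lookup are this example's own, and the 64-byte cache line is an assumption used only to show what a cache-timing observer learns from the lookup.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example: the AES S-box two ways.  Not FreeBSD code. */

/* Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES polynomial).
 * Every conditional XOR is done with an AND mask, so neither the control flow
 * nor any memory address depends on the values of a or b. */
static uint8_t gf_mul_ct(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t take  = (uint8_t)-(b & 1);   /* 0xff if low bit of b is set */
        uint8_t carry = (uint8_t)-(a >> 7);  /* 0xff if a << 1 overflows 8 bits */
        p ^= a & take;
        a  = (uint8_t)((a << 1) ^ (0x1b & carry));
        b >>= 1;
    }
    return p;
}

/* Multiplicative inverse as a^254 (a^255 = 1 for a != 0; 0 maps to 0, as AES
 * requires).  The exponent is a public constant, so branching on its bits
 * reveals nothing about a. */
static uint8_t gf_inv_ct(uint8_t a)
{
    uint8_t r = 1;
    for (int bit = 7; bit >= 0; bit--) {
        r = gf_mul_ct(r, r);
        if ((254 >> bit) & 1)          /* depends only on the constant 254 */
            r = gf_mul_ct(r, a);
    }
    return r;
}

static uint8_t rotl8(uint8_t x, int n)
{
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* Constant-time S-box: field inverse followed by the AES affine map. */
uint8_t sbox_ct(uint8_t x)
{
    uint8_t b = gf_inv_ct(x);
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63;
}

/* Table-driven S-box, the shape used by classic software AES.  The table is
 * filled once from the constant-time version, which is harmless (the table
 * is public).  The problem is the lookup itself: the address loaded depends
 * on the secret byte x, and cache state is observable by other code. */
static uint8_t sbox_table[256];
static int table_ready;

uint8_t sbox_lookup(uint8_t x)
{
    if (!table_ready) {
        for (int i = 0; i < 256; i++)
            sbox_table[i] = sbox_ct((uint8_t)i);
        table_ready = 1;
    }
    return sbox_table[x];   /* secret-dependent address: the side channel */
}

/* What a cache-timing observer learns from the lookup above, assuming 64-byte
 * cache lines: a 256-byte table spans four lines, and which line was touched
 * gives away the top two bits of x.  (The T-table variant leaks more.) */
int cache_line_of_lookup(uint8_t x)
{
    return x / 64;
}

/* Both implementations must agree on all 256 inputs. */
int sbox_mismatches(void)
{
    int n = 0;
    for (int i = 0; i < 256; i++)
        if (sbox_ct((uint8_t)i) != sbox_lookup((uint8_t)i))
            n++;
    return n;
}

int main(void)
{
    printf("S(0x53) = 0x%02x (FIPS-197 says 0xed), mismatches = %d\n",
           sbox_ct(0x53), sbox_mismatches());
    printf("lookup of 0x53 touches cache line %d of 4\n",
           cache_line_of_lookup(0x53));
    return sbox_mismatches() != 0;
}
```

The check values (S(0x00) = 0x63, S(0x01) = 0x7c, S(0x02) = 0x77, S(0x53) = 0xed, and {53}·{ca} = {01}) are the ones FIPS-197 gives. Note that sbox_ct is slower per byte than a table hit; the SSE version the message refers to recovers speed by processing many S-box evaluations in parallel with the same branch-free arithmetic, not by reintroducing lookups.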
