On Fri, Nov 26, 2010 at 9:57 AM, [email protected] <[email protected]> wrote:
> ...
> Or OpenSSL 1.0 which is immune
You should qualify such statements made about software mitigations on side channels, particularly cache timing. :)

There are more than a few trivial protections in various implementations [not OpenSSL current, per se] that cover the usual cache line side channels but are a leaky sieve in the branch prediction cache or hyper-threading context. And what other esoteric / future cache timing attacks are yet to be discovered?

Hardware implementations are (usually) preferable given the broad protection provided against the entire class of data cache, branch prediction, and other CPU / host level cache timing attacks.

As mentioned previously, this is probably the least of your concerns. The usability improvement of low latency hw implementations is surely a more effective rationale than the risks of key compromise through local cache timing side channels...

best regards,

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
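As an added illustration of the kind of "trivial protection" the post refers to (this is example code written for this page, not from OpenSSL or any project discussed in the thread): a lookup into a 256-byte table indexed by a secret byte leaks which cache line was touched, while a masked scan of the whole table touches every line and contains no secret-dependent branch. The table below is a constructed stand-in permutation, not the AES S-box. Note that this only closes the data-cache-line channel; as the post says, a branch predictor or hyper-threaded sibling can still observe other aspects of execution, and a compiler may rewrite the mask-select into a branch unless the build is checked.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 256-byte lookup table standing in for an S-box (not the AES S-box). */
static uint8_t sbox[256];

/* Fill the table with a simple permutation of 0..255 (167 is odd, so x*167+13 mod 256 is a bijection). */
void init_table(void) {
    for (int i = 0; i < 256; i++)
        sbox[i] = (uint8_t)((i * 167 + 13) & 0xff);
}

/* Naive lookup: the address read depends on the secret index, so the cache line
 * brought in reveals the top bits of idx to anyone who can probe the cache. */
uint8_t lookup_naive(uint8_t idx) {
    return sbox[idx];
}

/* Constant-time lookup: read every entry and select the wanted one with a mask.
 * Every cache line of the table is touched regardless of idx, and there is no
 * secret-dependent branch (the mask is computed arithmetically). */
uint8_t lookup_ct(uint8_t idx) {
    uint8_t result = 0;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t diff = i ^ (uint32_t)idx;        /* zero only when i == idx      */
        uint32_t eq   = (diff - 1u) >> 31;        /* 1 when diff == 0, else 0     */
        uint8_t  mask = (uint8_t)(0u - eq);       /* 0xff when equal, else 0x00   */
        result |= (uint8_t)(sbox[i] & mask);
    }
    return result;
}

/* Sanity check: both lookups must agree on every possible index. Returns 1 on success. */
int lookups_agree(void) {
    init_table();
    for (int i = 0; i < 256; i++)
        if (lookup_naive((uint8_t)i) != lookup_ct((uint8_t)i))
            return 0;
    return 1;
}

int main(void) {
    printf("naive(17)=%u ct(17)=%u agree=%d\n",
           (unsigned)lookup_naive(17), (unsigned)lookup_ct(17), lookups_agree());
    return 0;
}
```

The naive version touches one 64-byte line out of four; the constant-time version touches all four on every call, so the memory access pattern carries no information about the index. The cost is 256 reads per lookup, which is the usability argument the post makes for low-latency hardware implementations.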
