On Wed, 2010-04-07 at 16:00 -0400, Victor Duchovni wrote:
> Can someone confirm that what we are seeing is a work-around for DJB's
> cache timing attack on AES? If so, I would guess that the timing attack
> is believed to be impractical for large blocks, so the fast path is used
> only for sufficiently large inputs...
You seem to be right. The 32-bit version is better documented...

http://git.infradead.org/users/dwmw2/openssl-parsecvs.git/commitdiff/89be25a2

...The current size limit of
+# 512 bytes is chosen to provide same [diminishigly low] probability
+# for cache-line to remain untouched in large chunk operation with
+# large S-box as for single block operation with compact S-box and
+# surely needs more careful consideration...

-- 
dwmw2

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
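Review bot: the quoted comment justifies the 512-byte limit by equating the probability that a cache line stays untouched, but none of the inputs to that probability (cache-line size, the size of the compact S-box versus the large S-box, lookups per block) are recorded in the hunk, so the caveat "surely needs more careful consideration" cannot be acted on without re-deriving the number. Suggest adding those assumptions to the comment next to "+# 512 bytes is chosen to provide same [diminishigly low] probability" and defining the limit as a single named constant so that a later review changes one value rather than a literal.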
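To make the reasoning in the quoted comment concrete, here is an added illustration that is not code from this thread, the linked commit, or OpenSSL. It uses an idealized model in which every table lookup touches a uniformly random cache line of the table, and asks how many blocks the large-table path must process before a given line is as unlikely to stay untouched as it is after a single block through the compact S-box. The cache-line size, table sizes and lookups-per-block figures are assumptions declared in the code, not values taken from the commit, so the threshold it derives is only a sanity check of the argument, not the 512-byte figure itself.

```python
import math

# Assumed model parameters (constructed for illustration; the commit states
# none of these, so treat them as hypothetical inputs to the argument).
CACHE_LINE = 64           # bytes per cache line
COMPACT_SBOX = 256        # bytes: a single 256-entry byte S-box
LARGE_TABLES = 4 * 1024   # bytes: four 256-entry 32-bit T-tables
LOOKUPS_PER_BLOCK = 160   # AES-128: 16 table lookups per round, 10 rounds
AES_BLOCK = 16            # bytes per AES block


def p_line_untouched(table_bytes, lookups, line=CACHE_LINE):
    """Probability that one specific cache line of a table is never touched
    after `lookups` independent, uniformly random lookups into it.

    A line that is never touched is the observable a cache-timing adversary
    relies on, so the smaller this probability the less there is to measure.
    """
    lines = table_bytes // line
    return (1.0 - 1.0 / lines) ** lookups


def blocks_to_match(compact_bytes=COMPACT_SBOX, large_bytes=LARGE_TABLES,
                    lookups_per_block=LOOKUPS_PER_BLOCK, line=CACHE_LINE):
    """Smallest block count n such that n blocks through the large tables leave
    a given line untouched no more often than one block through the compact
    S-box does. This is the equalisation the quoted comment describes."""
    target = p_line_untouched(compact_bytes, lookups_per_block, line)
    n = 1
    while p_line_untouched(large_bytes, n * lookups_per_block, line) > target:
        n += 1
    return n


def byte_threshold(**kwargs):
    """Input size (bytes) above which the model says the fast path is no worse
    than the compact path, i.e. the analogue of the commit's size limit."""
    return blocks_to_match(**kwargs) * AES_BLOCK


def use_fast_path(nbytes, limit=512):
    """Dispatch rule as described in the thread: the large-S-box path is used
    only for inputs of at least `limit` bytes (512 in the quoted comment)."""
    return nbytes >= limit


if __name__ == "__main__":
    p_compact = p_line_untouched(COMPACT_SBOX, LOOKUPS_PER_BLOCK)
    n = blocks_to_match()
    print(f"compact S-box, one block: P(line untouched) = {p_compact:.3e}")
    print(f"large tables need {n} blocks ({byte_threshold()} bytes) to match it")
    print(f"log10 ratio at that size: "
          f"{math.log10(p_line_untouched(LARGE_TABLES, n * LOOKUPS_PER_BLOCK) / p_compact):.2f}")
```

Under these assumptions the model lands a little below the commit's 512 bytes; changing the assumed line size or per-round lookup count moves it, which is exactly why the comment's own caveat about the limit needing more consideration matters.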