On Wed, 12 Nov 2014, Mike Belopuhov wrote:
> > isn't this likely to make it more likely to be subject to timing
> > attacks?
> >
> then how is this different to our table based aes implementation?
> and it's the same C code as in openssl which also uses table based
> gcm implementation.
Yeah, that's crappy too - IMO we should definitely look at replacing it, but I haven't found an implementation that is a) native C, b) doesn't use FP/SSE tricksies and c) is acceptably fast. OpenSSL only falls back to the table-based code if none of the assembler versions are selected for the platform. AFAIK many of these are constant time.

> what countermeasures can be applied to the table lookup code
> to fight these attacks?

It's possible to do dummy accesses, but these do slow things down and many have been broken anyway.

-d
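As an added example (not code from this thread, from OpenBSD or from OpenSSL): a table-free GF(2^128) multiply and GHASH in plain C, the shape of implementation the reply says it could not find, native C with no FP/SSE and no secret-dependent branches or memory accesses. The two conditionals of the bit-serial algorithm become masks, so cache footprint and timing do not depend on H or the data; the cost is about 128 iterations of a few word operations per block, which is the "acceptably fast" trade-off the thread is weighing. The known-answer check uses test case 2 from the GCM specification.

```c
#include <stddef.h>
#include <stdint.h>

/* 128-bit block as two big-endian words: hi = bytes 0..7, lo = bytes 8..15 */
typedef struct { uint64_t hi, lo; } blk128;

/* Z = X * Y in GF(2^128) with GCM's bit order (Algorithm 1 of the GCM spec).
 * Both conditionals are replaced by masks and nothing is indexed by operand
 * bits; the only branch is on the public loop counter. Slower than the
 * 4-bit/8-bit table variants, but timing is independent of key and data. */
static blk128 gf128_mul(blk128 x, blk128 y) {
    blk128 z = {0, 0}, v = y;
    for (int i = 0; i < 128; i++) {
        /* bit i of X; bit 0 is the most significant bit of byte 0 */
        uint64_t xi = (i < 64) ? (x.hi >> (63 - i)) : (x.lo >> (127 - i));
        uint64_t mask = 0 - (xi & 1);            /* all ones iff the bit is set */
        z.hi ^= v.hi & mask;
        z.lo ^= v.lo & mask;
        /* V >>= 1, then XOR R = 0xE1 || 0^120 iff the bit shifted out was 1 */
        uint64_t carry = 0 - (v.lo & 1);
        v.lo = (v.lo >> 1) | (v.hi << 63);
        v.hi = (v.hi >> 1) ^ (carry & 0xE100000000000000ULL);
    }
    return z;
}

/* GHASH over n whole blocks: Y_i = (Y_{i-1} ^ X_i) * H, starting from Y_0 = 0 */
static blk128 ghash(blk128 h, const blk128 *x, size_t n) {
    blk128 y = {0, 0};
    for (size_t i = 0; i < n; i++) {
        y.hi ^= x[i].hi;
        y.lo ^= x[i].lo;
        y = gf128_mul(y, h);
    }
    return y;
}

/* GCM spec test case 2: H = AES_0(0), one zero plaintext block, no AAD.
 * GHASH input is C || len(A)||len(C); expected f38cbb1ad69223dcc3457ae5b6b0f885 */
static int gcm_test_case_2(void) {
    blk128 h = {0x66e94bd4ef8a2c3bULL, 0x884cfa59ca342b2eULL};
    blk128 in[2] = {{0x0388dace60b6a392ULL, 0xf328c2b971b2fe78ULL}, {0, 0x80}};
    blk128 y = ghash(h, in, 2);
    return y.hi == 0xf38cbb1ad69223dcULL && y.lo == 0xc3457ae5b6b0f885ULL;
}

/* exit status 0 iff the known-answer test passes */
int main(void) { return gcm_test_case_2() ? 0 : 1; }
```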