John-Mark Gurney wrote this message on Wed, Jun 25, 2014 at 18:22 -0700:
> Subj is more limited by your attack profile, than purely fast crypto..
> In some cases the crypto can be made reasonably fast while being
> secure against side channel analysis, but in other cases (GHASH) it's
> pretty much one (slow and secure) or the other (fast and insecure)...
So, one point I somewhat forget in this is that the version of software
AES in the kernel (that this new GHASH would go with) is vulnerable to
side-channel attacks... So, we are already in the fast and less secure
side of the equation..
There are lots of interesting optimizations that can made, including a
version of AES that uses SSE registers, is constant time, and faster
than the Sbox lookup version...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
