Document what we do in GCM a bit better [ci skip]

author: Jack Lloyd <[email protected]> 2018-06-21 20:22:59 -0400
committer: Jack Lloyd <[email protected]> 2018-06-21 20:22:59 -0400
commit: ed71932346613c533495369efa6a2b0668efac6f (patch)
tree: 2760236462053bb644bf58698c37168802fbf4eb
parent: e8cc1522ff854b592fd3b7f690f2717143848ea8 (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/doc/manual/side_channels.rst b/doc/manual/side_channels.rst
index 459b21396..fa9861603 100644
--- a/doc/manual/side_channels.rst
+++ b/doc/manual/side_channels.rst
@@ -264,8 +264,11 @@ GCM
 On platforms that support a carryless multiply instruction (ARMv8 and recent x86),
 GCM is fast and constant time.
 
-On all other platforms, GCM uses a slow but constant time algorithm. There is
-also an SSSE3 variant of the same (still relatively slow) algorithm.
+On all other platforms, GCM uses an algorithm based on precomputing all powers
+of H from 1 to 128. Then for every bit of the input a mask is formed which
+allows conditionally adding that power without leaking information via a cache
+side channel. There is also an SSSE3 variant of this algorithm which is somewhat
+faster on processors which have SSSE3 but no AES-NI instructions.
 
 OCB
 -----------------------
author	Jack Lloyd <[email protected]>	2018-06-21 20:22:59 -0400
committer	Jack Lloyd <[email protected]>	2018-06-21 20:22:59 -0400
commit	ed71932346613c533495369efa6a2b0668efac6f (patch)
tree	2760236462053bb644bf58698c37168802fbf4eb
parent	e8cc1522ff854b592fd3b7f690f2717143848ea8 (diff)