author | lloyd <[email protected]> | 2010-08-18 23:11:15 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2010-08-18 23:11:15 +0000 |
commit | 34fe34b27e0b6a2799078879b4566707a8622e81 (patch) | |
tree | 969e70f0d6ffa1c92c9db7a824ed8b3ed623ded7 /doc | |
parent | 87c938f6289782cacfcb5170322716363bd31122 (diff) |
In the first round of AES, use a 256 element table and do the
rotations in the code. This reduces the number of cache lines
potentially accessed in the first round from 64 to 16 (assuming 64
byte cache lines). On average, about 10 cache lines will actually be
accessed, assuming a uniform distribution of the inputs, so there
definitely is still a timing channel here, just a somewhat smaller
one.
I experimented with using the 256 element table for all rounds but it
reduced performance significantly and I'm not sure if the benefit is
worth the cost or not.
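The first-round change the commit message describes, as an added example for this page (illustrative code written here, not Botan's AES implementation): one AES round done with four 1 KiB T-tables next to the same round done with a single 1 KiB table and in-code rotations, with the 64-byte cache lines each lookup touches recorded so the 64-versus-16 line footprint can be checked. The T-table packing `(2s, s, s, 3s)`, the column-major state layout, the "four tables contiguous in memory" model and the helper names (`aes_round`, `expected_lines`, `measured_lines`) are assumptions of this demo, not Botan's layout or API.

```cpp
// Added example for this page, not Botan's code: the first AES round with four 1 KiB
// T-tables versus one 1 KiB table plus in-code rotations, and the 64-byte cache-line
// footprint of each. Table packing, column-major state and the "four contiguous
// tables" memory model are assumptions of this demo, not Botan's layout.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <set>

static uint8_t  sbox[256];
static uint32_t T[4][256];   // T[0] is the base table; T[r] = T[0] rotated right by 8*r bits
static bool     ready = false;

static uint8_t gmul(uint8_t a, uint8_t b) {   // GF(2^8) multiply, modulus x^8+x^4+x^3+x+1
    uint8_t p = 0;
    for (int i = 0; i < 8; i++, b >>= 1) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
    }
    return p;
}

static uint32_t rotr(uint32_t x, int n) { return n ? (x >> n) | (x << (32 - n)) : x; }

static void init() {
    if (ready) return;
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 0;                       // multiplicative inverse x^254; 0 maps to 0
        if (x) { inv = 1; for (int i = 0; i < 254; i++) inv = gmul(inv, (uint8_t)x); }
        uint8_t s = inv;                       // S-box affine transform
        for (int i = 1; i <= 4; i++) s ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
        sbox[x] = s ^ 0x63;
        uint8_t v = sbox[x];                   // T0 entry (2v, v, v, 3v): MixColumns of SubBytes(x)
        T[0][x] = ((uint32_t)gmul(v, 2) << 24) | ((uint32_t)v << 16) | ((uint32_t)v << 8) | gmul(v, 3);
        for (int r = 1; r < 4; r++) T[r][x] = rotr(T[0][x], 8 * r);
    }
    ready = true;
}

// One round (SubBytes, ShiftRows, MixColumns, AddRoundKey) on a column-major 16-byte state.
// With one_table=false, row r is looked up in T[r]; the four tables are modelled as one
// contiguous 4 KiB region, so cache lines 0..63 are reachable. With one_table=true, only
// T[0] is read and the rotation is done in code, so only the 16 lines of T[0] are reachable.
// `lines` records every 64-byte line a lookup touches.
static void aes_round(const uint8_t s[16], const uint32_t rk[4], uint32_t out[4],
                      bool one_table, std::set<int>& lines) {
    init();
    for (int j = 0; j < 4; j++) {
        uint32_t c = rk[j];
        for (int r = 0; r < 4; r++) {
            uint8_t x = s[4 * ((j + r) % 4) + r];          // ShiftRows: row r of column j+r
            if (one_table) { lines.insert(x * 4 / 64);              c ^= rotr(T[0][x], 8 * r); }
            else           { lines.insert((r * 1024 + x * 4) / 64); c ^= T[r][x]; }
        }
        out[j] = c;
    }
}

// Both variants must give the same round output; checked on a fixed, constructed state.
static bool rounds_agree() {
    uint8_t s[16]; for (int i = 0; i < 16; i++) s[i] = (uint8_t)(0x11 * i);
    const uint32_t rk[4] = {0x01020304, 0x05060708, 0x090a0b0c, 0x0d0e0f10};
    uint32_t a[4], b[4]; std::set<int> la, lb;
    aes_round(s, rk, a, false, la);
    aes_round(s, rk, b, true, lb);
    for (int j = 0; j < 4; j++) if (a[j] != b[j]) return false;
    return true;
}

// Expected number of distinct lines touched for uniform inputs: `tables` tables of
// `lines_per_table` lines, each table receiving `lookups` independent lookups.
static double expected_lines(int tables, int lines_per_table, int lookups) {
    double untouched = std::pow(1.0 - 1.0 / lines_per_table, lookups);
    return tables * lines_per_table * (1.0 - untouched);
}

// Average distinct lines over n pseudo-random states (xorshift32; constructed input).
static double measured_lines(bool one_table, int n) {
    uint32_t seed = 0x2545F491;
    const uint32_t rk[4] = {0, 0, 0, 0};                // the key does not change which lines are read
    double total = 0;
    for (int i = 0; i < n; i++) {
        uint8_t s[16];
        for (auto& byte : s) { seed ^= seed << 13; seed ^= seed >> 17; seed ^= seed << 5; byte = (uint8_t)seed; }
        std::set<int> lines; uint32_t out[4];
        aes_round(s, rk, out, one_table, lines);
        total += (double)lines.size();
    }
    return total / n;
}

int main() {
    std::printf("rounds agree: %s\n", rounds_agree() ? "yes" : "no");
    std::printf("four tables: 64 lines reachable, expected %.2f, measured %.2f\n",
                expected_lines(4, 16, 4), measured_lines(false, 4000));
    std::printf("one table:   16 lines reachable, expected %.2f, measured %.2f\n",
                expected_lines(1, 16, 16), measured_lines(true, 4000));
}
```

The analytic figure for the single table, 16 · (1 − (15/16)^16) ≈ 10.3 lines, matches the "about 10" in the commit message; the same formula for the four-table round gives 64 · (1 − (15/16)^4) ≈ 14.6, so the reachable footprint drops fourfold while the average footprint drops by roughly a third. In both cases the set of lines touched still depends on the input bytes, which is the remaining timing channel the message points out; only the SSSE3 path from the previous release avoids data-dependent table reads altogether.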
Diffstat (limited to 'doc')
-rw-r--r-- | doc/log.txt | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/doc/log.txt b/doc/log.txt index f9092da21..7f7076a4b 100644 --- a/doc/log.txt +++ b/doc/log.txt @@ -1,6 +1,7 @@ * 1.9.11-dev, ????-??-?? - Switch default PKCS #8 encryption algorithm from AES-128 to AES-256 + - Use smaller tables in the first round of AES * 1.9.10, 2010-08-12 - Add a constant time AES implementation using SSSE3 |
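Review bot: the added log.txt line "Use smaller tables in the first round of AES" reads as a size or speed optimisation and omits the security rationale and its limit; sitting directly above "Add a constant time AES implementation using SSSE3", it invites the reading that the table-based path is now constant time too, whereas the commit message says the cache timing channel is only narrowed (16 reachable lines instead of 64). Suggest stating both in the entry, e.g. `- Use a single 256 entry table in the first round of AES to reduce cache timing leakage (the channel is narrowed, not closed)`.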