authorJeffrey Walton <noloader@gmail.com>2017-04-13 17:46:51 -0400
committerJeffrey Walton <noloader@gmail.com>2017-04-13 17:46:51 -0400
commit70cf88f2308ac03a7ee064f43f1cc2f6fe9fa536 (patch)
tree7b85c4dafae2e223a0bd0effa0839604e5727a4e /aria.cpp
parent65c3c63b521bdda5b08f28830ac677b35800f6bf (diff)
downloadcryptopp-git-70cf88f2308ac03a7ee064f43f1cc2f6fe9fa536.tar.gz
Apply S-box timing attack counter measures to ARIA
The ARIA S-boxes could leak timing information. This commit applies the counter measures present in Rijndael and Camellia to ARIA. We take a penalty of about 0.05 to 0.1 cpb. It equates to about 0 MiB/s on an ARM device, and about 2 MiB/s on a modern Skylake. We recently gained some performance through use of SSE and NEON in ProcessAndXorBlock, so the net result is an improvement.
Diffstat (limited to 'aria.cpp')
-rw-r--r--aria.cpp14
1 files changed, 14 insertions, 0 deletions
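diff --git a/aria.cpp b/aria.cpp
index 56b7b6d6..24865b8f 100644
--- a/aria.cpp
+++ b/aria.cpp
@@ -640,6 +640,20 @@ void ARIA::Base::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, b
 const byte *rk = reinterpret_cast<const byte*>(m_rk.data());
 word32 *t = const_cast<word32*>(m_w.data()+20);
+// Timing attack countermeasure. See comments in Rijndael for more details.
+// We used Yun's 32-bit implementation, so we don't want to walk elements.
+// In this case, we still want the byte oriented pointer to induce the flush.
+const int cacheLineSize = GetCacheLineSize();
+const byte *p = reinterpret_cast<const byte*>(S1);
+unsigned int i;
+volatile word32 _u = 0;
+word32 u = _u;
+
+for (i=0; i<256; i+=cacheLineSize)
+u &= *(const word32 *)(void*)(p+i);
+u &= *(const word32 *)(void*)(p+252);
+t[0] |= u; t[1] |= u;
+
 #if CRYPTOPP_ENABLE_ARIA_SSSE3_INTRINSICS
 if (HasSSSE3())
 {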
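Review bot: The cache-warming pass touches only 256 bytes of S1 (`i<256`, tail read at `p+252`), yet the comment directly above says the table is Yun's 32-bit implementation, so if S1 is a table of word32 entries (its declaration is not in this hunk) the loop pre-touches only the first quarter of it and the rest of the table, plus any other S-box table the block indexes with key- or data-dependent values, keeps its cache-dependent access time. The byte-sized bounds are right for Rijndael's byte tables but should be derived from the table here: `for (i=0; i<sizeof(S1); i+=cacheLineSize)` and `u &= *(const word32 *)(void*)(p+sizeof(S1)-sizeof(word32));`, with the same pass repeated for each secret-indexed table. A one-line comment naming which tables the pass is meant to cover, e.g. `// Touch every cache line of each table indexed by key/data below`, would let a reader check coverage without recounting bytes. ProcessAndXorBlock begins before and continues after this hunk.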