Name Description Size
aes.cpp

One of three AES implementation strategies is used to get a constant-time implementation which is immune to common cache/timing based side channels:
- If AES hardware support is available (AES-NI, POWER8, AArch64), use that.
- If 128-bit SIMD with byte shuffles is available (SSSE3, NEON, or AltiVec), use the vperm technique published by Mike Hamburg at CHES 2009.
- If neither hardware nor SIMD support is available, fall back to a constant-time bitsliced implementation.

The bitsliced implementation uses 32-bit words, so 2 blocks are processed in parallel. Moving to 4 blocks (with 64-bit words) would approximately double performance on 64-bit CPUs. Likewise, moving to 128-bit SIMD would again approximately double performance vs 64-bit. However, the assumption is that most 64-bit CPUs have either hardware AES or SIMD shuffle support, and that the majority of users falling back to this code will be on 32-bit cores. If this assumption proves to be unsound, the bitsliced code can easily be extended to operate on either 32- or 64-bit words depending on the native word size of the target processor.

Useful references:
- "Accelerating AES with Vector Permute Instructions", Mike Hamburg, https://www.shiftleft.org/papers/vector_aes/vector_aes.pdf
- "Faster and Timing-Attack Resistant AES-GCM", Käsper and Schwabe, https://eprint.iacr.org/2009/129.pdf
- "A new combinational logic minimization technique with applications to cryptology", Boyar and Peralta, https://eprint.iacr.org/2009/191.pdf
- "A depth-16 circuit for the AES S-box", Boyar and Peralta, https://eprint.iacr.org/2011/332.pdf
- "A Very Compact S-box for AES", Canright, https://www.iacr.org/archive/ches2005/032.pdf (extended version: https://core.ac.uk/download/pdf/36694529.pdf)

27826
aes.h AES-128 4234
aes_armv8
aes_ni
aes_power8
aes_vperm
info.txt 37