aes.cpp |
One of three AES implementation strategies is used to get a constant-time
implementation which is immune to common cache/timing-based side channels:
- If AES hardware support is available (AES-NI, POWER8, Aarch64) use that
- If 128-bit SIMD with byte shuffles is available (SSSE3, NEON, or Altivec),
use the vperm technique published by Mike Hamburg at CHES 2009.
- If neither hardware AES nor SIMD support is available, fall back to a constant-time
bitsliced implementation. This uses 32-bit words, resulting in 2 blocks being processed
in parallel. Moving to 4 blocks (with 64-bit words) would approximately
double performance on 64-bit CPUs. Likewise, moving to 128-bit SIMD would
again approximately double performance vs 64-bit. However, the assumption is
that most 64-bit CPUs either have hardware AES or SIMD shuffle support and
that the majority of users falling back to this code will be on 32-bit cores.
If this assumption proves to be unsound, the bitsliced code can easily be
extended to operate on either 32- or 64-bit words depending on the native
word size of the target processor.
Useful references:
- "Accelerating AES with Vector Permute Instructions", Mike Hamburg
https://www.shiftleft.org/papers/vector_aes/vector_aes.pdf
- "Faster and Timing-Attack Resistant AES-GCM", Käsper and Schwabe
https://eprint.iacr.org/2009/129.pdf
- "A new combinational logic minimization technique with applications to cryptology", Boyar and Peralta
https://eprint.iacr.org/2009/191.pdf
- "A depth-16 circuit for the AES S-box", Boyar and Peralta
https://eprint.iacr.org/2011/332.pdf
- "A Very Compact S-box for AES", Canright
https://www.iacr.org/archive/ches2005/032.pdf
https://core.ac.uk/download/pdf/36694529.pdf (extended version)
| 27826
aes.h | AES-128 | 4234
aes_armv8 | |
aes_ni | |
aes_power8 | |
aes_vperm | |
info.txt | | 37