Commit b5e0b03

Ard Biesheuvel authored and herbertx committed
crypto: aes - add generic time invariant AES cipher
Lookup table based AES is sensitive to timing attacks, which is due to the fact that such table lookups are data dependent, and the fact that 8 KB worth of tables covers a significant number of cachelines on any architecture, resulting in an exploitable correlation between the key and the processing time for known plaintexts.

For network facing algorithms such as CTR, CCM or GCM, this presents a security risk, which is why arch specific AES ports are typically time invariant, either through the use of special instructions, or by using SIMD algorithms that don't rely on table lookups.

For generic code, this is difficult to achieve without losing too much performance, but we can improve the situation significantly by switching to an implementation that only needs 256 bytes of table data (the actual S-box itself), which can be prefetched at the start of each block to eliminate data dependent latencies.

This code encrypts at ~25 cycles per byte on ARM Cortex-A57 (while the ordinary generic AES driver manages 18 cycles per byte on this hardware). Decryption is substantially slower.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
1 parent ec38a93 commit b5e0b03
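The commit message describes two things: why a data-dependent S-box lookup leaks timing, and the mitigation of touching the entire 256-byte table at the start of each block so that the later lookups hit the cache whatever their index. The block below is an added illustration of that idea in plain C and is not the kernel's aes_ti.c. It derives the forward S-box from its FIPS-197 definition (field inverse followed by the affine transform), then runs a SubBytes step behind a whole-table prefetch. The 64-byte line size, the volatile-sink trick used to stop the compiler from dropping the prefetch loads, and the helper names are assumptions made here, not values or code from the commit.

```c
/*
 * Added illustration, not the kernel's aes_ti.c: build the 256-byte AES S-box
 * from its definition, then apply the commit message's idea of pulling the
 * whole table into the cache before any data-dependent lookup. The line size
 * and the volatile-sink trick used to keep the prefetch alive are assumptions.
 */
#include <stdint.h>
#include <stdio.h>

#define CACHELINE_BYTES 64	/* assumed; the real value is per-architecture */

/* Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
	uint8_t p = 0;
	for (int i = 0; i < 8; i++) {
		if (b & 1)
			p ^= a;
		uint8_t carry = a & 0x80;
		a = (uint8_t)(a << 1);
		if (carry)
			a ^= 0x1b;
		b >>= 1;
	}
	return p;
}

/* Multiplicative inverse by exhaustive search; 0 maps to 0 as in FIPS-197. */
static uint8_t gf_inv(uint8_t a)
{
	for (unsigned y = 1; a && y < 256; y++)
		if (gf_mul(a, (uint8_t)y) == 1)
			return (uint8_t)y;
	return 0;
}

static uint8_t rotl8(uint8_t x, unsigned n)
{
	return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* Forward S-box: affine transform of the field inverse (FIPS-197 5.1.1). */
void aes_build_sbox(uint8_t sbox[256])
{
	for (unsigned x = 0; x < 256; x++) {
		uint8_t b = gf_inv((uint8_t)x);
		sbox[x] = b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63;
	}
}

/*
 * Touch one byte in every cache line of the table. The volatile store turns
 * the loads into observable side effects so the compiler cannot drop them;
 * afterwards the indexed loads below hit the cache whatever their index.
 */
static void prefetch_table(const uint8_t *table, size_t len)
{
	static volatile uint8_t sink;
	uint8_t acc = 0;
	for (size_t i = 0; i < len; i += CACHELINE_BYTES)
		acc ^= table[i];
	sink = acc;
}

/* SubBytes over a 16-byte state, with the whole S-box prefetched first. */
void aes_sub_bytes_prefetched(const uint8_t sbox[256], uint8_t state[16])
{
	prefetch_table(sbox, 256);
	for (int i = 0; i < 16; i++)
		state[i] = sbox[state[i]];
}

/* Hypothetical helper: one S-box value obtained through the prefetched path. */
uint8_t aes_sbox_value(uint8_t x)
{
	uint8_t sbox[256], state[16] = { x };
	aes_build_sbox(sbox);
	aes_sub_bytes_prefetched(sbox, state);
	return state[0];
}

/* Sanity check on the generator: a correct S-box is a permutation of 0..255. */
int aes_sbox_is_permutation(void)
{
	uint8_t sbox[256], seen[256] = { 0 };
	aes_build_sbox(sbox);
	for (unsigned i = 0; i < 256; i++) {
		if (seen[sbox[i]])
			return 0;
		seen[sbox[i]] = 1;
	}
	return 1;
}

int main(void)
{
	printf("S[0x00]=%02x S[0x53]=%02x permutation=%d\n", aes_sbox_value(0x00),
	       aes_sbox_value(0x53), aes_sbox_is_permutation());
	return 0;
}
```

The prefetch narrows the leak rather than closing it: anything that evicts S-box lines between the prefetch and the lookups (an interrupt, a sibling hyperthread, another core sharing the cache) reintroduces index-dependent latency, which is why the commit message says "as much as possible" and why arch-specific ports rely on dedicated instructions or table-free SIMD code instead.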

3 files changed, +393 -0 lines changed

crypto/Kconfig

Lines changed: 17 additions & 0 deletions
@@ -895,6 +895,23 @@ config CRYPTO_AES
895895

896896
See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
897897

898+
config CRYPTO_AES_TI
899+
tristate "Fixed time AES cipher"
900+
select CRYPTO_ALGAPI
901+
help
902+
This is a generic implementation of AES that attempts to eliminate
903+
data dependent latencies as much as possible without affecting
904+
performance too much. It is intended for use by the generic CCM
905+
and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
906+
solely on encryption (although decryption is supported as well, but
907+
with a more dramatic performance hit)
908+
909+
Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
910+
8 for decryption), this implementation only uses just two S-boxes of
911+
256 bytes each, and attempts to eliminate data dependent latencies by
912+
prefetching the entire table into the cache at the start of each
913+
block.
914+
898915
config CRYPTO_AES_586
899916
tristate "AES cipher algorithms (i586)"
900917
depends on (X86 || UML_X86) && !64BIT
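Review bot: the help text says this cipher is intended for the generic CCM and GCM drivers, but nothing in the entry explains how those drivers end up using it instead of the lookup-table AES from `config CRYPTO_AES` directly above (algorithm name, driver name or priority), so a user who enables CRYPTO_AES_TI cannot tell whether their CCM/GCM instances actually became fixed-time; a sentence naming the driver and how it gets selected would fix that. Two smaller points in the same text: `only uses just two S-boxes` is redundant (drop `just`), and the first paragraph ends inside the parenthesis at `performance hit)` without a closing period.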

crypto/Makefile

Lines changed: 1 addition & 0 deletions
@@ -99,6 +99,7 @@ obj-$(CONFIG_CRYPTO_TWOFISH) += twofish_generic.o
9999
obj-$(CONFIG_CRYPTO_TWOFISH_COMMON) += twofish_common.o
100100
obj-$(CONFIG_CRYPTO_SERPENT) += serpent_generic.o
101101
obj-$(CONFIG_CRYPTO_AES) += aes_generic.o
102+
obj-$(CONFIG_CRYPTO_AES_TI) += aes_ti.o
102103
obj-$(CONFIG_CRYPTO_CAMELLIA) += camellia_generic.o
103104
obj-$(CONFIG_CRYPTO_CAST_COMMON) += cast_common.o
104105
obj-$(CONFIG_CRYPTO_CAST5) += cast5_generic.o
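Review bot: aes_ti.o is added as a standalone object beside aes_generic.o, and the Kconfig hunk gives CRYPTO_AES_TI only `select CRYPTO_ALGAPI`, so aes_ti.c (the third changed file, not shown on this page) must not use anything exported by aes_generic.o, such as its key expansion or its tables; if it does, the entry needs a `select CRYPTO_AES` as well or the module will fail to load in a configuration with CRYPTO_AES disabled.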