[dm-crypt] [dm-devel] dm-crypt performance

Yves-Alexis Perez corsac at debian.org
Sun Apr 21 22:38:36 CEST 2013


On mar., 2013-04-09 at 20:40 +0200, Arno Wagner wrote:
> > AES uses data-dependent lookup tables, on CPU with hyperthreding, the 
> > second thread can observe L1 cache footprint done by the first thread and 
> > get some information about data being encrypted...
> 
> Yes, but that is not the only potential problem. For example, with 
> Intel now implementing voltage regulators on the CPU, we may
> even see power-usage based leaks. If you are paranoid, constant
> time-contant-power implementations are the only solution. And 
> while feasible, they are sloooooooowwwwww... 

Note that on those CPUs AES should usually use AES-NI so timing attacks
using the cache should not be that relevant…

Regards,
-- 
Yves-Alexis


More information about the dm-crypt mailing list