[dm-crypt] [dm-devel] dm-crypt performance
corsac at debian.org
Sun Apr 21 22:38:36 CEST 2013
On mar., 2013-04-09 at 20:40 +0200, Arno Wagner wrote:
> > AES uses data-dependent lookup tables, on CPU with hyperthreading, the
> > second thread can observe L1 cache footprint done by the first thread and
> > get some information about data being encrypted...
> Yes, but that is not the only potential problem. For example, with
> Intel now implementing voltage regulators on the CPU, we may
> even see power-usage based leaks. If you are paranoid, constant
> time-constant-power implementations are the only solution. And
> while feasible, they are sloooooooowwwwww...
Note that on those CPUs AES should usually use AES-NI so timing attacks
using the cache should not be that relevant…
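An added example, not part of this thread: the reply's point depends on which kernel implementation actually backs the AES mode dm-crypt requests, which /proc/crypto reveals (the kernel picks the registered driver with the highest priority). The /proc/crypto sample and its priority values below are constructed; the helper names are hypothetical.

```python
import re

# Constructed, abbreviated /proc/crypto sample (field layout as in the kernel).
SAMPLE_PROC_CRYPTO = """\
name         : xts(aes)
driver       : xts-aes-aesni
module       : aesni_intel
priority     : 401
type         : skcipher

name         : xts(aes)
driver       : xts(ecb(aes-generic))
module       : kernel
priority     : 100
type         : skcipher
"""

def parse_proc_crypto(text):
    """Split /proc/crypto text into one {field: value} dict per blank-line block."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            entries.append(fields)
    return entries

def selected_driver(text, algo):
    """Driver the kernel would pick for `algo`: highest priority wins."""
    candidates = [e for e in parse_proc_crypto(text) if e.get("name") == algo]
    if not candidates:
        return None
    return max(candidates, key=lambda e: int(e.get("priority", "0")))["driver"]

def is_table_driven(driver):
    """True for the generic T-table AES, the case the cache concern in the thread applies to."""
    return driver is not None and "aes-generic" in driver

if __name__ == "__main__":
    try:
        with open("/proc/crypto") as f:      # live data on a Linux host
            text = f.read()
    except OSError:
        text = SAMPLE_PROC_CRYPTO            # fall back to the constructed sample
    drv = selected_driver(text, "xts(aes)")
    print("xts(aes) ->", drv, "(table-driven)" if is_table_driven(drv) else "(not table-driven)")
```

On a real host, `cryptsetup benchmark` gives the throughput side of the same question, but only /proc/crypto shows which driver won the priority selection.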