Board: FB_security
Subject: Re: fast or slow crypto?
Posted from: NCTU CS FreeBSD Server (Sat Jun 28 12:10:37 2014)
Relay path: ptt!csnews.cs.nctu!news.cednctu!FreeBSD.cs.nctu!.POSTED!freebsd.org!ow
John-Mark Gurney wrote this message on Wed, Jun 25, 2014 at 18:22 -0700:
> Subj is more limited by your attack profile, than purely fast crypto..
> In some cases the crypto can be made reasonably fast while being
> secure against side channel analysis, but in other cases (GHASH) it's
> pretty much one (slow and secure) or the other (fast and insecure)...
So, one point I somewhat forget in this is that the version of software
AES in the kernel (that this new GHASH would go with) is vulnerable to
side-channel attacks... So, we are already in the fast and less secure
side of the equation..
There are lots of interesting optimizations that can be made, including a
version of AES that uses SSE registers, is constant time, and faster
than the Sbox lookup version...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
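The trade-off John-Mark describes for GHASH (a constant-time multiply against a faster table-driven one whose memory accesses depend on secret data) is easy to see side by side. The following is an added example, not code from FreeBSD or from the author of the message: a bit-serial constant-time GF(2^128) multiply and a Shoup-style 4-bit table multiply in the layout OpenSSL's gcm_gmult_4bit uses (the rem_4bit constants are derived from the GCM reduction polynomial, not copied), both driven through GHASH and checked against GCM spec Test Case 2. The names gf128_mul_ct, gf128_mul_4bit, ghash and the self-check helpers are this example's own; the LCG inputs in the self-check are constructed data.

```c
/*
 * Added example (not FreeBSD's or John-Mark Gurney's code): GHASH's GF(2^128)
 * multiply done two ways.  gf128_mul_ct has no branch and no memory index that
 * depends on X or Y; gf128_mul_4bit indexes T[] and rem[] by secret nibbles,
 * which is exactly what a cache-timing attacker can observe.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define R_HI 0xe100000000000000ULL /* t^128 mod (t^128+t^7+t^2+t+1), GCM bit order, top 64 bits */

static uint64_t load_be64(const uint8_t *p) { uint64_t v = 0; for (int i = 0; i < 8; i++) v = (v << 8) | p[i]; return v; }
static void store_be64(uint8_t *p, uint64_t v) { for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; } }

typedef void (*gf128_mul_fn)(const uint8_t x[16], const uint8_t y[16], uint8_t z[16]);

/* Constant-time X*Y: the GCM spec's bit-serial algorithm with masks instead of branches. */
static void gf128_mul_ct(const uint8_t x[16], const uint8_t y[16], uint8_t z[16])
{
    uint64_t vh = load_be64(y), vl = load_be64(y + 8), zh = 0, zl = 0;
    for (int i = 0; i < 128; i++) {
        uint64_t m = 0 - (uint64_t)((x[i >> 3] >> (7 - (i & 7))) & 1); /* 0 or all-ones */
        zh ^= vh & m; zl ^= vl & m;               /* Z ^= V when bit i of X is set */
        uint64_t r = 0 - (vl & 1);                /* V = V*t: shift right, fold t^128 */
        vl = (vl >> 1) | (vh << 63);
        vh = (vh >> 1) ^ (r & R_HI);
    }
    store_be64(z, zh); store_be64(z + 8, zl);
}

/* Table-driven X*Y, four bits per step.  T[n] = n*Y; rem[n] folds the four
 * coefficients t^124..t^127 pushed past t^128 by a multiply by t^4. */
static void gf128_mul_4bit(const uint8_t x[16], const uint8_t y[16], uint8_t z[16])
{
    uint64_t th[16], tl[16];
    uint16_t rem[16];
    static const uint16_t rem_base[4] = { 0x1c20, 0x3840, 0x7080, 0xe100 }; /* t^131,t^130,t^129,t^128 reduced */
    th[0] = tl[0] = 0; th[8] = load_be64(y); tl[8] = load_be64(y + 8);      /* T[8] = Y */
    for (int i = 4; i >= 1; i >>= 1) {                                      /* T[i] = T[2i]*t */
        uint64_t r = 0 - (tl[2 * i] & 1);
        tl[i] = (tl[2 * i] >> 1) | (th[2 * i] << 63);
        th[i] = (th[2 * i] >> 1) ^ (r & R_HI);
    }
    for (int i = 2; i < 16; i <<= 1)                                        /* T[i+j] = T[i]^T[j] */
        for (int j = 1; j < i; j++) { th[i + j] = th[i] ^ th[j]; tl[i + j] = tl[i] ^ tl[j]; }
    for (int n = 0; n < 16; n++) {
        rem[n] = 0;
        for (int b = 0; b < 4; b++) if ((n >> b) & 1) rem[n] ^= rem_base[b];
    }
    uint64_t zh = 0, zl = 0;
    for (int k = 31; k >= 0; k--) {              /* Horner over nibbles of X, last nibble first */
        unsigned dropped = (unsigned)(zl & 0xf); /* secret-dependent table index #1 */
        zl = (zl >> 4) | (zh << 60);             /* Z = Z*t^4 */
        zh = (zh >> 4) ^ ((uint64_t)rem[dropped] << 48);
        unsigned n = (x[k >> 1] >> ((k & 1) ? 0 : 4)) & 0xf;
        zh ^= th[n]; zl ^= tl[n];                /* secret-dependent table index #2 */
    }
    store_be64(z, zh); store_be64(z + 8, zl);
}

/* GHASH_H over whole blocks: Y_0 = 0, Y_i = (Y_{i-1} ^ B_i) * H */
static void ghash(gf128_mul_fn mul, const uint8_t h[16], const uint8_t *blocks, size_t nblocks, uint8_t out[16])
{
    uint8_t y[16] = { 0 }, t[16];
    for (size_t i = 0; i < nblocks; i++) {
        for (int j = 0; j < 16; j++) y[j] ^= blocks[16 * i + j];
        mul(y, h, t); memcpy(y, t, 16);
    }
    memcpy(out, y, 16);
}

/* Known answer: GCM spec Test Case 2 (K = 0, IV = 0^96, one zero plaintext block, no AAD). */
static const uint8_t TC2_H[16]      = { 0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e };
static const uint8_t TC2_BLOCKS[32] = { 0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78, /* C1 */
                                        0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x80 };                              /* len(A)||len(C) */
static const uint8_t TC2_GHASH[16]  = { 0xf3,0x8c,0xbb,0x1a,0xd6,0x92,0x23,0xdc,0xc3,0x45,0x7a,0xe5,0xb6,0xb0,0xf8,0x85 };

int gcm_tc2_ghash_ok(gf128_mul_fn mul)
{
    uint8_t out[16];
    ghash(mul, TC2_H, TC2_BLOCKS, 2, out);
    return memcmp(out, TC2_GHASH, 16) == 0;
}

/* 1 is 0x80 00..00 in GCM bit order and must be the identity; both multipliers
 * must agree and commute on constructed pseudo-random (LCG) inputs. */
int gf128_selfcheck_ok(void)
{
    static const uint8_t one[16] = { 0x80 };
    uint8_t a[16], b[16], p[16], q[16];
    uint32_t s = 12345;
    gf128_mul_ct(one, TC2_H, p); gf128_mul_4bit(TC2_H, one, q);
    if (memcmp(p, TC2_H, 16) || memcmp(q, TC2_H, 16)) return 0;
    for (int n = 0; n < 256; n++) {
        for (int i = 0; i < 16; i++) {
            s = s * 1103515245u + 12345u; a[i] = (uint8_t)(s >> 16);
            s = s * 1103515245u + 12345u; b[i] = (uint8_t)(s >> 16);
        }
        gf128_mul_ct(a, b, p); gf128_mul_4bit(a, b, q);
        if (memcmp(p, q, 16)) return 0;
        gf128_mul_ct(b, a, q);
        if (memcmp(p, q, 16)) return 0;
    }
    return 1;
}

int main(void)
{
    printf("GCM test case 2, constant-time multiply: %s\n", gcm_tc2_ghash_ok(gf128_mul_ct) ? "ok" : "FAIL");
    printf("GCM test case 2, 4-bit table multiply:   %s\n", gcm_tc2_ghash_ok(gf128_mul_4bit) ? "ok" : "FAIL");
    printf("identity / agreement self-check:         %s\n", gf128_selfcheck_ok() ? "ok" : "FAIL");
    return 0;
}
```

The two functions compute the same field product, and the 4-bit version does a quarter as many shift-and-fold steps, which is where its speed comes from. The cost is the two table lookups per step indexed by secret nibbles: an attacker sharing the cache can learn which lines of T[] and rem[] were touched and so recover nibbles of the running hash and of H. The constant-time version touches memory only at public addresses, but it relies on the compiler keeping the mask arithmetic branch-free, which is worth confirming in the generated assembly rather than assuming.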
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security