Terje Elde wrote:

> Possibly, not probably. Depends on the leak really. For timing-attacks for
> example, susceptibility would depend not only on the algorithm, but the
> specific implementation of it.

Sure. I wasn't really thinking about timing attacks but rather emission security, differential power analysis etc. For timing attacks, modern implementations have constant-time code for most ciphers (especially well audited for AES and its various block-cipher modes). Can't say the same thing for other ciphers; some are intentionally constant-time (e.g. ChaCha20/Poly1305).

Take OpenSSL for example; while you'll regularly see performance and security improvements with their optimized assembly, you won't see a lot of change w.r.t. CAMELLIA:

3-5 year old code (1.0.1p branch):
https://github.com/openssl/openssl/tree/OpenSSL_1_0_1p/crypto/camellia/asm

last updated a year ago (1.0.1p branch):
https://github.com/openssl/openssl/tree/OpenSSL_1_0_1p/crypto/aes/asm

You might also notice the lack of platform support for non-x86.

> If there's ever an attack against hardware-implementations in a CPU (AESNI,
> similar from AMD etc), it's very unlikely that it'd affect anything but AES,
> especially given that it's typically the only symmetric block cipher that's
> catered for.

That would likely affect GCM in general. More details on AESNI:
https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf

Aaron
_______________________________________________ Ach mailing list [email protected] http://lists.cert.at/cgi-bin/mailman/listinfo/ach
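The point both Terje and Aaron make, that timing susceptibility is a property of the implementation rather than the algorithm, is easiest to see on the smallest possible primitive: a tag comparison. The following is an added example, not code from this thread or from OpenSSL. It puts an early-exit byte compare beside a constant-time one and instruments both with a step counter standing in for measured latency, then runs a byte-at-a-time recovery against each. The 4-byte tag value, the step-count oracle, and the function names are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Early-exit comparison, the way a naive MAC-tag check is often written.
 * Returns 0 on match, 1 otherwise.  *steps receives the number of bytes
 * inspected, which grows with the length of the matching prefix: that
 * data-dependent amount of work is the timing leak. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 1;
        }
    }
    *steps = n;
    return 0;
}

/* Constant-time comparison: always touches all n bytes, ORs the XOR
 * differences into an accumulator, and folds it to 0/1 without branching
 * on secret-dependent data.  *steps is always n. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t acc = 0;
    size_t i;
    for (i = 0; i < n; i++)
        acc |= a[i] ^ b[i];
    *steps = n;
    /* For any nonzero 8-bit x, either x or -x (mod 256) has bit 7 set. */
    return (int)((acc | (uint8_t)-acc) >> 7);
}

typedef int (*cmp_fn)(const uint8_t *, const uint8_t *, size_t, size_t *);

/* Attacker model (constructed): an oracle reports how much work the
 * comparison did, a stand-in for measured latency, plus whether the tag was
 * accepted.  Recover the tag one byte at a time by keeping the guess that
 * made the oracle work hardest.  Returns the number of leading bytes of
 * `secret` recovered correctly. */
size_t recover_tag(cmp_fn cmp, const uint8_t *secret, size_t n, uint8_t *out)
{
    size_t pos, steps, best_steps, correct = 0;
    int v, best;

    memset(out, 0, n);
    for (pos = 0; pos < n; pos++) {
        best = 0;
        best_steps = 0;
        for (v = 0; v < 256; v++) {
            out[pos] = (uint8_t)v;
            if (cmp(out, secret, n, &steps) == 0)
                steps = n + 1;          /* acceptance is also observable */
            if (steps > best_steps) {   /* strict: ties keep the first guess */
                best_steps = steps;
                best = v;
            }
        }
        out[pos] = (uint8_t)best;
    }
    for (pos = 0; pos < n && out[pos] == secret[pos]; pos++)
        correct++;
    return correct;
}

/* Run the attack against a constructed 4-byte tag with either comparison;
 * returns how many bytes the oracle gave away. */
size_t demo_recovered(int use_ct)
{
    static const uint8_t secret[4] = { 0x4a, 0x11, 0xf3, 0x80 };
    uint8_t out[4];
    return recover_tag(use_ct ? ct_compare : leaky_compare, secret, 4, out);
}

int main(void)
{
    printf("early-exit compare:    attacker recovers %zu/4 bytes\n", demo_recovered(0));
    printf("constant-time compare: attacker recovers %zu/4 bytes\n", demo_recovered(1));
    return 0;
}
```

Against the early-exit compare the oracle leaks one byte per 256 queries and the whole tag falls; against the constant-time compare every guess costs the same and the search learns nothing. The counter is deliberately deterministic so the effect is visible without a noisy stopwatch, but it is the same signal a real attacker extracts from wall-clock latency, and the same reason the thread treats constant-time assembly as an implementation property worth auditing per cipher.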
