On 10 October 2014 02:39, Damien Miller <d...@mindrot.org> wrote:
> On Thu, 9 Oct 2014, Christian Weisgerber wrote:
>
>> John-Mark Gurney:
>>
>> > I also have an implementation of ghash that does a 4 bit lookup table
>> > version with the table split between cache lines in p4 at:
>> > https://p4db.freebsd.org/fileViewer.cgi?FSPC=//depot/projects/opencrypto/sys/opencrypto/gfmult.c&REV=4
>> >
>> > This also has a version which does 4 blocks at a time, getting a
>> > further speed up...
>>
>> FWIW, I did a quick & dirty merge of this into the OpenBSD tree and
>> the speed of my test (net6501-50, tcpbench -u over esp aes-128-gmac)
>> almost doubled.
>
> isn't this likely to make it more likely to be subject to timing
> attacks?
>

Then how is this different to our table-based AES implementation?
And it's the same C code as in OpenSSL, which also uses a table-based
GCM implementation.

What countermeasures can be applied to the table-lookup code
to fight these attacks?
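The usual countermeasure for the question above, as an added example that is not code from this thread, OpenBSD, FreeBSD or OpenSSL: a GHASH whose GF(2^128) multiply is bit-serial and selects with masks instead of indexing a table, so the memory it touches and the instructions it executes do not depend on H or on the data. It pays for that with 128 iterations per block (much slower than the 4-bit table version discussed above) and is checked against NIST GCM test case 2; the gf128 struct and function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

/* GCM field element: hi = block bytes 0..7, lo = bytes 8..15, both big-endian.
 * Bit 0 of the GCM bit string is the top bit of hi; LSB(V) is bit 0 of lo. */
typedef struct { uint64_t hi, lo; } gf128;

/* Bit-serial multiply (SP 800-38D Algorithm 1) with the data-dependent branch
 * and table index replaced by masks: the instruction stream and the memory
 * touched are identical for every operand, so there is no cache footprint. */
static gf128 gf128_mul_ct(gf128 x, gf128 y) {
    gf128 z = {0, 0}, v = y;
    for (int i = 0; i < 128; i++) {
        /* all-ones mask iff bit i of x is set; the ?: depends only on i */
        uint64_t w = i < 64 ? x.hi : x.lo;
        uint64_t m = 0 - ((w >> (63 - (i & 63))) & 1);
        z.hi ^= v.hi & m;
        z.lo ^= v.lo & m;
        /* V >>= 1, then XOR R = 0xe1 || 0^120 iff the bit shifted out was 1 */
        uint64_t carry = 0 - (v.lo & 1);
        v.lo = (v.lo >> 1) | (v.hi << 63);
        v.hi = (v.hi >> 1) ^ (0xe100000000000000ULL & carry);
    }
    return z;
}

/* GHASH: Y_i = (Y_{i-1} XOR X_i) * H over the blocks of A || C || lengths */
gf128 ghash_ct(gf128 h, const gf128 *blocks, size_t n) {
    gf128 y = {0, 0};
    for (size_t i = 0; i < n; i++) {
        y.hi ^= blocks[i].hi;
        y.lo ^= blocks[i].lo;
        y = gf128_mul_ct(y, h);
    }
    return y;
}

/* NIST GCM test case 2 (K = 0, IV = 0, P = 0^128): H = AES_K(0), one
 * ciphertext block, then the length block [0]_64 || [128]_64. */
int ghash_ct_selftest(void) {
    gf128 h = {0x66e94bd4ef8a2c3bULL, 0x884cfa59ca342b2eULL};
    gf128 blocks[2] = {{0x0388dace60b6a392ULL, 0xf328c2b971b2fe78ULL},
                       {0, 0x80}};
    gf128 y = ghash_ct(h, blocks, 2);
    return y.hi == 0xf38cbb1ad69223dcULL && y.lo == 0xc3457ae5b6b0f885ULL;
}
```

A compiler may turn the mask selection back into branches, so the generated code needs checking, not just the source. Where the CPU has a carry-less multiply instruction (PCLMULQDQ), that is the usual way to get GHASH both fast and free of data-dependent memory access.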
