author | Niels Möller <nisse@lysator.liu.se> | 2023-05-07 15:30:40 +0200 |
---|---|---|
committer | Niels Möller <nisse@lysator.liu.se> | 2023-05-07 15:30:40 +0200 |
commit | 7e288a978e60cf616d3f41413899e2c9d52624c6 (patch) | |
tree | 008482201dd1020d2a7c74166132eb190340b167 | |
parent | 332ad2bd2b3da1dd35ed3e8939c7b9730bc0c8eb (diff) | |
download | nettle-7e288a978e60cf616d3f41413899e2c9d52624c6.tar.gz |
NEWS entries for Nettle-3.9.
-rw-r--r-- | NEWS | 75 |
1 files changed, 75 insertions, 0 deletions
@@ -1,3 +1,78 @@ +NEWS for the Nettle 3.9 release + + This release includes bug fixes, several new features, a few + performance improvements, and one performance regression + affecting GCM on certain platforms. + + Nettle's implementation of GHASH, the authentication mechanism + used for GCM, dates from 2011, and has used data-dependent + table lookups for performance. Those lookups imply a potential + side-channel leak. More recent assembly implementations of + GHASH that use the carry-less multiplication instruction, + available on certain platforms, don't suffer from this + problem. + + This release includes a rewrite of the C implementation of + GHASH as well as the plain x86_64 assembly version to use + precomputed tables in a different way, with tables always + accessed in the same sequential manner. + + This should make Nettle's GHASH implementation side-channel + silent on all platforms, but considerably slower on platforms + without carry-less mul instructions. E.g., benchmarks of the C + implementation on x86_64 showed a slowdown of 3 times. + + Bug fixes: + + * Fix bug in ecdsa and gostdsa signature verify operation, for + the unlikely corner case that point addition really is point + duplication. + + * Fix for chacha on Power7, nettle's assembly used an + instruction only available on later processors. Fixed by + Mamone Tarsha. + + * GHASH implementation should now be side-channel silent on + all architectures. + + * A few other portability fixes for *BSD. + + New features: + + * Support for the SM4 block cipher, contributed by Tianjia + Zhang. + + * Support for the Balloon password hash, contributed by Zoltan + Fridrich. + + * Support for SIV-GCM authenticated encryption mode, + contributed by Daiki Ueno. + + * Support for OCB authenticated encryption mode. + + * New exported functions md5_compress, sha1_compress, + sha256_compress, sha512_compress, based on patches from + Corentin Labbe. 
+ + Optimizations: + + * Improved sha256 performance, in particular for x86_64 and + s390x. + + * Use GMP's mpn_sec_tabselect, which is implemented in + assembly on many platforms, and delete the similar nettle + function. Gives a modest speedup to all ecc operations. + + * Faster poly1305 for x86_64 and ppc64. New ppc code + contributed by Mamone Tarsha. + + Miscellaneous: + + * New ASM_FLAGS variable recognized by configure. + + * Delete all arcfour assembly code. Affects 32-bit x86, 32-bit + and 64-bit sparc. + NEWS for the Nettle 3.8.1 release This is a bugfix release, fixing a few portability issues |
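Review bot: In the GHASH performance-regression paragraph, the scope of the slowdown is left ambiguous: the text says the C implementation and the plain x86_64 assembly were rewritten, but the only figure given is "benchmarks of the C implementation on x86_64 showed a slowdown of 3 times", and the later bug-fix bullet "GHASH implementation should now be side-channel silent on all architectures" can be read as if every platform changed. Suggest stating explicitly that the assembly versions using the carry-less multiplication instruction are unaffected and that the regression applies to platforms falling back on the rewritten C or plain x86_64 code, and consider folding the duplicated bug-fix bullet into that paragraph. Minor style point in the Bug fixes list: "Fix for chacha on Power7, nettle's assembly used an instruction only available on later processors." is a comma splice; e.g. "Fix for chacha on Power7: nettle's assembly used an instruction only available on later processors."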