author | Legrandin <helderijs@gmail.com> | 2014-03-23 18:46:55 +0100 |
committer | Dwayne Litzenberger <dlitz@dlitz.net> | 2014-06-22 23:38:31 -0700 |
commit | 947b554d85012cf35185ded38ef3484de010d2cf (patch) | |
tree | 8f1d16cc5a980d59dd7fadb70c1886009219ce5a /lib | |
parent | 0782d68840d0ebf850516e606e398b8a5396eb64 (diff) | |
Make GHASH more robust against timing attacks.
In order to speed up as much as possible the GHASH,
the current implementation expands the 16 byte hash key
(H) into a table of 64 KBytes. However, that is sensitive
to cache-based timing attacks.
If we assume that access to data inside the same cache line
is constant-time (likely), fitting a table item into a cache
line may help against the attacks.
This patch reduces the pre-computed table from 64K to 4K
and aligns every item to a 32 byte boundary (since most modern
CPUs have a cache line of that size or larger).
This patch will reduce the overall performance.
This patch also reverts commit 965871a727 ("GCM mode:
Optimize key setup for GCM mode") since I actually
got conflicting benchmark results.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/Crypto/Cipher/blockalgo.py | 13 |
1 files changed, 5 insertions, 8 deletions
diff --git a/lib/Crypto/Cipher/blockalgo.py b/lib/Crypto/Cipher/blockalgo.py
index 84b9bc3..db45404 100644
--- a/lib/Crypto/Cipher/blockalgo.py
+++ b/lib/Crypto/Cipher/blockalgo.py
@@ -329,17 +329,14 @@ class _GHASH(_SmoothMAC):
 (x^128 + x^7 + x^2 + x + 1).
 """
- def __init__(self, hash_subkey, block_size, table_size='64K'):
+ def __init__(self, hash_subkey, block_size):
 _SmoothMAC.__init__(self, block_size, None, 0)
- if table_size == '64K':
- self._hash_subkey = galois._ghash_expand(hash_subkey)
- else:
- self._hash_subkey = hash_subkey
+ self._hash_subkey = galois._ghash_expand(hash_subkey)
 self._last_y = bchr(0) * 16
 self._mac = galois._ghash
 def copy(self):
- clone = _GHASH(self._hash_subkey, self._bs, table_size='0K')
+ clone = _GHASH(self._hash_subkey, self._bs)
 _SmoothMAC._deep_copy(self, clone)
 clone._last_y = self._last_y
 return clone
@@ -436,7 +433,7 @@ class BlockAlgo:
 bchr(0) * fill +
 long_to_bytes(8 * len(self.nonce), 8))
- mac = _GHASH(hash_subkey, factory.block_size, '0K')
+ mac = _GHASH(hash_subkey, factory.block_size)
 mac.update(ghash_in)
 self._j0 = bytes_to_long(mac.digest())
@@ -446,7 +443,7 @@ class BlockAlgo:
 self._cipher = self._factory.new(key, MODE_CTR, counter=ctr)
 # Step 5 - Bootstrat GHASH
- self._cipherMAC = _GHASH(hash_subkey, factory.block_size, '64K')
+ self._cipherMAC = _GHASH(hash_subkey, factory.block_size)
 # Step 6 - Prepare GCTR cipher for GMAC
 ctr = Counter.new(128, initial_value=self._j0, allow_wraparound=True)
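Review bot: `copy()` in the first hunk now hands the already-expanded table `self._hash_subkey` back to `__init__`, which after this change unconditionally runs `galois._ghash_expand` on its argument; the `table_size='0K'` path that used to store the argument untouched is gone. Unless `_ghash_expand` accepts its own output (nothing here shows that), cloning a `_GHASH` now either fails or builds a table from the wrong bytes, and in the best case it re-expands the table on every copy. Keeping the raw key next to the table fixes this with two lines, `self._raw_subkey = hash_subkey` in `__init__` and `clone = _GHASH(self._raw_subkey, self._bs)` in `copy()`, at the cost of one table expansion per clone. The second and third hunks each expand the same `hash_subkey` again, once for the J0 computation and once for `self._cipherMAC`, so key setup now builds the 4K table twice; the `_GHASH` class docstring should record the table size and the cache-line alignment rationale from the commit message, since the code no longer shows why the 64K option went away. `__init__` and `copy()` are shown in full, but the `_GHASH` class and the enclosing `BlockAlgo` method in the later hunks continue outside what the diff shows.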