Apply S-box timing attack counter measures to ARIA

The ARIA S-boxes could leak timining information. This commit applies the counter measures present in Rijndael and Camellia to ARIA. We take a penalty of about 0.05 to 0.1 cpb. It equates to about 0 MiB/s on an ARM device, and about 2 MiB/s on a modern Skylake. We recently gained some performance though use of SSE and NEON in ProcessAndXorBlock, so the net result is an improvement.
2024-11-23 09:59:42 +00:00 · 2017-04-13 17:46:51 -04:00 · 2017-04-13 17:46:51 -04:00 · 70cf88f230
commit 70cf88f230
parent 65c3c63b52
1 changed files with 14 additions and 0 deletions
--- a/aria.cpp
+++ b/aria.cpp
@ -640,6 +640,20 @@ void ARIA::Base::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, b
 	const byte *rk = reinterpret_cast<const byte*>(m_rk.data());
 	word32 *t = const_cast<word32*>(m_w.data()+20);

+	// Timing attack countermeasure. See comments in Rijndael for more details.
+	// We used Yun's 32-bit implementation, so we don't want to walk elements.
+	// In this case, we still want the byte oriented pointer to induce the flush.
+	const int cacheLineSize = GetCacheLineSize();
+	const byte *p = reinterpret_cast<const byte*>(S1);
+	unsigned int i;
+	volatile word32 _u = 0;
+	word32 u = _u;
+
+	for (i=0; i<256; i+=cacheLineSize)
+		u &= *(const word32 *)(void*)(p+i);
+	u &= *(const word32 *)(void*)(p+252);
+	t[0] |= u; t[1] |= u;
+
 #if CRYPTOPP_ENABLE_ARIA_SSSE3_INTRINSICS
 	if (HasSSSE3())
 	{