lowRISC / opentitan

OpenTitan: Open source silicon root of trust
https://www.opentitan.org
Apache License 2.0

[crypto] Suggested AES driver changes #20308

Open vogelpi opened 10 months ago

vogelpi commented 10 months ago

Description

When investigating a cryptotest failure for AES I had a brief look at the AES driver of the cryptolib and I noted the following things that should probably be changed:


The engine always loads 2x256 bits of key material into the cipher core (happens once per block). If half of the bits are 0 (for 128-bit keys), it may be easier to extract key bits via profiling and SCA. Thus, it is preferred to fill the unused bits with randomness instead of 0. This is documented in the programmer's guide of AES:

"Anything can be written to the unused key registers of both shares, however, random data is preferred."


This function internally uses the aes_update() function which itself follows the recommended procedure in the programmer's guide of AES. However, otcrypto_aes() doesn't use aes_update() correctly. Namely, it should do

```c
// aes_update(NULL, input[0]);
// aes_update(NULL, input[1]);
// aes_update(output[0], input[2]);
// aes_update(output[1], input[3]);
```

instead of

```c
// aes_update(NULL, input[0]);
// aes_update(output[0], input[1]);
// aes_update(output[1], input[2]);
```

i.e. input and output are offset by two rather than one.

With the former, the AES engine will process input[1] while software reads output[0] and provides input[2]. This gives the best performance. With the latter (current implementation), software waits for output[0] to be ready, reads it, provides the new input[1] and then again waits for output[1]. Meaning always either software or the AES engine waits. But the two don't overlap their operations, which is bad for SCA hardening and performance.
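The following is an added example, not OpenTitan cryptolib code: a small software model of a two-deep engine pipeline (input register plus cipher core) with an aes_update()-style call that first collects the oldest finished block and then hands over the next input. Running the same four blocks through it with an input/output offset of one (the current call pattern) and of two (the recommended one) shows that both orderings produce correct output, but only the offset-of-two ordering ever keeps two blocks in flight, i.e. overlaps software and engine work. The block transform is a constructed placeholder (XOR with a constructed key plus a byte rotation), not AES, and the function names mock_engine_t, mock_aes_update() and run_with_offset() are assumptions of this example.

```c
/* Added example (not OpenTitan cryptolib code): model of a two-deep
 * AES-style pipeline used to compare aes_update() call orderings.  The
 * "cipher" is a constructed placeholder transform, not AES. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_BYTES 16
#define PIPE_DEPTH 2   /* input register + cipher core: two blocks in flight */
#define MAX_BLOCKS 8

typedef struct { uint8_t b[BLOCK_BYTES]; } block_t;

/* Engine model: a FIFO holding up to PIPE_DEPTH blocks awaiting output. */
typedef struct {
  block_t slot[PIPE_DEPTH];
  size_t count;
  size_t max_in_flight;       /* statistic: how much overlap the caller got */
  uint8_t key[BLOCK_BYTES];
} mock_engine_t;

/* Placeholder block transform (constructed, NOT AES): XOR with the key,
 * then rotate the bytes by one position. */
static block_t mock_cipher(const mock_engine_t *e, block_t in) {
  block_t out;
  for (size_t i = 0; i < BLOCK_BYTES; i++)
    out.b[(i + 1) % BLOCK_BYTES] = in.b[i] ^ e->key[i];
  return out;
}

static void mock_engine_init(mock_engine_t *e, const uint8_t key[BLOCK_BYTES]) {
  memset(e, 0, sizeof(*e));
  memcpy(e->key, key, BLOCK_BYTES);
}

/* Model of aes_update(dest, src): read the oldest finished block into *dest
 * (if dest != NULL), then give src to the engine (if src != NULL).
 * Returns 0 on success, -1 on a protocol error (read with nothing pending,
 * or write while the pipeline is full). */
static int mock_aes_update(mock_engine_t *e, block_t *dest, const block_t *src) {
  if (dest != NULL) {
    if (e->count == 0) return -1;
    *dest = mock_cipher(e, e->slot[0]);
    memmove(&e->slot[0], &e->slot[1], (e->count - 1) * sizeof(block_t));
    e->count--;
  }
  if (src != NULL) {
    if (e->count == PIPE_DEPTH) return -1;
    e->slot[e->count++] = *src;
  }
  if (e->count > e->max_in_flight) e->max_in_flight = e->count;
  return 0;
}

/* Push n_blocks through the model, where call i provides in[i] (if any) and
 * collects out[i - offset] (if any).  offset 1 is the current otcrypto_aes()
 * pattern, offset 2 the recommended one.  Every output is checked against
 * mock_cipher().  Returns the peak number of blocks in flight, or -1 if a
 * call violated the protocol or an output was wrong. */
static int run_with_offset(size_t offset, size_t n_blocks) {
  static const uint8_t key[BLOCK_BYTES] = {   /* constructed test key */
      0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,
      0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0};
  if (n_blocks > MAX_BLOCKS) return -1;
  mock_engine_t e;
  mock_engine_init(&e, key);
  block_t in[MAX_BLOCKS], out[MAX_BLOCKS];
  for (size_t i = 0; i < n_blocks; i++)                 /* constructed input */
    for (size_t j = 0; j < BLOCK_BYTES; j++) in[i].b[j] = (uint8_t)(i * 16 + j);

  for (size_t i = 0; i < n_blocks + offset; i++) {
    const block_t *src = (i < n_blocks) ? &in[i] : NULL;
    block_t *dest = (i >= offset) ? &out[i - offset] : NULL;
    if (mock_aes_update(&e, dest, src) != 0) return -1;
  }
  for (size_t i = 0; i < n_blocks; i++) {
    block_t expect = mock_cipher(&e, in[i]);
    if (memcmp(expect.b, out[i].b, BLOCK_BYTES) != 0) return -1;
  }
  return (int)e.max_in_flight;
}

int main(void) {
  printf("offset 1 (current):     peak blocks in flight = %d\n", run_with_offset(1, 4));
  printf("offset 2 (recommended): peak blocks in flight = %d\n", run_with_offset(2, 4));
  printf("offset 3 (overfills):   result = %d\n", run_with_offset(3, 4));
  return 0;
}
```

With four blocks, the offset-of-one ordering never has more than one block in the engine, so software and engine strictly alternate; the offset-of-two ordering reaches the pipeline depth of two. An offset of three fails because it tries to write a third input before any output has been collected, which is the same kind of protocol error a real driver must avoid.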

vogelpi commented 10 months ago

FYI @jadephilipoom @johannheyszl

jadephilipoom commented 9 months ago

Thanks Pirmin! Both of these changes seem like good ideas. I'll track them on the cryptolib milestone and assign myself for now (although I might not get to them immediately, so if anyone else wants to jump in feel free).