[dm-devel] dm-crypt performance

Mikulas Patocka mpatocka at redhat.com
Tue Apr 9 18:08:59 UTC 2013



On Tue, 26 Mar 2013, Milan Broz wrote:

> - Are we sure we are not introducing another side channel in disc
> encryption? (Unprivileged user can measure timing here).
> (Perhaps stupid reason but please do not prefer performance to security
> in encryption. Enough we have timing attacks for AES implementations...)

So use serpent - it is implemented without any data-dependent lookup 
tables, so it has no timing attacks.

AES uses data-dependent lookup tables; on a CPU with hyperthreading, the
second thread can observe L1 cache footprint done by the first thread and 
get some information about data being encrypted...

Mikulas
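
The two access patterns contrasted in the message above, shown as an added example that is not part of the original e-mail and is not dm-crypt or kernel crypto code. It uses Serpent's 4-bit S-box S0; the bitsliced version is a generic minterm evaluation written for this illustration, not Serpent's optimized boolean formulas, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
/* Serpent S-box S0 (4 bits in, 4 bits out). */
static const uint8_t S0[16] = {3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12};

/* Table form: the load address depends on the secret nibble. This is the
 * data-dependent access pattern the message attributes to table-based AES. */
uint8_t sbox_table(uint8_t secret_nibble)
{
    return S0[secret_nibble & 0xf];
}

/* Bitsliced form: in[i] holds bit i of 32 independent nibbles, one per bit
 * lane. Only AND/OR/NOT on whole words are applied to secret data; loops,
 * branches and S0 reads are driven by the public counter x. */
void sbox_bitsliced(const uint32_t in[4], uint32_t out[4])
{
    out[0] = out[1] = out[2] = out[3] = 0;
    for (unsigned x = 0; x < 16; x++) {
        uint32_t match = 0xffffffffu;      /* lanes whose nibble equals x */
        for (unsigned i = 0; i < 4; i++)
            match &= ((x >> i) & 1) ? in[i] : ~in[i];
        for (unsigned j = 0; j < 4; j++)
            if ((S0[x] >> j) & 1)          /* public: depends on x only */
                out[j] |= match;
    }
}

/* Check helper: put nibble v in every lane, run the bitsliced S-box and
 * read lane 0 back. Returns 0xff if the lanes disagree. */
uint8_t sbox_bitsliced_one(uint8_t v)
{
    uint32_t in[4], out[4];
    uint8_t r = 0;
    for (unsigned i = 0; i < 4; i++)
        in[i] = ((v >> i) & 1) ? 0xffffffffu : 0;
    sbox_bitsliced(in, out);
    for (unsigned j = 0; j < 4; j++) {
        if (out[j] != 0 && out[j] != 0xffffffffu) return 0xff;
        r |= (uint8_t)((out[j] & 1) << j);
    }
    return r;
}

int main(void)
{
    for (unsigned v = 0; v < 16; v++)
        printf("%2u -> table %2u, bitsliced %2u\n", v,
               (unsigned)sbox_table((uint8_t)v), (unsigned)sbox_bitsliced_one((uint8_t)v));
}
```

Both forms compute the same permutation; the difference is that the second never uses secret data as a memory index, so its cache footprint is the same for every input.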



