)]}'
{
  "commit": "b3ac6bb39ad3f980dccae24dfacd97b6e3e57391",
  "tree": "dae189630ad5bae7961494590158ea2f4175be46",
  "parents": [
    "cbae965ca03825d517efe98cf7b8812584cab4a0"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Sun Oct 20 10:53:17 2019 -0400"
  },
  "committer": {
    "name": "CQ bot account: commit-bot@chromium.org",
    "email": "commit-bot@chromium.org",
    "time": "Fri Jan 03 16:41:59 2020 +0000"
  },
  "message": "Replace aes_nohw with a bitsliced implementation.\n\naes_nohw is currently one of several variable-time table-based\nimplementations in C or assembly (armv4, x86, and x86_64). Replace all\nof these with a C bitsliced implementation, with 32-bit, 64-bit, and\n128-bit (SSE2) variants. This is based on the algorithms described in:\n\nhttps://bearssl.org/constanttime.html#aes\nhttps://eprint.iacr.org/2009/129.pdf\nhttps://eprint.iacr.org/2009/191.pdf\n\nThis makes our AES implementation constant-time in all build\nconfigurations!\n\nThere were far too many benchmarks to put in the commit message.\nInstead, please refer to this fancy spreadsheet:\nhttps://docs.google.com/spreadsheets/d/1wDCzfkPl7brfjWJKq55awQjwCPhOYI8O7zSQZuEc2Xg/edit?usp=sharing\n\nParallel modes on x86 and x86_64 do fine due to the SSE2 code. AES-GCM\nactually gets faster. The 64-bit (4x) bitsliced implementation is less\neffective at speeding parallel modes but still helps. The 32-bit (2x)\nbitsliced implementation even less.\n\nNon-parallel modes, sadly, take a *dramatic* performance hit. I tried a\nconstant-time table lookup for comparison, but bitslicing was still\nbetter. This implementation performs comparably to the table in\nBearSSL's documentation, which suggests I didn't do anything obviously\nwrong. (Note BearSSL's table for 'ct' corresponds to a 32-bit bitsliced\nimplementation compiled for 64-bit. Compiling this implementation for\n64-bit matches, but compiling it for 32-bit seems to be considerably\nslower.)\n\nAssumptions that may make this palatable:\n\n- AES-GCM is by far the most important AES mode, and we perform okay\n with it. Modern things aren't built out of CBC.\n\n- A nontrivial chunk of Chrome users on Windows don't have SSSE3 and\n would be affected by this change. They would get the SSE2 version\n which performs well for AES-GCM *and* is constant-time.\n\n- ARM devices are primarily mobile which cycles hardware much faster.\n Chrome for Android has required NEON for several years now, so it\n would not run this code. (Aside from https://crbug.com/341598.)\n\n- aarch64 mandates NEON, so it would not run this code.\n\n- QUIC packet number encryption does use a one-off block operation, but\n only once per packet.\n\n- Arguably this is undoing a performance gain that we never earned. That\n said, it was a dramatic performance gain in places.\n\nAs an alternative, we could just check in the SSE2 version and drop the\nx86 and x86_64 table-based assembly, but this still leaves the generic\ncode with cache-timing side channels.\n\nChange-Id: I0f4b4467a49790509503c529d7c0940318096a00\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/39206\nCommit-Queue: Adam Langley <agl@google.com>\nReviewed-by: Adam Langley <agl@google.com>\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "64febae41715bdac063078ba526f640d31c0d818",
      "old_mode": 33188,
      "old_path": "crypto/cipher_extra/e_aesgcmsiv.c",
      "new_id": "d7175723cf0bcf390c98322eb4d3fbeee1447e98",
      "new_mode": 33188,
      "new_path": "crypto/cipher_extra/e_aesgcmsiv.c"
    },
    {
      "type": "modify",
      "old_id": "3081a41219144df834de9fcb893710929ae32ad8",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/CMakeLists.txt",
      "new_id": "a675fbdd54a4dd308f431c8189a915c1ed45497e",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/CMakeLists.txt"
    },
    {
      "type": "modify",
      "old_id": "48d60eeb648a274c62d841ae939130902784a716",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/aes/aes.c",
      "new_id": "f60281dfaf549b3467ed55edddd9ea577c890e1e",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/aes/aes.c"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "e3e4e285aa0a917c4618cc2a1033e9e9d21c8749",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/aes/aes_nohw.c"
    },
    {
      "type": "modify",
      "old_id": "4c913d3ca687cc52425d3a38542016afb34e0d99",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/aes/aes_test.cc",
      "new_id": "fd7ce24d24334bb9f9edd4291f8bccd9030e4f92",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/aes/aes_test.cc"
    },
    {
      "type": "delete",
      "old_id": "9b373de206433512734e5e44a053edaae7a25fd7",
      "old_mode": 33261,
      "old_path": "crypto/fipsmodule/aes/asm/aes-586.pl",
      "new_id": "0000000000000000000000000000000000000000",
      "new_mode": 0,
      "new_path": "/dev/null"
    },
    {
      "type": "delete",
      "old_id": "fbb199504e553307a1fe18980ce51fee2a49f3d7",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/aes/asm/aes-armv4.pl",
      "new_id": "0000000000000000000000000000000000000000",
      "new_mode": 0,
      "new_path": "/dev/null"
    },
    {
      "type": "delete",
      "old_id": "5b95785e0bc398a933116c90d938045fc47cc52d",
      "old_mode": 33261,
      "old_path": "crypto/fipsmodule/aes/asm/aes-x86_64.pl",
      "new_id": "0000000000000000000000000000000000000000",
      "new_mode": 0,
      "new_path": "/dev/null"
    },
    {
      "type": "modify",
      "old_id": "99d509a98394a80e4a1e6a3aae509b36139b01cc",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/aes/internal.h",
      "new_id": "5b806955032726ba30e9e3ee1d87ada370fea3ac",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/aes/internal.h"
    },
    {
      "type": "modify",
      "old_id": "ae8a91b1a6c535d39030ec1044a1e9faf2af1a04",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/aes/mode_wrappers.c",
      "new_id": "206fcfd49ec640d8a4f395c99c0a9e1ecac8ef32",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/aes/mode_wrappers.c"
    },
    {
      "type": "modify",
      "old_id": "7485f6ccd928a31f2524b7183baa862cc3bfbf70",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/bcm.c",
      "new_id": "567a0cdfa76d0e733d10be6104d5c3f10cdb7fce",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/bcm.c"
    },
    {
      "type": "modify",
      "old_id": "c6dd973a5aa2900a1bb7ccb2a73952f42d04d500",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/cipher/e_aes.c",
      "new_id": "8f4907f3a4a12681ab449131f2fb2f65a7bef2ba",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/cipher/e_aes.c"
    }
  ]
}