nil::crypto3::block::rijndael< KeyBits, BlockBits > Class Template Reference

Rijndael. AES competition winner.

#include <rijndael.hpp>


Classes

struct  stream_processor
 

Public Types

typedef policy_type::block_type block_type
 
typedef stream_endian::little_octet_big_bit endian_type
 
typedef policy_type::key_type key_type
 
typedef policy_type::round_constants_type round_constants_type
 
typedef policy_type::word_type word_type
 

Public Member Functions

block_type decrypt (const block_type &plaintext) const
 
block_type encrypt (const block_type &plaintext) const
 
 rijndael (const key_type &key)
 
virtual ~rijndael ()
 

Static Public Attributes

constexpr static const std::size_t block_bits = policy_type::block_bits
 
constexpr static const std::size_t block_words = policy_type::block_words
 
constexpr static const std::size_t key_bits = policy_type::key_bits
 
constexpr static const std::size_t key_words = policy_type::key_words
 
constexpr static const std::uint8_t rounds = policy_type::rounds
 
constexpr static const std::size_t word_bits = policy_type::word_bits
 
constexpr static const std::size_t word_bytes = policy_type::word_bytes
 

Protected Attributes

key_schedule_type decryption_key
 
key_schedule_type encryption_key
 

Detailed Description

template<std::size_t KeyBits, std::size_t BlockBits>
class nil::crypto3::block::rijndael< KeyBits, BlockBits >

Rijndael. AES competition winner.

Generic Rijndael cipher implementation. It contains the AES-standardized cipher modifications, with mechanisms that aim to prevent timing attacks and cache-line leakage attacks, and is optimized for the particular architecture used. The AES-standardized version comes in three variants: AES-128, AES-192, and AES-256.

The standard 128-bit block cipher. Many modern platforms offer hardware acceleration. However, on platforms without hardware support, AES implementations typically are vulnerable to side channel attacks. For x86 systems with SSSE3 but without AES-NI, crypto3 has an implementation which avoids known side channels.

This implementation is intended to be based on table lookups, which are known to be vulnerable to timing and cache-based side-channel attacks. Some countermeasures are used which may be helpful in some situations:

  • Only a single 256-word T-table is used, with rotations applied. Most implementations use 4 T-tables, which leak much more information via cache usage.
  • The TE and TD tables are computed at runtime to avoid flush+reload attacks using clflush. As different processes will not share the same underlying table data, an attacker can't manipulate another process's cache lines via their shared reference to the library's read-only segment.
  • Each cache line of the lookup tables is accessed at the beginning of each call to encrypt or decrypt. (See the Z variable below)

If available, SSSE3 or AES-NI is used instead of this version, as both are faster and immune to side-channel attacks.
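The three countermeasures listed above, sketched as an added example (this is not crypto3's own code): a single T-table built at run time, the other three classic tables derived from it by rotation, and a pass that reads every cache line before any key-dependent lookup. The names `make_te`, `te_rot` and `touch_all_lines`, the 64-byte cache line, and the way the accumulator `z` is masked are assumptions of this sketch.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>

using table_t = std::array<std::uint32_t, 256>;

// Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
static std::uint8_t gmul(std::uint8_t a, std::uint8_t b) {
    std::uint8_t p = 0;
    for (int i = 0; i < 8; ++i, b >>= 1) {
        if (b & 1) p ^= a;
        a = static_cast<std::uint8_t>((a << 1) ^ ((a & 0x80) ? 0x1B : 0x00));
    }
    return p;
}

// AES S-box: multiplicative inverse (x^254, with 0 -> 0), then the affine map.
static std::uint8_t sbox(std::uint8_t x) {
    std::uint8_t inv = 1;
    for (int i = 0; i < 254; ++i) inv = gmul(inv, x);
    std::uint8_t s = 0x63;
    for (int r = 0; r < 5; ++r)
        s ^= static_cast<std::uint8_t>((inv << r) | (inv >> (8 - r)));
    return s;
}

// Run-time table: lives in this process's own memory, not in a shared library page.
table_t make_te() {
    table_t te{};
    for (unsigned x = 0; x < 256; ++x) {
        const std::uint8_t s = sbox(static_cast<std::uint8_t>(x));
        const std::uint8_t s2 = gmul(s, 2), s3 = gmul(s, 3);
        te[x] = (std::uint32_t(s2) << 24) | (std::uint32_t(s) << 16) |
                (std::uint32_t(s) << 8) | s3;
    }
    return te;
}

// Single table: classic tables T1..T3 are T0 rotated right by n bytes (n in 0..3).
std::uint32_t te_rot(const table_t &te, std::uint8_t x, unsigned n) {
    return n == 0 ? te[x] : (te[x] >> (8 * n)) | (te[x] << (32 - 8 * n));
}

// Touch one word per cache line (assumed 64 bytes) before key-dependent lookups.
// te[0x52] is 0 because the S-box maps 0x52 to 0x00, so the result is always 0.
std::uint32_t touch_all_lines(const table_t &te, std::size_t line_bytes = 64) {
    std::uint32_t z = 0;
    for (std::size_t i = 0; i < te.size(); i += line_bytes / sizeof(te[0])) z |= te[i];
    return z & te[0x52];
}
```

Because the returned value is zero but depends on loads from a table the compiler cannot see at build time, it can be XORed into the cipher state without changing the result while keeping the loads from being optimized away.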

Some AES cache timing papers for reference:

Software mitigations to hedge AES against cache-based software side channel vulnerabilities

Cache Games - Bringing Access-Based Cache Attacks on AES to Practice

Cache-Collision Timing Attacks Against AES. Bonneau, Mironov

Template Parameters
KeyBits    Key length used in bits. Available values are: 128, 192, 256
BlockBits  Block length used in bits. Available values are: 128, 192, 256

Member Typedef Documentation

◆ block_type

template<std::size_t KeyBits, std::size_t BlockBits>
typedef policy_type::block_type nil::crypto3::block::rijndael< KeyBits, BlockBits >::block_type

◆ endian_type

template<std::size_t KeyBits, std::size_t BlockBits>
typedef stream_endian::little_octet_big_bit nil::crypto3::block::rijndael< KeyBits, BlockBits >::endian_type

◆ key_type

template<std::size_t KeyBits, std::size_t BlockBits>
typedef policy_type::key_type nil::crypto3::block::rijndael< KeyBits, BlockBits >::key_type

◆ round_constants_type

template<std::size_t KeyBits, std::size_t BlockBits>
typedef policy_type::round_constants_type nil::crypto3::block::rijndael< KeyBits, BlockBits >::round_constants_type

◆ word_type

template<std::size_t KeyBits, std::size_t BlockBits>
typedef policy_type::word_type nil::crypto3::block::rijndael< KeyBits, BlockBits >::word_type

Constructor & Destructor Documentation

◆ rijndael()

template<std::size_t KeyBits, std::size_t BlockBits>
nil::crypto3::block::rijndael< KeyBits, BlockBits >::rijndael ( const key_type & key )
inline

◆ ~rijndael()

template<std::size_t KeyBits, std::size_t BlockBits>
virtual nil::crypto3::block::rijndael< KeyBits, BlockBits >::~rijndael ( )
inline virtual

Member Function Documentation

◆ decrypt()

template<std::size_t KeyBits, std::size_t BlockBits>
block_type nil::crypto3::block::rijndael< KeyBits, BlockBits >::decrypt ( const block_type & plaintext ) const
inline

◆ encrypt()

template<std::size_t KeyBits, std::size_t BlockBits>
block_type nil::crypto3::block::rijndael< KeyBits, BlockBits >::encrypt ( const block_type & plaintext ) const
inline

Member Data Documentation

◆ block_bits

template<std::size_t KeyBits, std::size_t BlockBits>
constexpr static const std::size_t nil::crypto3::block::rijndael< KeyBits, BlockBits >::block_bits = policy_type::block_bits
static constexpr

◆ block_words

template<std::size_t KeyBits, std::size_t BlockBits>
constexpr static const std::size_t nil::crypto3::block::rijndael< KeyBits, BlockBits >::block_words = policy_type::block_words
static constexpr

◆ decryption_key

template<std::size_t KeyBits, std::size_t BlockBits>
key_schedule_type nil::crypto3::block::rijndael< KeyBits, BlockBits >::decryption_key
protected

◆ encryption_key

template<std::size_t KeyBits, std::size_t BlockBits>
key_schedule_type nil::crypto3::block::rijndael< KeyBits, BlockBits >::encryption_key
protected

◆ key_bits

template<std::size_t KeyBits, std::size_t BlockBits>
constexpr static const std::size_t nil::crypto3::block::rijndael< KeyBits, BlockBits >::key_bits = policy_type::key_bits
static constexpr

◆ key_words

template<std::size_t KeyBits, std::size_t BlockBits>
constexpr static const std::size_t nil::crypto3::block::rijndael< KeyBits, BlockBits >::key_words = policy_type::key_words
static constexpr

◆ rounds

template<std::size_t KeyBits, std::size_t BlockBits>
constexpr static const std::uint8_t nil::crypto3::block::rijndael< KeyBits, BlockBits >::rounds = policy_type::rounds
static constexpr

◆ word_bits

template<std::size_t KeyBits, std::size_t BlockBits>
constexpr static const std::size_t nil::crypto3::block::rijndael< KeyBits, BlockBits >::word_bits = policy_type::word_bits
static constexpr

◆ word_bytes

template<std::size_t KeyBits, std::size_t BlockBits>
constexpr static const std::size_t nil::crypto3::block::rijndael< KeyBits, BlockBits >::word_bytes = policy_type::word_bytes
static constexpr

The documentation for this class was generated from the following file: