[Ach] Cipher-Order: AES128/AES256 - was: Secure E-Mail Transport based on DNSSec/TLSA/DANE

Aaron Zauner azet at azet.org
Mon Nov 9 14:46:00 CET 2015

Terje Elde wrote:
> Possibly, not probably.  Depends on the leak really.  For timing-attacks for example, susceptibility would depend not only on the algorithm, but the specific implementation of it.

Sure. I wasn't really thinking about timing attacks but rather emission
security, differential power analysis etc. - for timing attacks modern
implementations have constant time code for most ciphers (especially
well audited for AES and its various block-cipher modes). Can't say the
same thing for other ciphers; some are intentionally constant-time (e.g.

Take OpenSSL for example; while you'll regularly see performance and
security improvements with their optimized assembly, you won't see a lot
of change w.r.t. CAMELLIA:

3-5 year old code (1.0.1p branch):

last updated a year ago (1.0.1p branch):

You might also notice the lacking platform support for non-x86.

> If there’s ever an attack against hardware-implementations in a CPU (AESNI, similar from AMD etc), it’s very unlikely that it’d affect anything but AES, especially given that it’s typically the only symmetric block cipher that’s catered for.

That would likely affect GCM in general. More details on AESNI:
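The point raised above, that timing leakage is a property of the implementation rather than of the algorithm, can be shown without any cipher at all. The following is an added illustration written for this post, not code from the thread's participants or from OpenSSL. It compares two functions that check a MAC tag: a naive early-exit comparison whose amount of work depends on how many leading bytes match, and a constant-time one that always touches every byte. Instead of measuring wall-clock time (which is noisy and, in Python, not meaningful for constant-time guarantees anyway), each function also reports how many bytes it examined; the function names, the instrumented return value and the sample tag are all constructed for this example.

```python
"""Added example: leakage depends on the implementation, not the algorithm.

Both compare functions return the same boolean for the same input, but the
naive one stops at the first mismatching byte, so its work (and in native
code its running time) depends on the secret. The constant-time version
does the same amount of work for every input. The 'examined' counter is an
instrumented stand-in for timing so the difference can be seen
deterministically.
"""
import hmac


def naive_compare(a: bytes, b: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined)."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:          # work stops here: leaks the matching prefix length
            return False, examined
    return True, examined


def constant_time_compare(a: bytes, b: bytes):
    """Accumulate differences with XOR/OR; always examines every byte."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y       # no data-dependent branch inside the loop
    return diff == 0, examined


def work_profile(compare, expected: bytes, guesses):
    """How much work 'compare' does for each guess against 'expected'."""
    return [compare(expected, g)[1] for g in guesses]


# Constructed 16-byte tag for the demo (not a real key or MAC output).
EXPECTED_TAG = bytes(range(0xA0, 0xB0))


def demo():
    """Return (naive_profile, constant_time_profile) for inputs that share
    0, 1, 4, 8 and 16 leading bytes with the expected tag."""
    guesses = [
        bytes(16),
        EXPECTED_TAG[:1] + bytes(15),
        EXPECTED_TAG[:4] + bytes(12),
        EXPECTED_TAG[:8] + bytes(8),
        EXPECTED_TAG,
    ]
    return (work_profile(naive_compare, EXPECTED_TAG, guesses),
            work_profile(constant_time_compare, EXPECTED_TAG, guesses))


if __name__ == "__main__":
    naive, ct = demo()
    print("naive (work grows with matching prefix):", naive)
    print("constant-time (flat):                   ", ct)
    # In real code use the standard library's constant-time comparison:
    print("hmac.compare_digest:", hmac.compare_digest(EXPECTED_TAG, EXPECTED_TAG))
```

The same algorithm (byte-wise equality) gives a flat work profile in one implementation and a secret-dependent one in the other, which is exactly why auditing the implementation, as the post says has been done for AES in OpenSSL, matters more than the choice of primitive. For production code the standard library's `hmac.compare_digest` should be used rather than a hand-rolled loop.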

