AES (FIPS 197) block cipher — single-block API.
Supports 128-bit, 192-bit, and 256-bit keys with 10, 12, and 14
rounds respectively. Modes (ECB / CBC / CTR / GCM / CCM / XTS)
live in super::modes, super::ccm, super::xts; the
streaming wrapper lives in super::ctx.
§⚠ Side-channel posture (evaluation-critical gap)
This module is the single largest open SCA gap on the
classical side. Roadmap entries
(arcana/doc/sca/countermeasures/aes.rst):
| Threat | Status | Roadmap item |
|---|---|---|
| SPA / SEMA on key schedule + S-box | vulnerable | T1-A — port fixsliced AES (Adomnicai-Peyrin TCHES 2021/1) |
| Cache-timing on shared L1 / L2 | vulnerable | Same T1-A. AES-NI / VAES is host-only (T5) |
| DPA / CPA on round-1 SubBytes | vulnerable | T2-G — first-order Boolean masking on top of fixsliced AES |
| Template attacks (incl. ML-DPA) | vulnerable | T2-G. ANSSI’s protected AES was broken end-to-end by ML-DPA in 2023 |
| DFA on last AES round | vulnerable | T4-AES-A — redundancy + infective countermeasure (deferred) |
§Cache-timing leak — concrete model
The SBOX array below is a 256-byte LUT. The first round of
AES indexes 16 bytes of state[i] ^ K[i]; observing which
cache lines (4 lines × 64 B = 256 B) are accessed reveals the
high bits of each byte of state[i] ^ K[i]. Combined T-table
implementations (which fold ShiftRows + MixColumns into 4 KiB
of pre-computed tables) leak more. References:
bernstein2005_aes_cache_timing (Bernstein, “Cache-timing attacks on AES”, 2005),
osvik2006cache_aes (Osvik, Shamir, Tromer, “Cache Attacks and Countermeasures: the Case of AES”, CT-RSA 2006).
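The model above, written out as an added Rust illustration (this is not the module's own code): the S-box is rebuilt from its FIPS 197 definition (GF(2^8) inverse plus affine map) so the block runs stand-alone, `leaked_line` shows which 64-byte line a naive `SBOX[state ^ key]` lookup touches and why only the top two index bits are exposed, and `sbox_ct` shows the shape of a lookup whose memory access pattern is independent of the input (every line is read on every call). The 64-byte line size and all function names are assumptions for the example.

```rust
// GF(2^8) multiplication with the AES reduction polynomial x^8+x^4+x^3+x+1.
fn gf_mul(mut a: u8, mut b: u8) -> u8 {
    let mut p = 0u8;
    for _ in 0..8 {
        if b & 1 != 0 {
            p ^= a;
        }
        let carry = a & 0x80;
        a <<= 1;
        if carry != 0 {
            a ^= 0x1b;
        }
        b >>= 1;
    }
    p
}

// Multiplicative inverse via a^254 (0 maps to 0, as FIPS 197 specifies).
fn gf_inv(a: u8) -> u8 {
    let mut result = 1u8;
    let mut base = a;
    let mut e = 254u32;
    while e > 0 {
        if e & 1 != 0 {
            result = gf_mul(result, base);
        }
        base = gf_mul(base, base);
        e >>= 1;
    }
    if a == 0 { 0 } else { result }
}

// Rebuild the 256-byte S-box (FIPS 197 §5.1.1) instead of pasting the table.
pub fn build_sbox() -> [u8; 256] {
    let mut s = [0u8; 256];
    for i in 0..256 {
        let x = gf_inv(i as u8);
        s[i] = x ^ x.rotate_left(1) ^ x.rotate_left(2) ^ x.rotate_left(3) ^ x.rotate_left(4) ^ 0x63;
    }
    s
}

// Assumed cache-line size; 256 bytes of table span exactly four such lines.
pub const LINE_BYTES: usize = 64;

/// Cache line a naive first-round lookup `SBOX[state ^ key]` touches.
/// Only index bits 7..6 select the line, so this is what a line-granular
/// observer learns about `state[i] ^ K[i]`: two bits per byte, nothing more.
pub fn leaked_line(state_byte: u8, key_byte: u8) -> usize {
    (state_byte ^ key_byte) as usize / LINE_BYTES
}

/// The 16 lines touched by one naive first round; the whole trace.
pub fn first_round_line_trace(state: &[u8; 16], key: &[u8; 16]) -> [usize; 16] {
    let mut trace = [0usize; 16];
    for i in 0..16 {
        trace[i] = leaked_line(state[i], key[i]);
    }
    trace
}

/// Constant-access-pattern S-box: read every entry and keep the wanted one
/// with a mask computed without branching on `x`. All four lines are touched
/// on every call, so the line trace no longer depends on the index.
pub fn sbox_ct(sbox: &[u8; 256], x: u8) -> u8 {
    let mut out = 0u8;
    for (i, &v) in sbox.iter().enumerate() {
        let diff = (i as u8) ^ x;
        // 0xFF when diff == 0, else 0x00: (0u16 - 1) >> 8 == 0xFF, otherwise < 0x100.
        let mask = ((diff as u16).wrapping_sub(1) >> 8) as u8;
        out |= v & mask;
    }
    out
}

fn main() {
    let sbox = build_sbox();
    // Constructed sample: all-zero plaintext block and a key whose bytes span the four lines.
    let state = [0u8; 16];
    let key: [u8; 16] = [0x00, 0x40, 0x80, 0xc0, 0x3f, 0x7f, 0xbf, 0xff, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0];
    println!("naive first-round line trace: {:?}", first_round_line_trace(&state, &key));
    println!("S(0x53) = 0x{:02x} via table, 0x{:02x} via sbox_ct", sbox[0x53], sbox_ct(&sbox, 0x53));
}
```

The trace printed for the sample key is `[0, 1, 2, 3, 0, 1, 2, 3, ...]`: it follows `key[i] >> 6` exactly because the state is zero, which is the two-bit-per-byte leak the paragraph describes. `sbox_ct` removes the data-dependent address but is roughly 256 times the work of a table read; the fixsliced approach named in the roadmap is the production-grade answer, this scan only makes the principle concrete.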
Until T1-A lands, this implementation must not be used in
deployments where a co-resident or near-shared-cache attacker
is in scope — shared hosting, multi-VM tenants, or any
bare-metal target with shared L1 between cryptographic and
untrusted code.