Block cipher modes of operation: ECB, CBC, CTR, GCM (NIST SP 800-38A, and SP 800-38D for GCM).

These modes are generic over any type implementing BlockCipher. GCM is restricted to 128-bit block ciphers (i.e., AES).
§Side-channel posture

- Tag verification on GCM decrypt uses silentops::ct_eq (constant-time, no early exit on the first differing byte).
- The GHASH multiplier (gf128_mul) is the SCA target on GCM: the carry-less multiplication over GF(2^128) is implemented in software and may leak through cache-line / shift patterns. Roadmap item T2-H (see arcana/doc/sca/countermeasures/aes.rst): replace it with a CT carry-less multiplier on host (PCLMULQDQ / PMULL backend) and a bitsliced fallback on embedded.
- The underlying AES inherits all the cache-timing surface documented in super::aes (roadmap item T1-A). Until that ships, every GCM / CCM / CBC / CTR call leaks the AES key to a co-resident attacker.
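The two points the module description and the posture notes rely on, written out as an added example that is not this crate's code: CTR mode implemented generically over a block-cipher trait (so one routine serves any block size 128 cipher, and encrypt and decrypt are the same call), and a tag comparison with no early exit next to the naive early-exit compare it replaces. The BlockCipher trait shape, the ToyCipher, the nonce || 32-bit counter layout and the ct_eq / verify_tag functions below are assumptions made for this example; they are not the crate's BlockCipher trait, silentops::ct_eq, or the real AES.

```rust
// Added example, not the crate's own code. The trait, the toy cipher and the
// comparison helpers are illustrative assumptions, not the crate's real API.

/// Minimal block-cipher abstraction (hypothetical; stands in for the crate's trait).
pub trait BlockCipher {
    const BLOCK_SIZE: usize;
    fn encrypt_block(&self, block: &mut [u8]);
    fn decrypt_block(&self, block: &mut [u8]);
}

/// Toy 128-bit "cipher": XOR with the key, then rotate bytes left by one.
/// Constructed only so the example runs offline; it provides no security.
pub struct ToyCipher {
    key: [u8; 16],
}

impl ToyCipher {
    pub fn new(key: [u8; 16]) -> Self {
        ToyCipher { key }
    }
}

impl BlockCipher for ToyCipher {
    const BLOCK_SIZE: usize = 16;
    fn encrypt_block(&self, block: &mut [u8]) {
        debug_assert_eq!(block.len(), Self::BLOCK_SIZE);
        for (b, k) in block.iter_mut().zip(self.key.iter()) {
            *b ^= k;
        }
        block.rotate_left(1);
    }
    fn decrypt_block(&self, block: &mut [u8]) {
        debug_assert_eq!(block.len(), Self::BLOCK_SIZE);
        block.rotate_right(1);
        for (b, k) in block.iter_mut().zip(self.key.iter()) {
            *b ^= k;
        }
    }
}

/// CTR mode (SP 800-38A) over a 128-bit block cipher. Counter block layout
/// (assumed here): 12-byte nonce || 32-bit big-endian counter starting at
/// `initial_counter`. Encryption and decryption are the same XOR, so this one
/// function serves both directions. The last block may be partial.
pub fn ctr_encrypt<C: BlockCipher>(cipher: &C, nonce: &[u8; 12], initial_counter: u32, data: &mut [u8]) {
    assert_eq!(C::BLOCK_SIZE, 16, "this counter layout assumes a 128-bit block");
    let mut counter = initial_counter;
    for chunk in data.chunks_mut(C::BLOCK_SIZE) {
        let mut keystream = [0u8; 16];
        keystream[..12].copy_from_slice(nonce);
        keystream[12..].copy_from_slice(&counter.to_be_bytes());
        cipher.encrypt_block(&mut keystream);
        for (d, k) in chunk.iter_mut().zip(keystream.iter()) {
            *d ^= k;
        }
        // A wrapped counter would repeat keystream under the same nonce; the caller
        // is responsible for bounding message length so this never happens.
        counter = counter.wrapping_add(1);
    }
}

/// The pattern to avoid: returns at the first differing byte, so the running
/// time reveals how many leading tag bytes were correct.
pub fn naive_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    for i in 0..a.len() {
        if a[i] != b[i] {
            return false; // early exit
        }
    }
    true
}

/// Constant-time equality: every byte is visited and the differences are OR-ed
/// together, then folded to a bool without a data-dependent branch.
/// Lengths are public, so the length check may return early.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    // diff == 0  -> (0 - 1) as u16 = 0xFFFF, bit 8 set -> true
    // diff != 0  -> diff - 1 < 256, bit 8 clear -> false
    (((diff as u16).wrapping_sub(1) >> 8) & 1) == 1
}

/// GCM-style acceptance check: on mismatch the caller gets an error and must
/// discard any plaintext it has buffered rather than release it.
pub fn verify_tag(expected: &[u8; 16], received: &[u8]) -> Result<(), &'static str> {
    if ct_eq(expected, received) {
        Ok(())
    } else {
        Err("tag mismatch")
    }
}

fn main() {
    let cipher = ToyCipher::new([0x42; 16]);
    let nonce = [0u8; 12];
    let mut msg = b"constructed sample plaintext".to_vec();
    ctr_encrypt(&cipher, &nonce, 1, &mut msg);
    println!("ciphertext: {:02x?}", msg);
    ctr_encrypt(&cipher, &nonce, 1, &mut msg); // same call decrypts
    println!("recovered : {}", String::from_utf8_lossy(&msg));
    println!("tags equal: {}", ct_eq(&[1u8; 16], &[1u8; 16]));
}
```

The generic signature is the point of the CTR function: nothing in it depends on the toy cipher, so swapping in a real AES type that implements the same trait changes no mode code, which is also why the AES cache-timing surface noted above flows straight through to every mode built on it.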
Structs§

- Gcm - GCM (Galois/Counter Mode) for 128-bit block ciphers (i.e., AES).
Functions§

- cbc_decrypt - Decrypt data in CBC mode.
- cbc_encrypt - Encrypt data in CBC mode.
- ctr_encrypt - Encrypt (or decrypt) data in CTR mode.
- ecb_decrypt - Decrypt data in ECB mode.
- ecb_encrypt - Encrypt data in ECB mode (each block encrypted independently).