TRICL -- a timing attack resistant cryptographic library

My desire to write this library is based around two elements. First, there has been a long series of side channel attacks against cryptography, and no systematic attempt has been made to protect against such attacks. As a result, cryptographic libraries have spent the past decade in a cycle of "oops, a new attack has been discovered, we'd better fix that"; I don't like the idea of constantly chasing after problems, but would rather get things right the first time. Second, while working on my side channel attack against RSA on hyperthreaded systems, I was forced to read the large integer arithmetic code in OpenSSL; having significant experience in the area, I was rather less than impressed with the quality of the code, so I also had reason to want to develop a free replacement for OpenSSL.

I have established the following design principles for TRICL:

Whenever possible, routines should be immune to all known types of side channel attacks except those which require physical proximity to the hardware being attacked (e.g., power attacks). In particular, routines should avoid leaking any data to an attacker who can measure the time and location of every memory access performed. When complete immunity is not possible, the extent to which data is leaked must be clearly documented.
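The following C99 snippet is an added illustration of that principle and is not code from TRICL. It contrasts a table lookup indexed by a secret (the address touched reveals the index to anyone who can observe memory accesses) with a constant-time lookup that reads every entry in a fixed order and selects the wanted one by masking; it also shows a mask-based conditional swap and a comparison with no early exit. The table contents and the helper names (`lookup_leaky`, `lookup_ct`, `ct_mask_eq`, `ct_cswap`, `ct_memeq`) are constructed for this example.

```c
/*
 * Added example, not part of TRICL: constant-time selection and comparison.
 * The secret-dependent quantities never choose an address or a branch;
 * they only feed arithmetic that produces all-ones or all-zeros masks.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table; the values are arbitrary. */
#define TABLE_LEN 16
static const uint32_t table[TABLE_LEN] = {
    0x1001u, 0x2002u, 0x3003u, 0x4004u, 0x5005u, 0x6006u, 0x7007u, 0x8008u,
    0x9009u, 0xA00Au, 0xB00Bu, 0xC00Cu, 0xD00Du, 0xE00Eu, 0xF00Fu, 0x0110u
};

/* Leaky: which cache line is touched depends on secret_idx. */
uint32_t lookup_leaky(uint32_t secret_idx)
{
    return table[secret_idx];
}

/* Returns 0xFFFFFFFF if a == b and 0 otherwise, using no branch. */
uint32_t ct_mask_eq(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;                    /* zero iff a == b */
    uint32_t nz = (x | (0u - x)) >> 31;    /* 1 iff x != 0 */
    return nz - 1u;                        /* 0 -> all ones, 1 -> 0 */
}

/* Constant-time: every entry is read in the same order whatever secret_idx is. */
uint32_t lookup_ct(uint32_t secret_idx)
{
    uint32_t result = 0;
    for (uint32_t i = 0; i < TABLE_LEN; i++)
        result |= table[i] & ct_mask_eq(i, secret_idx);
    return result;
}

/* Swap *a and *b iff (swap_flag & 1) == 1, without a data-dependent branch. */
void ct_cswap(uint32_t *a, uint32_t *b, uint32_t swap_flag)
{
    uint32_t mask = 0u - (swap_flag & 1u);
    uint32_t t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

/* Returns 1 if x and y are equal over len bytes; always scans the whole length. */
int ct_memeq(const uint8_t *x, const uint8_t *y, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (uint8_t)(x[i] ^ y[i]);
    return acc == 0;
}

int main(void)
{
    uint32_t a = 7, b = 9;
    uint8_t p[4] = {1, 2, 3, 4}, q[4] = {1, 2, 3, 5};

    printf("leaky=%#x ct=%#x\n", lookup_leaky(5), lookup_ct(5));
    ct_cswap(&a, &b, 1);
    printf("after cswap: a=%u b=%u\n", a, b);
    printf("memeq(p,p)=%d memeq(p,q)=%d\n", ct_memeq(p, p, 4), ct_memeq(p, q, 4));
    return 0;
}
```

The cost of `lookup_ct` grows with the table size, which is the trade the "performance is less important than security" principle accepts. Note that an optimising compiler is free to turn mask arithmetic back into branches, so code of this kind has to be checked at the machine-code level rather than trusted from the source alone.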

Any time that a novel or little known algorithm or theorem is relied upon, it should be proven or a reference should be given. Arguments do not necessarily have to be entirely polished, but they should be of a quality approaching that required of those in a journal article.

The library should compile in C99, although optimized assembly language implementations of some routines may be included.

Performance is less important than security.

I am currently looking for funding to allow me to work on this. If you or your company would like to make a contribution, please contact me.

Source files (each is also available as Postscript and PDF):

local.h   (local_h.ps, local_h.pdf)
    Platform-specific definitions; at present, for gcc/FreeBSD only.

roots.c   (roots_c.ps, roots_c.pdf)
    Code to compute double-precision roots of unity. For 2 <= n <= 29, the 2^n-th roots of unity are computed in under 37/32 * 2^n FLOPS using a total of 512 bytes of precomputed tables, and the maximum absolute error is 1.5 * 2^(-53).

roots.h   (roots_h.ps, roots_h.pdf)
    Header file for roots.c.

fft.c     (fft_c.ps, fft_c.pdf)
    An in-place out-of-order split-radix recursive decimation-in-frequency FFT, based in part on ideas from djbfft.

fft.h     (fft_h.ps, fft_h.pdf)
    Header file for fft.c.

fftconv.c (fftconv_c.ps, fftconv_c.pdf)
    Support code for performing convolutions using the FFT given in fft.c. The maximum absolute error in a single complex element of a length-2^n convolution computed using this code is less than |x| |y| (14.3 n + 2.3) eps, where |x| and |y| are the Euclidean norms of the input vectors and eps = 2^(-53).

fftconv.h (fftconv_h.ps, fftconv_h.pdf)
    Header file for fftconv.c.

You can also browse the CVS source tree.