From 70cf88f2308ac03a7ee064f43f1cc2f6fe9fa536 Mon Sep 17 00:00:00 2001
From: Jeffrey Walton
Date: Thu, 13 Apr 2017 17:46:51 -0400
Subject: [PATCH] Apply S-box timing attack counter measures to ARIA

The ARIA S-boxes could leak timining information. This commit applies the counter measures present in Rijndael and Camellia to ARIA. We take a penalty of about 0.05 to 0.1 cpb. It equates to about 0 MiB/s on an ARM device, and about 2 MiB/s on a modern Skylake. We recently gained some performance though use of SSE and NEON in ProcessAndXorBlock, so the net result is an improvement.
---
 aria.cpp | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/aria.cpp b/aria.cpp
index 56b7b6d6..24865b8f 100644
--- a/aria.cpp
+++ b/aria.cpp
@@ -640,6 +640,20 @@ void ARIA::Base::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, b
 const byte *rk = reinterpret_cast(m_rk.data());
 word32 *t = const_cast(m_w.data()+20);
+ // Timing attack countermeasure. See comments in Rijndael for more details.
+ // We used Yun's 32-bit implementation, so we don't want to walk elements.
+ // In this case, we still want the byte oriented pointer to induce the flush.
+ const int cacheLineSize = GetCacheLineSize();
+ const byte *p = reinterpret_cast(S1);
+ unsigned int i;
+ volatile word32 _u = 0;
+ word32 u = _u;
+
+ for (i=0; i<256; i+=cacheLineSize)
+ u &= *(const word32 *)(void*)(p+i);
+ u &= *(const word32 *)(void*)(p+252);
+ t[0] |= u; t[1] |= u;
+
 #if CRYPTOPP_ENABLE_ARIA_SSSE3_INTRINSICS
 if (HasSSSE3()) {
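Review bot: The flush loop walks only the first 256 bytes of `S1`, yet the comment just above it says Yun's 32-bit tables are in use; if `S1` is declared as `word32[256]` as in that implementation, the table is 1024 bytes and the loop plus the `p+252` tail read touch only its first quarter, so lookups into the remaining entries (and into the other S-box tables the round function indexes) can still take a data-dependent cache miss, which is exactly what the countermeasure is meant to remove. The literal 256 appears to have been carried over from Camellia, whose S-box tables are byte arrays, which is why it is the right bound there and not here. Derive the bound from the table instead of a literal — `for (i=0; i<sizeof(S1); i+=cacheLineSize)` and `u &= *(const word32 *)(void*)(p+sizeof(S1)-sizeof(word32));` — and repeat the walk for every S-box table the block function reads, not just `S1`. I cannot see the declaration of `S1` in this hunk, so confirm its element type before changing the bound; `ProcessAndXorBlock` continues past the hunk.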