Fixslicing is a slightly different technique that is a little bit faster: https://eprint.iacr.org/2020/1123.pdf

Bitsliced/fixsliced AES remains painfully slow compared to lookup-based AES, but also to ciphers that can easily be implemented without side channels to start with.

So, my recommendation would be:

- Do you have hardware-accelerated, side-channel-free AES? Go use it.

- Are side channels part of your threat model? Do you think they are practical in the context of your application? (for the vast majority of cases, the honest answer is: they aren't) If this is the case, do NOT use AES or anything that would require bitslicing/fixslicing to be safe. ChaCha20 is likely to perform way better on that platform. Not to mention more recent alternatives.

- They are not? For some reason, you still want to use AES? Use a table-based implementation and don't worry about it. Yes, this is fine.

Don't take it the wrong way. Bitslicing/fixslicing are excellent mitigations against side channels. But AES+bitslicing shouldn't be your go-to choice.

Those of us interested in bitslicing may want to check out my – now 10 years old – pedagogical bitsliced implementation of the TEA block cipher.

https://web.archive.org/web/20110813104823/http://plaintext.crypto.lo.gy/article/378/untwisted-bit-sliced-tea-time

Code here: https://github.com/secYOUre/bstea

Anyone know of equivalent bitsliced MAC/cryptographic hash algorithms (or resources describing how that might work)? Also, am I right in saying the implementations described in the article are effectively 'CPU only', i.e. no memory accesses are performed beyond the initial loading of the input data into registers and writing the final result?