TRICL -- a timing attack resistant cryptographic library

Tricl (pronounced "treacle") is my idea for a new cryptographic library, designed from the ground up to be resistant to all possible timing attacks (both known and yet to be discovered) by relying upon oblivious algorithms whenever possible. The name is an acronym for "timing resistance inspired cryptographic library".

My desire to write this library is based around two elements. First, there has been a long series of side channel attacks against cryptography, and no systematic attempt has been made to protect against such attacks. As a result, cryptographic libraries have spent the past decade in a cycle of "oops, a new attack has been discovered, we'd better fix that"; I don't like the idea of constantly chasing after problems, but would rather get things right the first time. Second, while working on my side channel attack against RSA on hyperthreaded systems, I was forced to read the large integer arithmetic code in OpenSSL; having significant experience in the area, I was rather less than impressed with the quality of the code, so I also had reason to want to develop a free replacement for OpenSSL.

I have established the following design principles for TRICL:

I am currently looking for funding to allow me to work on this. If you or your company would like to make a contribution, please contact me.

The following files have been released so far:
Source file Postscript PDF Description
local.h local_h.pdf Platform-specific definitions; at present, for gcc/FreeBSD only.
roots.c roots_c.pdf Code to compute double-precision roots of unity. For 2 <= n <= 29, the 2^n th roots of unity are computed in under 37/32 * 2^n FLOPS using a total of 512 bytes of precomputed tables, and the maximum absolute error is 1.5 * 2^(-53).
roots.h roots_h.pdf Header file for roots.c.
fft.c fft_c.pdf An in-place out-of-order split-radix recursive decimation-in-frequency FFT, based in part on ideas from djbfft.
fft.h fft_h.pdf Header file for fft.c.
fftconv.c fftconv_c.pdf Support code for performing convolutions using the FFT given in fft.c. The maximum absolute error in a single complex element of a length-2^n convolution computed using this code is less than |x| |y| (14.3 n + 2.3) eps, where |x| and |y| are the Euclidean norms of the input vectors and eps = 2^(-53).
fftconv.h fftconv_h.pdf Header file for fftconv.c.

You can also browse the CVS source tree.