<?xml version="1.0" encoding="iso-8859-1"?>

<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
<title type="text">Botan News</title>
<subtitle type="html"><![CDATA[
News and announcements about Botan
]]></subtitle>
<id>http://botan.randombit.net/news/index.atom</id>
<link rel="alternate" type="text/html" href="http://botan.randombit.net/news" />
<link rel="self" type="application/atom+xml" href="http://botan.randombit.net/news/index.atom" />


<author>
<name>Jack Lloyd</name>
<uri>http://botan.randombit.net/news/index.atom</uri>
<email>lloyd@randombit.net</email>
</author>
<rights>Copyright Jack Lloyd CC-By-ND 3.0</rights>
<generator uri="http://pyblosxom.sourceforge.net/" version="1.4.3 01/10/2008">
PyBlosxom http://pyblosxom.sourceforge.net/ 1.4.3 01/10/2008
</generator>

<updated>2010-03-09T15:58:00Z</updated>
<!-- icon?  logo?  -->

<entry>
<title type="html">1.9.4 adds SSL/TLS, GOST 34.10, XSalsa20, fault countermeasures, SIMD optimizations</title>
<category term="/releases" />
<id>http://botan.randombit.net/news/2010/03/09/1_9_4</id>
<updated>2010-03-09T15:58:00Z</updated>
<published>2010-03-09T15:58:00Z</published>
<link rel="alternate" type="text/html" href="http://botan.randombit.net/news/releases/1_9_4.html" />
<content type="html">
&lt;p&gt;&lt;a href = &quot;/download.html&quot;&gt;Botan 1.9.4&lt;/a&gt; has been released with a
wide variety of changes.&lt;/p&gt;

&lt;p&gt;Major new features include the merging of the previously standalone
SSLv3/TLSv1.0 implementation Ajisai into the source, and the addition
of the GOST 34.10-2001 ECC signature scheme and the XSalsa20 stream
cipher. New SIMD implementations for the IDEA and Noekeon block
ciphers dramatically improve performance on SSE2 processors, and the
XTS and CBC block cipher modes now join CTR and ECB in making use of
SIMD block cipher implementations.&lt;/p&gt;

&lt;p&gt;The ECC code previously relied on TR1&apos;s shared_ptr, which made
using it difficult on some platforms, particularly Windows. This code
has been modified so that shared_ptr is no longer used, and ECDSA/ECDH
are now built by default on Windows platforms.&lt;/p&gt;

&lt;p&gt;The PK_Signer class now verifies all signatures before releasing
them to the caller; this should help prevent a wide variety of fault
attacks, though it does have the downside of hurting signature
performance, particularly for DSA/ECDSA. Finding the right balance of
performance and safety in these operations is an ongoing project.&lt;/p&gt;

&lt;p&gt;A new configuration option, &lt;tt&gt;--gen-amalgamation&lt;/tt&gt;, creates a
pair of files (&lt;tt&gt;botan_all.cpp&lt;/tt&gt; and &lt;tt&gt;botan_all.h&lt;/tt&gt;) which
contain the contents of the library as it would have normally been
compiled based on the set configuration. This should ease the use of
botan in projects which do not wish to depend on an external
library.&lt;/p&gt;

&lt;p&gt;Another build-related change is that many headers intended only for
library-internal use are no longer installed.&lt;/p&gt;

&lt;p&gt;Smaller changes include the addition of a password hashing scheme
for user authentication needs, a SQLite encryption codec (contributed
by Olivier de Gaalon), and a block cipher cascade construction.&lt;/p&gt;
</content>
</entry>

<entry>
<title type="html">1.9.3: Adding AES-NI and format preserving encryption</title>
<category term="/releases" />
<id>http://botan.randombit.net/news/2009/11/19/1_9_3</id>
<updated>2009-11-20T03:59:00Z</updated>
<published>2009-11-20T03:59:00Z</published>
<link rel="alternate" type="text/html" href="http://botan.randombit.net/news/releases/1_9_3.html" />
<content type="html">
&lt;p&gt;Botan 1.9.3 was released this evening.&lt;/p&gt;

&lt;p&gt;A new engine, &lt;code&gt;aes_isa_eng&lt;/code&gt;, adds hooks for CPU-specific
implementations of AES. Currently supported is an implementation for
Intel&apos;s AES-NI; while no currently shipping CPU has support for &lt;a
href = &quot;http://en.wikipedia.org/wiki/AES_instruction_set&quot;&gt;AES-NI&lt;/a&gt;
yet, the code was tested using Intel&apos;s &lt;a href =
&quot;http://software.intel.com/en-us/articles/intel-software-development-emulator/&quot;&gt;SDE&lt;/a&gt;.
The engine may be extended in the future to support VIA&apos;s PadLock
instructions or other similar extensions.&lt;/p&gt;

&lt;p&gt;An implementation of format-preserving encryption (FPE) was
added. FPE allows for encrypting data in such a way that format
constraints are retained. An example which uses this to encrypt credit
card numbers with valid &lt;a href =
&quot;http://en.wikipedia.org/wiki/Luhn_algorithm&quot;&gt;Luhn checksums&lt;/a&gt; to
other credit card numbers with valid checksums is
&lt;a href = &quot;/examples/fpe.cpp&quot;&gt;available&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;An interface change in how X.509 certificates and PKCS #10
certificate requests are created now allows for using arbitrary hash
functions; previously the use of SHA-1 was hardcoded, which is
particularly undesirable given the currently known attacks on that
algorithm.&lt;/p&gt;

&lt;p&gt;The implementations of MARS, Skipjack, and AES were optimized to
varying degrees.&lt;/p&gt;

&lt;p&gt;The previous release added support for AltiVec but it was not
enabled unless a macro was set by hand. Now it is set by default if
the build is configured for a G4, G5, POWER6 or POWER7 processor (all
of which include AltiVec in all known configurations). A similar
mechanism sets macros indicating support for SSE2 and SSSE3 (though
SSSE3 is not currently used in the codebase), and for AES-NI.  Support
for a particular ISA extension can also be enabled at build time by
using the new &lt;code&gt;--with-isa-extension&lt;/code&gt; option to
&lt;code&gt;configure.py&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;The default build for Windows is now a DLL, mostly due to the much
smaller size of the resulting binary. This is particularly important
because this release also adds support for packaging botan using the
&lt;a href = &quot;http://www.jrsoftware.org/isinfo.php&quot;&gt;InnoSetup&lt;/a&gt; Windows
installer program. This should &lt;em&gt;definitely&lt;/em&gt; be considered
experimental, but seems to work. You can download an installer for
1.9.3 &lt;a href = &quot;/files/win32/botan-1.9.3.exe&quot;&gt;right now&lt;/a&gt;. Comments
on the quality of the Windows installer or ways it could be improved
would be heartily welcomed.&lt;/p&gt;
</content>
</entry>

<entry>
<title type="html">Botan 1.8.8 and 1.9.2</title>
<category term="/releases" />
<id>http://botan.randombit.net/news/2009/11/03/1_8_8_and_1_9_2</id>
<updated>2009-11-03T19:14:00Z</updated>
<published>2009-11-03T19:14:00Z</published>
<link rel="alternate" type="text/html" href="http://botan.randombit.net/news/releases/1_8_8_and_1_9_2.html" />
<content type="html">
&lt;p&gt;Botan 1.8.8 and 1.9.2 were released this afternoon.&lt;/p&gt;

&lt;p&gt;1.8.8 has only minor changes - the Skein-512 implementation was
updated to the tweaked 1.2 specification, and a bug that prevented the
use of the x86 bswap instruction was fixed.&lt;/p&gt;

&lt;p&gt;1.9.2 extends the SIMD work done so far in the 1.9 series with a
new type &lt;code&gt;SIMD_32&lt;/code&gt; which is a lightweight wrapper around SSE2
and AltiVec intrinsics (as well as a purely scalar version which will
work anywhere). The idea is to provide a convenient syntax for SIMD
operations that will compile down to code as efficient as normal
intrinsics code.&lt;/p&gt;

&lt;p&gt;The existing SSE2 Serpent code was modified to use this new type
with great success on the SSE2 side. However, some oddities remain in
the AltiVec version; for some reason GCC refuses to inline a particular
constructor, which causes a great deal of overhead. At the moment, it
actually appears to be faster to use the scalar implementation instead
of AltiVec or the regular C++ on both a G4 and G5 running Linux! While
a great testament to the superscalar power of these processors, it
hints that AltiVec unfettered by strange inlining problems would be
even faster.&lt;/p&gt;

&lt;p&gt;Partially unrolling the message expansion loop in SHA-1 and SHA-2
produced small but measurable speedups (around 5 to 10% on a
Core2).&lt;/p&gt;
</content>
</entry>

<entry>
<title type="html">Comments Enabled</title>
<category term="/announcements" />
<id>http://botan.randombit.net/news/2009/10/29/comments_enabled</id>
<updated>2009-10-29T13:59:00Z</updated>
<published>2009-10-29T13:59:00Z</published>
<link rel="alternate" type="text/html" href="http://botan.randombit.net/news/announcements/comments_enabled.html" />
<content type="html">
&lt;p&gt;The site has joined the 20th century and it is now possible to
leave comments on news items. Spam filtering on comments is provided
by &lt;a href = &quot;http://akismet.com/&quot;&gt;Akismet&lt;/a&gt;; I&apos;ve been using
Akismet for comments for a while on &lt;a href =
&quot;http://www.randombit.net/bitbashing/&quot;&gt;bitbashing&lt;/a&gt;, so far so
good.&lt;/p&gt;
</content>
</entry>

<entry>
<title type="html">1.9.1: Blue Midnight Wish, Skein 1.2, improved Python wrappers, and more</title>
<category term="/releases" />
<id>http://botan.randombit.net/news/2009/10/23/1_9_1</id>
<updated>2009-10-23T14:25:00Z</updated>
<published>2009-10-23T14:25:00Z</published>
<link rel="alternate" type="text/html" href="http://botan.randombit.net/news/releases/1_9_1.html" />
<content type="html">
&lt;p&gt;Botan 1.9.1 was &lt;a href = &quot;/download.html&quot;&gt;released&lt;/a&gt; today with
a slew of new features.&lt;/p&gt;

&lt;p&gt;An implementation of the SHA-3 candidate hash function &lt;a href =
&quot;http://ehash.iaik.tugraz.at/wiki/Blue_Midnight_Wish&quot;&gt;Blue Midnight
Wish&lt;/a&gt; has been added. Blue Midnight Wish is one of the fastest
functions of the round 2 candidates, processing well over 300 MB per
second on a Core2 processor; it runs about as fast as OpenSSL&apos;s
assembly implementation of SHA-1. The version in 1.9.1 is the
&apos;tweaked&apos; round 2 variant; as part of the NIST competition, at the
start of the second round all designers had a chance to make
modifications to their algorithms before the next phase of analysis
begins. Only the 512-bit variant of Blue Midnight Wish is included,
because it is much faster than the 256-bit version on modern
processors (and, presumably, is more secure).&lt;/p&gt;

&lt;p&gt;Another NIST round 2 tweak is for the implementation of Skein-512 -
the designers of Skein used a new search technique and found a new set
of rotation constants leading to much better diffusion in the algorithm.
These new rotation constants are now being used.&lt;/p&gt;

&lt;p&gt;The wrappers for other languages, especially Python, are greatly
improved. Documentation is currently sparse, but to build the
wrappers, use&lt;/p&gt;

&lt;pre&gt;
  $ ./configure.py --use-boost-python [other configure.py options]
  $ make check
     # normal library build
  $ make -f Makefile.python
     # builds _botan.so in build/botan-python
  $ make -f Makefile.python install
     # installs botan module into python site-packages
&lt;/pre&gt;

&lt;p&gt;&lt;a href = &quot;http://www.boost.org/doc/libs/1_40_0/libs/python/doc/&quot;&gt;
Boost.Python&lt;/a&gt; is required to build the Python wrappers. Some
examples of use can be found in &lt;code&gt;doc/python&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;An implementation of &lt;a href =
&quot;http://en.wikipedia.org/wiki/Secret_sharing&quot;&gt;threshold secret
sharing&lt;/a&gt; has been added, going off the recent internet draft
draft-mcgrew-tss-02.txt (&quot;Threshold Secret Sharing&quot;, David A. McGrew,
Praveen Patnala, Alfred Hoenes).&lt;/p&gt;

&lt;p&gt;Runtime CPU detection is now used on x86/x86-64 processors;
currently it is only used to check for the availability of SSE2 but
other uses may be added in the future (for instance, checking for the
existence of Intel&apos;s forthcoming AES-NI instructions). Additionally,
use of SSE2 implementations is now enabled under Visual C++ as well as
GNU C++ and Intel C++.&lt;/p&gt;

&lt;p&gt;XTEA was optimized, and is over twice as fast on an Intel Core2 or
AMD Opteron.&lt;/p&gt;
</content>
</entry>
</feed>
