Side-channel attacks possible against AES implementation #4

@aarant

Description

In line 64 of nescient.crypto.aes, the following line:

x[j] = SBOX[x[j]]

is potentially vulnerable to a side-channel attack based on cache timing, because the time to look up an element of the SBOX is not truly constant.

Potential fixes for this include:

  • Forcing Nescient's AES implementation to access every element of the SBOX each time, slowing speed but mitigating this vulnerability.
  • Switching to hardware or OS-based AES instructions/implementations which are secure against side-channel attacks.
  • Adding an algorithm more resistant to timing attacks (i.e. ChaCha), specifying it as a default, and warning the user that side-channel attacks are possible when using AES.
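
The first fix listed above, as an added example (not nescient's code): a data-dependent table lookup next to a version that reads all 256 S-box entries and selects the wanted one with an arithmetic mask, so the memory access pattern no longer depends on the byte. The S-box is generated from GF(2^8) arithmetic here instead of being copied from the module; the function names and the mask trick are this example's own.

```python
"""Added example: table-indexed vs. access-all-entries S-box substitution."""


def _gf_mul(a, b):
    # Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    # Standard AES S-box: multiplicative inverse, then the affine transform.
    sbox = [0] * 256
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):  # x^254 == x^-1 in GF(2^8)
                inv = _gf_mul(inv, x)
        y = s = inv
        for _ in range(4):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            y = ((y << 1) | (y >> 7)) & 0xFF
            s ^= y
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def sub_byte_table(x):
    # The pattern from the issue: which cache line is touched depends on x.
    return SBOX[x]


def sub_byte_ct(x):
    # Touch every entry; pick the match with a branch-free mask.
    # (i ^ x) - 1 is negative only when i == x, so the shift yields 0xFF there.
    result = 0
    for i in range(256):
        mask = (((i ^ x) - 1) >> 8) & 0xFF
        result |= SBOX[i] & mask
    return result


def sub_bytes_ct(block):
    # Apply the access-all-entries substitution to a whole 16-byte state.
    return bytes(sub_byte_ct(b) for b in block)
```

A Python interpreter gives no timing guarantees of its own, so this shows the access-pattern idea rather than a hardened implementation.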
