by sdevlin 4000 days ago
Building around S-box lookups also seems like a weird choice in 2015. I looked and couldn't find any considerations for cache-timing side channels. There really wasn't much advice for implementers at all.

I'm not sure this is a major vulnerability in practice, but it is strange not even to mention 10+ years of cache-timing attacks against AES.

1 comment
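To make the cache-timing concern above concrete, here is an added example (not from the thread or from the Kalyna specification) contrasting a plain S-box table lookup with a constant-time lookup that reads every entry and selects the wanted one by masking. The 16-entry S-box is constructed for illustration and is neither Kalyna's nor AES's table.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 4-bit S-box used only to demonstrate the technique;
 * the table contents do not matter for the access pattern. */
static const uint8_t SBOX[16] = {
    0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
    0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7
};

/* Direct table lookup: the address read depends on the secret index,
 * so which cache line is touched can leak information about the input. */
uint8_t sbox_lookup_table(uint8_t x)
{
    return SBOX[x & 0x0F];
}

/* Constant-time lookup: every entry is read on every call and the wanted
 * one is selected with a mask, so the memory access sequence is identical
 * for all inputs and no data-dependent branch is taken. */
uint8_t sbox_lookup_ct(uint8_t x)
{
    uint32_t idx = x & 0x0F;
    uint8_t result = 0;
    for (size_t i = 0; i < 16; i++) {
        uint32_t diff = (uint32_t)i ^ idx;
        /* (diff - 1) >> 31 is 1 only when diff == 0, i.e. i == idx */
        uint8_t mask = (uint8_t)(0u - ((diff - 1u) >> 31));
        result |= (uint8_t)(SBOX[i] & mask);
    }
    return result;
}

/* Returns 1 if the constant-time lookup agrees with the table lookup
 * for every possible byte input, 0 otherwise. */
int sbox_ct_matches_table(void)
{
    for (unsigned x = 0; x < 256; x++) {
        if (sbox_lookup_ct((uint8_t)x) != sbox_lookup_table((uint8_t)x))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("constant-time lookup matches table: %d\n", sbox_ct_matches_table());
    return 0;
}
```

The masked loop costs 16 reads per lookup instead of one, which is the usual price of removing secret-dependent memory addressing; bitsliced or vector-permute implementations are the common faster alternatives.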

Kalyna was the result of a public competition started in 2006 [1], so it mirrors design preferences of that time. There were 4 other candidates, some were broken, and none of them seem any more cache-timing resistant than Kalyna.

[1] https://www.sav.sk/journals/uploads/0317154006ogdr.pdf

Interesting notes, I didn't realize the competition was so old. Thanks!