Re: Don't use S-boxes!
From: Erwann ABALEA (erwann_at_abalea.com)
Date: 11/13/04
- Next message: David Wagner: "Re: Don't use S-boxes!"
- Previous message: David Wagner: "Re: COMP128 Test Vector"
- In reply to: Randy Howard: "Re: Don't use S-boxes!"
- Next in thread: D. J. Bernstein: "Re: Don't use S-boxes!"
- Reply: D. J. Bernstein: "Re: Don't use S-boxes!"
- Reply: karl_m_at_acm.org: "Re: Don't use S-boxes!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 13 Nov 2004 18:03:39 +0100
On Sat, 13 Nov 2004, Randy Howard wrote:
> In article <slrncp7p1b.105t.usenet@stoneport.math.uic.edu>, djb@cr.yp.to
> says...
> > BRG wrote:
> > > If I am reading this correctly, his claim is not that AES is insecure
> > > but rather that particular _implementations_ of AES might be insecure
> > > because they might leak key bits when subject to timing attacks.
> >
> > More than that: I'm saying that _typical_ software implementations of
> > AES _do_ leak key bits to the simplest conceivable timing attack. The
> > underlying problem is that it's hard to do an S-box lookup in constant
> > time on modern CPUs.
>
> Is there any impact on this approach working on systems with more than
> one processor (SMP or dual core) or with "virtual CPUs" (hyperthreading)
> as opposed to a conventional UP system? How about the effects of other
> application loads on a multitasking system impacting the results?
I ran the time.c program along with the 6 AES implementations present in
aesbench.tgz (devine, gladman, mks, openssl, gpg, tom) on several
machines, one of them being a dual Celeron 560. Patterns also appear on this
machine.
The "worst" case was the "devine" implementation on a Pentium III. 50% of
the key bytes showed a repetitive pattern.
--
Erwann ABALEA <erwann@abalea.com> - RSA PGP Key ID: 0x2D0EABD5
-----
ED> >:) You use canned laughter (c)... Are you *really* a dinosaur? I have my doubts...
-+-RG: Guide for the Usenet Newbie - Caution is the beginning of wisdom-+-
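The quoted point from djb is that a plain `sbox[x]` lookup touches a memory address that depends on the secret byte `x`, so cache behaviour (and hence timing) varies with the key. The added example below is not part of this thread, of time.c, or of any of the aesbench implementations: it generates the AES S-box from its GF(2^8) definition, shows the data-dependent lookup beside a constant-time variant that reads all 256 entries and selects with a branch-free mask, and checks that both return the same values. The function names (`build_sbox`, `sbox_lookup_table`, `sbox_lookup_ct`, `verify_ct_matches_table`) are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* The AES S-box, filled in by build_sbox(); generated rather than
 * written out as a literal so the example is self-contained. */
uint8_t sbox[256];

/* Multiply in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        uint8_t hi = a & 0x80;
        a = (uint8_t)(a << 1);
        if (hi) a ^= 0x1b;
        b >>= 1;
    }
    return p;
}

/* Multiplicative inverse: a^254 = a^-1 in GF(2^8); maps 0 to 0. */
static uint8_t gf_inv(uint8_t a) {
    uint8_t r = 1;
    for (int i = 0; i < 254; i++) r = gf_mul(r, a);
    return r;
}

static uint8_t rotl8(uint8_t x, int n) {
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* S-box = affine transform of the field inverse, constant 0x63. */
void build_sbox(void) {
    for (int i = 0; i < 256; i++) {
        uint8_t q = gf_inv((uint8_t)i);
        sbox[i] = (uint8_t)(q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63);
    }
}

/* The "typical" lookup: the address read depends on the secret x, so
 * which cache line is touched (and how long the access takes) leaks x. */
uint8_t sbox_lookup_table(uint8_t x) {
    return sbox[x];
}

/* Constant-time lookup: read every entry regardless of x and keep the one
 * whose index matches, using a mask computed without a branch. Memory
 * access pattern and instruction count are independent of x.
 * Caveat: an optimising compiler can in principle rewrite this; for
 * production code, inspect the generated assembly. */
uint8_t sbox_lookup_ct(uint8_t x) {
    uint8_t result = 0;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t diff = i ^ (uint32_t)x;          /* 0 only when i == x */
        uint32_t is_zero = (diff - 1u) >> 31;      /* 1 when diff == 0, else 0 */
        uint8_t mask = (uint8_t)(0u - is_zero);    /* 0xff or 0x00 */
        result |= (uint8_t)(sbox[i] & mask);
    }
    return result;
}

/* Returns 1 when the constant-time lookup agrees with the table for all x. */
int verify_ct_matches_table(void) {
    build_sbox();
    for (int x = 0; x < 256; x++) {
        if (sbox_lookup_ct((uint8_t)x) != sbox_lookup_table((uint8_t)x)) return 0;
    }
    return 1;
}

int main(void) {
    printf("constant-time lookup matches table: %s\n",
           verify_ct_matches_table() ? "yes" : "no");
    printf("S[0x00]=%02x S[0x01]=%02x S[0xff]=%02x\n",
           sbox_lookup_ct(0x00), sbox_lookup_ct(0x01), sbox_lookup_ct(0xff));
    return 0;
}
```

The full-scan lookup costs 256 reads per byte instead of one, which is why fast implementations prefer bitsliced or hardware (AES-NI) S-boxes; the point here is only that the leak described in the thread comes from the data-dependent address, and removing that dependency is what a constant-time design has to achieve.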