Re: Don't use S-boxes!
From: Erwann ABALEA (erwann_at_abalea.com)
Date: Sat, 13 Nov 2004 18:03:39 +0100
On Sat, 13 Nov 2004, Randy Howard wrote:
> In article <email@example.com>, firstname.lastname@example.org
> > BRG wrote:
> > > If I am reading this correctly, his claim is not that AES is insecure
> > > but rather that particular _implementations_ of AES might be insecure
> > > because they might leak key bits when subject to timing attacks.
> > More than that: I'm saying that _typical_ software implementations of
> > AES _do_ leak key bits to the simplest conceivable timing attack. The
> > underlying problem is that it's hard to do an S-box lookup in constant
> > time on modern CPUs.
> Is there any impact on this approach working on systems with more than
> one processor (SMP or dual core) or with "virtual CPUs" (hyperthreading)
> as opposed to a conventional UP system? How about the effects of other
> application loads on a multitasking system impacting the results?
I ran the time.c program along with the 6 AES implementations present in
aesbench.tgz (devine, gladman, mks, openssl, gpg, tom), on several
machines, one of them being a dual Celeron 560. Patterns also appear on this
The "worst" case was the "devine" implementation on a Pentium III. 50% of
the key bytes showed a repetitive pattern.
--
Erwann ABALEA <email@example.com> - RSA PGP Key ID: 0x2D0EABD5
-----
ED> >:) You use canned laughter (c)... Are you *really* a dinosaur? I have my doubts...
-+-RG: Guide du Neueu Usenet - Prudence is the beginning of wisdom-+-
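One mitigation for the S-box lookup problem discussed in the quoted text, as an added example (my code, not from this thread, from aesbench.tgz, or from any of the six implementations tested): compute the AES S-box arithmetically in GF(2^8) with a fixed, input-independent sequence of masked operations and no memory access indexed by secret data. Function names are my own.

```c
#include <stdint.h>
/* Constant-time GF(2^8) multiply (AES polynomial x^8+x^4+x^3+x+1): no table and
 * no data-dependent branch, each conditional step is a mask derived from a bit. */
uint8_t gf_mul_ct(uint8_t a, uint8_t b)
{
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t use = (uint8_t)(0 - ((b >> i) & 1));  /* 0xff iff bit i of b is set */
        r ^= a & use;
        uint8_t carry = (uint8_t)(0 - (a >> 7));       /* 0xff iff a << 1 overflows */
        a = (uint8_t)((a << 1) ^ (carry & 0x1b));
    }
    return r;
}

/* a^254 = a^-1 in GF(2^8) (0 maps to 0), via a fixed chain of 7 squarings and
 * 6 multiplications, so the amount of work does not depend on the value of a. */
uint8_t gf_inv_ct(uint8_t a)
{
    uint8_t p = gf_mul_ct(a, a);   /* a^2 */
    uint8_t r = p;                  /* accumulates a^(2+4+8+16+32+64+128) */
    for (int i = 0; i < 6; i++) {
        p = gf_mul_ct(p, p);        /* a^4, a^8, ..., a^128 */
        r = gf_mul_ct(r, p);
    }
    return r;
}

static uint8_t rotl8(uint8_t x, int n) { return (uint8_t)((x << n) | (x >> (8 - n))); }
/* The AES S-box computed arithmetically: field inverse then the FIPS-197 affine
 * map, in place of a 256-byte table read indexed by secret-dependent data. */
uint8_t aes_sbox_ct(uint8_t x)
{
    uint8_t v = gf_inv_ct(x);
    return (uint8_t)(v ^ rotl8(v, 1) ^ rotl8(v, 2) ^ rotl8(v, 3) ^ rotl8(v, 4) ^ 0x63);
}
/* Self-check: x * inv(x) == 1 for every non-zero x, and the S-box output is a
 * permutation of the 256 byte values. Returns 1 on success, 0 on failure. */
int aes_sbox_ct_selfcheck(void)
{
    uint8_t seen[256] = {0};
    for (int x = 0; x < 256; x++) {
        uint8_t s = aes_sbox_ct((uint8_t)x);
        if (x != 0 && gf_mul_ct((uint8_t)x, gf_inv_ct((uint8_t)x)) != 1) return 0;
        if (seen[s]) return 0;   /* collision: not a permutation */
        seen[s] = 1;
    }
    return 1;
}
```

Each S-box evaluation costs dozens of field multiplications, so this is far slower than a table-driven implementation; the usual way to recover speed is to bitslice several blocks at once. A compiler may reintroduce data-dependent branches when optimising the masks, so the generated machine code still needs inspection.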