Re: Don't use S-boxes!
Date: 18 Nov 2004 15:59:31 -0800
"David Wagner" <firstname.lastname@example.org> wrote in message
> karl malbrain wrote:
> >The issue is a version of AES that can be implemented that
> >timing attacks.
> That's trivial to achieve. The real issue is whether it is possible
> to implement AES in a way that withstands timing attacks *and* is
> efficient, where "relatively efficient" means "not too much slower
> best existing (non-constant-time) AES implementations".
> Comparing to a very slow existing non-constant-time implementation is
> not interesting. You have to compare to the best existing
> to get a meaningful comparison -- or, you have to report absolute
> numbers in some accepted metric (e.g., cycles/byte).
The specific values of cycles-per-byte for the encryption function with
a pre-expanded key increased from 375 to 750 cycles per byte on my
reference implementations. While I believe from assembly code
inspection the code has a constant length with process only jumps and
running through the entire S-box table 8 times per byte-transform, the
resultant cycles per byte timings are not constant for some unknown
Meanwhile, I'm having a major problem.
I'm unable to duplicate the published attack, and frankly don't
how the "simple cache-timing attack on AES" keeps the S-box values out of
the cache for reload-timings during its run-after-run collections of
cycle counts. Perhaps Professor Bernstein has not implemented
something correctly, or has a hardware misconfiguration where the Level
1 or Level 2 cache is turned off. Has anyone been able to duplicate
his result? I'll post sample code on my web site shortly.
Thanks, Karl m
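The two lookup styles the thread is arguing about, as an added example that is not Karl Malbrain's or David Wagner's code and not the implementation whose cycle counts are reported above: the AES S-box is generated at start-up from GF(2^8) arithmetic, then each byte is substituted either by the ordinary indexed load (whose cache-line footprint depends on the secret byte) or by a full scan over all 256 entries with an arithmetic select mask. The scan variant is the "run through the entire S-box table" idea, done here once per byte rather than the eight passes the post describes; function names, the constructed 4096-byte input, and the use of clock() ticks in place of a cycle counter are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

static uint8_t sbox[256];
static int sbox_ready = 0;

/* Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        uint8_t carry = a & 0x80;
        a = (uint8_t)(a << 1);
        if (carry) a ^= 0x1b;
        b >>= 1;
    }
    return p;
}

/* a^-1 = a^254 in GF(2^8); 0 maps to 0, as the AES S-box requires. */
static uint8_t gf_inv(uint8_t a)
{
    uint8_t r = 1, base = a;
    for (int e = 254; e; e >>= 1) {
        if (e & 1) r = gf_mul(r, base);
        base = gf_mul(base, base);
    }
    return r;
}

/* Build the S-box lazily: inverse followed by the AES affine map
 * x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4) ^ 0x63. */
static void ensure_sbox(void)
{
    if (sbox_ready) return;
    for (int i = 0; i < 256; i++) {
        uint8_t x = gf_inv((uint8_t)i), y = x;
        for (int k = 1; k <= 4; k++)
            y ^= (uint8_t)((x << k) | (x >> (8 - k)));
        sbox[i] = y ^ 0x63;
    }
    sbox_ready = 1;
}

/* Naive lookup: the load address depends on x, so the cache line that is
 * fetched (and its hit/miss timing) leaks information about x. */
uint8_t sub_byte_naive(uint8_t x)
{
    ensure_sbox();
    return sbox[x];
}

/* Constant-time lookup: read all 256 entries in the same order whatever x
 * is, and keep only the entry whose index equals x via an arithmetic mask. */
uint8_t sub_byte_scan(uint8_t x)
{
    ensure_sbox();
    uint8_t out = 0;
    for (unsigned i = 0; i < 256; i++) {
        /* mask is 0xff exactly when i == x, with no data-dependent branch */
        uint32_t diff = (i ^ x) & 0xffu;
        uint8_t mask = (uint8_t)((diff - 1u) >> 8);
        out |= (uint8_t)(sbox[i] & mask);
    }
    return out;
}

/* Returns 1 if the scan agrees with the direct table for every input byte. */
int scan_matches_table(void)
{
    for (int x = 0; x < 256; x++)
        if (sub_byte_scan((uint8_t)x) != sub_byte_naive((uint8_t)x)) return 0;
    return 1;
}

int main(void)
{
    /* Constructed input: 4096 bytes with a simple arithmetic pattern. */
    enum { N = 4096, REPS = 200 };
    static uint8_t buf[N];
    for (int i = 0; i < N; i++) buf[i] = (uint8_t)(i * 7 + 3);

    volatile uint8_t sink = 0;
    clock_t t0 = clock();
    for (int r = 0; r < REPS; r++)
        for (int i = 0; i < N; i++) sink ^= sub_byte_naive(buf[i]);
    clock_t t1 = clock();
    for (int r = 0; r < REPS; r++)
        for (int i = 0; i < N; i++) sink ^= sub_byte_scan(buf[i]);
    clock_t t2 = clock();

    /* clock() counts CLOCKS_PER_SEC ticks, not CPU cycles; use a cycle
     * counter for figures comparable to the cycles/byte quoted above. */
    double naive_pb = (double)(t1 - t0) / ((double)N * REPS);
    double scan_pb  = (double)(t2 - t1) / ((double)N * REPS);
    printf("S-box self-check: %s\n", scan_matches_table() ? "ok" : "MISMATCH");
    printf("naive lookup: %.6f ticks/byte\n", naive_pb);
    printf("full scan:    %.6f ticks/byte\n", scan_pb);
    return 0;
}
```

The scan variant is correct but slow, which is exactly the trade-off raised in the quoted reply: its cost is the same for every input byte, but it does 256 loads where the naive version does one, so a fair comparison has to report it against a fast table-driven AES rather than against the naive per-byte lookup shown here.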