Re: Don't use S-boxes!

From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 11/19/04

Date: Fri, 19 Nov 2004 01:40:55 +0000 (UTC)

>The specific values of cycles-per-byte for the encryption function with
>a pre-expanded key increased from 375 to 750 cycles per byte on my
>reference implementations.

That counts as extremely slow -- so slow as to render this
implementation strategy pretty useless, most likely.

>I'm unable to duplicate the published attack, and frankly don't
>understand how the "simple cache-timing attack on AES" keeps the S-BOX
>values out of the cache for reload-timings during its run-after-run
>collections of cycle counts. Perhaps Professor Bernstein has not
>implemented something correctly, or has a hardware misconfiguration
>where the Level 1 or Level 2 cache is turned off. Has anyone been able
>to duplicate his result? I'll post sample code on my web site shortly.

Are you running on the same architecture as him? The attack might be
architecture-dependent. His paper includes some comments about the fact
that Athlon caches are 2-way associative. Caches on a Pentium might well
be organized differently, leading to different timing effects (I don't know).
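The thread's subject line ("don't use S-boxes") and the 375-to-750 cycles-per-byte figure are about the cost of keeping AES's S-box lookups off the data cache. As an added illustration that is not part of this thread and not code by either poster, the block below generates the AES S-box from its definition (GF(2^8) inverse followed by the affine map), then contrasts the ordinary table lookup, whose timing depends on which cache line the index hits, with a lookup that reads every entry and selects the wanted one with arithmetic masks, so the memory access pattern is the same for every input. The function names and the mask trick are this example's own choices, not anything from the message above.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiply in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1 (0x11b). */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1)
            p ^= a;
        uint8_t hi = a & 0x80;
        a = (uint8_t)(a << 1);
        if (hi)
            a ^= 0x1b;
        b >>= 1;
    }
    return p;
}

/* Multiplicative inverse found by exhaustive search; 0 maps to 0 by AES convention. */
static uint8_t gf_inv(uint8_t a)
{
    if (a == 0)
        return 0;
    for (unsigned b = 1; b < 256; b++)
        if (gf_mul(a, (uint8_t)b) == 1)
            return (uint8_t)b;
    return 0; /* unreachable: every nonzero element has an inverse */
}

static uint8_t rotl8(uint8_t x, unsigned n)
{
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* The AES S-box, built once at startup from its algebraic definition. */
static uint8_t SBOX[256];
static int sbox_ready = 0;

void aes_sbox_init(void)
{
    for (unsigned i = 0; i < 256; i++) {
        uint8_t x = gf_inv((uint8_t)i);
        /* affine transform: x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4) ^ 0x63 */
        SBOX[i] = (uint8_t)(x ^ rotl8(x, 1) ^ rotl8(x, 2) ^ rotl8(x, 3) ^ rotl8(x, 4) ^ 0x63);
    }
    sbox_ready = 1;
}

/* Conventional lookup: one load whose address, and therefore cache line, depends on x. */
uint8_t sbox_table(uint8_t x)
{
    if (!sbox_ready)
        aes_sbox_init();
    return SBOX[x];
}

/* Data-independent lookup: touch all 256 entries in the same order for every x and
 * keep the wanted one with a branch-free mask. Costlier, but the access pattern no
 * longer reveals x. In production this still needs a check of the compiler's output,
 * since an optimizer may turn the mask back into a branch or a conditional load. */
uint8_t sbox_ct(uint8_t x)
{
    if (!sbox_ready)
        aes_sbox_init();
    uint8_t r = 0;
    for (unsigned i = 0; i < 256; i++) {
        /* (i ^ x) - 1 underflows to all ones only when i == x; shifting out the
         * top bit gives 1 in that case and 0 otherwise, negated into a byte mask. */
        uint32_t eq = ((uint32_t)(i ^ x) - 1u) >> 31;
        uint8_t mask = (uint8_t)(0u - eq);
        r |= (uint8_t)(SBOX[i] & mask);
    }
    return r;
}

/* Cross-check: the constant-time path must agree with the table for every input. */
int sbox_ct_matches_table(void)
{
    for (unsigned i = 0; i < 256; i++)
        if (sbox_ct((uint8_t)i) != sbox_table((uint8_t)i))
            return 0;
    return 1;
}

int main(void)
{
    aes_sbox_init();
    printf("S(0x00)=%02x S(0x01)=%02x S(0x53)=%02x\n",
           sbox_ct(0x00), sbox_ct(0x01), sbox_ct(0x53));
    printf("constant-time lookup matches table: %s\n",
           sbox_ct_matches_table() ? "yes" : "no");
    return 0;
}
```

The 256-entry scan is the same idea, in its crudest form, that a table-free (bitsliced or otherwise cache-independent) AES implements more cleverly; it is also where the slowdown the quoted message reports comes from, since each of the sixteen S-box uses per round now costs hundreds of loads instead of one.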