Re: Don't use S-boxes!
From: D. J. Bernstein (djb_at_cr.yp.to)
Date: 11/21/04
- Next message: D. J. Bernstein: "Re: Don't use S-boxes!"
- Previous message: D. J. Bernstein: "Re: Don't use S-boxes!"
- In reply to: karl_m_at_acm.org: "Re: Don't use S-boxes!"
- Next in thread: karl malbrain: "Re: Don't use S-boxes!"
- Reply: karl malbrain: "Re: Don't use S-boxes!"
- Reply: karl_m_at_acm.org: "Re: Don't use S-boxes!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 21 Nov 2004 03:06:20 +0000 (UTC)
karl_m@acm.org wrote:
> There seems to be some difference of opinion as to the difficulty of
> obtaining a constant time AES implementation. You say it's trivial,
> while Professor Bernstein says it's nearly impossible.
No, I never said that. In fact, my paper says exactly the opposite:
``One can implement AES using these [constant-time] operations.''
Actually, what my paper says is ``One can implement AES using these
operations, of course.'' The knowledgeable reader is already aware that
every circuit can be implemented with those constant-time operations.
The problem is performance. Here's the complete sentence: ``One can
implement AES using these operations, of course, but the result is
painfully slow.'' Every fast AES implementation uses array lookups---and
making _those_ take constant time is difficult.
---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
- Next message: D. J. Bernstein: "Re: Don't use S-boxes!"
- Previous message: D. J. Bernstein: "Re: Don't use S-boxes!"
- In reply to: karl_m_at_acm.org: "Re: Don't use S-boxes!"
- Next in thread: karl malbrain: "Re: Don't use S-boxes!"
- Reply: karl malbrain: "Re: Don't use S-boxes!"
- Reply: karl_m_at_acm.org: "Re: Don't use S-boxes!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
