Re: Don't use S-boxes!
Date: 11/22/04

Date: 21 Nov 2004 19:18:55 -0800

John Savard wrote:
> On Fri, 12 Nov 2004 03:28:08 +0000 (UTC), "D. J. Bernstein"
> <> wrote, in part:
> >Tom St Denis wrote:
> >> A byte value that takes the longest means what?
> >
> >Often it tells you the corresponding key byte, because---for
> >the xor of those bytes, which is used as a round-1 S-box index,
> >an L1 cache miss. If you know how the cache works and where the
> >stores its variables, you can figure out which xor values will
> >this behavior; or you can see the values from a trivial test, as I
> I can see that S-boxes do have a potential of allowing side attacks,
> given what you say here, although in some applications the attacker
> doesn't have this opportunity, and only sees the enciphered messages.

Right. This is the threat model for the desktop platform. Timing
attacks are only relevant to embedded systems. I don't see why
Professor Bernstein leaps to his "anti-sbox" stance for desktops,
karl m
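
As an added example that is not part of this thread: the quoted text attributes the leak to a key-dependent S-box index, so the sketch below puts an indexed lookup next to one whose memory access pattern is independent of the index. The table is a constructed stand-in (not the AES S-box) and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in table (a byte permutation), NOT the AES S-box. */
static uint8_t sbox[256];

void build_sbox(void) {
    for (unsigned i = 0; i < 256; i++)
        sbox[i] = (uint8_t)(i * 167u + 13u);  /* odd multiplier => permutation */
}

/* Round-1 style lookup: the index pt ^ key is secret-dependent, so the
 * address (and therefore the cache line) touched depends on the key byte. */
uint8_t lookup_indexed(uint8_t pt, uint8_t key) {
    return sbox[pt ^ key];
}

/* Same result, but every entry is read in a fixed order and the wanted one
 * is selected with a mask, so the access pattern does not depend on pt or
 * key. Inspect the compiled code: an optimizer may reintroduce a branch. */
uint8_t lookup_scan(uint8_t pt, uint8_t key) {
    uint32_t idx = (uint32_t)(pt ^ key);
    uint32_t out = 0;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t diff = i ^ idx;
        uint32_t mask = 0u - ((diff - 1u) >> 31);  /* all ones iff i == idx */
        out |= sbox[i] & mask;
    }
    return (uint8_t)out;
}

/* Returns 1 if both lookups agree for all 65536 (pt, key) pairs. */
int lookups_agree(void) {
    for (unsigned pt = 0; pt < 256; pt++)
        for (unsigned key = 0; key < 256; key++)
            if (lookup_indexed((uint8_t)pt, (uint8_t)key) !=
                lookup_scan((uint8_t)pt, (uint8_t)key))
                return 0;
    return 1;
}

int main(void) {
    build_sbox();
    printf("lookups agree: %d\n", lookups_agree());
    return 0;
}
```

The scan reads 256 entries per lookup instead of one; that cost is what buys the fixed access pattern.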
