Re: Don't use S-boxes!
Date: 21 Nov 2004 19:18:55 -0800
John Savard wrote:
> On Fri, 12 Nov 2004 03:28:08 +0000 (UTC), "D. J. Bernstein"
> <email@example.com> wrote, in part:
> >Tom St Denis wrote:
> >> A byte value that takes the longest means what?
> >Often it tells you the corresponding key byte, because---for
> >the xor of those bytes, which is used as a round-1 S-box index,
> >an L1 cache miss. If you know how the cache works and where the
> >stores its variables, you can figure out which xor values will
> >this behavior; or you can see the values from a trivial test, as I
> I can see that S-boxes do have a potential of allowing side attacks,
> given what you say here, although in some applications the attacker
> doesn't have this opportunity, and only sees the enciphered messages.
Right. This is the threat model for the desktop platform. Timing
attacks are only relevant to embedded systems. I don't see why
Professor Bernstein leaps to his "anti-sbox" stance for desktops,
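As an added illustration of the mechanism Bernstein describes in the quoted text (constructed example code, not from anyone in this thread): a toy cache model in which a round-1 lookup S[p ^ k] is slow whenever its table entry sits on an evicted cache line, so the plaintext values that "take the longest" reveal the high bits of k; the constant-time variant reads every entry and selects with a mask, so its cost no longer depends on the index. The S-box, the line geometry and the cycle costs are all assumptions.

```python
# Toy model of a cache-timing leak from a table-driven S-box and of the
# constant-time lookup that removes it. Everything here is constructed.
from typing import List, Set, Tuple

LINE_SIZE = 16        # assumed: 4-byte table entries on 64-byte cache lines
HIT, MISS = 1, 40     # assumed cycle costs for a cached / evicted entry

# Constructed 8-bit bijection standing in for the cipher's S-box (7 is odd,
# so x -> 7x + 3 mod 256 is a permutation).
SBOX = [(x * 7 + 3) & 0xFF for x in range(256)]


def lookup_cost(index: int, evicted_lines: Set[int]) -> int:
    """Cost of one direct table access: a miss if the entry's line was evicted."""
    return MISS if index // LINE_SIZE in evicted_lines else HIT


def round1_timings(key_byte: int, evicted_lines: Set[int]) -> List[int]:
    """What the attacker measures: the time of the round-1 lookup S[p ^ k]
    for every plaintext byte p, with k fixed and unknown to them."""
    return [lookup_cost(p ^ key_byte, evicted_lines) for p in range(256)]


def recover_high_bits(timings: List[int], evicted_line: int) -> int:
    """The slowest p satisfies (p ^ k) // LINE_SIZE == evicted_line, so the
    high bits of k are the high bits of p xor the evicted line number."""
    slowest = max(range(256), key=lambda p: timings[p])
    return (slowest // LINE_SIZE) ^ evicted_line


def ct_lookup(index: int, evicted_lines: Set[int]) -> Tuple[int, int]:
    """Mitigation: touch every entry and keep the wanted one with a mask.
    The memory access pattern is now independent of the index (the Python
    comparison itself is not constant-time; the model is about accesses)."""
    value, cost = 0, 0
    for i, entry in enumerate(SBOX):
        mask = -(i == index) & 0xFF      # 0xFF when i == index, else 0x00
        value |= entry & mask
        cost += lookup_cost(i, evicted_lines)
    return value, cost


def round1_timings_ct(key_byte: int, evicted_lines: Set[int]) -> List[int]:
    """Same experiment against the constant-time lookup: a flat profile."""
    return [ct_lookup(p ^ key_byte, evicted_lines)[1] for p in range(256)]
```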