Re: Don't use S-boxes!

karl_m_at_acm.org
Date: 11/22/04


Date: 21 Nov 2004 19:18:55 -0800


John Savard wrote:
> On Fri, 12 Nov 2004 03:28:08 +0000 (UTC), "D. J. Bernstein"
> <djb@cr.yp.to> wrote, in part:
>
> >Tom St Denis wrote:
> >> A byte value that takes the longest means what?
> >
> >Often it tells you the corresponding key byte, because---for example---
> >the xor of those bytes, which is used as a round-1 S-box index, incurs
> >an L1 cache miss. If you know how the cache works and where the program
> >stores its variables, you can figure out which xor values will trigger
> >this behavior; or you can see the values from a trivial test, as I did.
>
> I can see that S-boxes do have a potential of allowing side attacks,
> given what you say here, although in some applications the attacker
> doesn't have this opportunity, and only sees the enciphered messages.

Right. This is the threat model for the desktop platform. Timing
attacks are only relevant to embedded systems. I don't see why
Professor Bernstein leaps to his "anti-sbox" stance for desktops,
either.
 
karl m
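The cache-miss leak quoted above (a round-1 S-box index of p ^ k whose L1 hit or miss depends on the key byte) is what constant-time table lookups are meant to remove. As an added example that is not code from this thread or from any of its posters, the C below uses a constructed 256-entry stand-in table (not AES's S-box) and places the naive key-dependent lookup beside one that reads every entry in a fixed order and masks out the wanted byte, so the memory access pattern no longer depends on the secret index.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed 256-entry table standing in for a cipher S-box (not AES's). */
static uint8_t demo_sbox[256];

static void demo_sbox_init(void) {
    for (int i = 0; i < 256; i++)                 /* bijective: gcd(37, 256) == 1 */
        demo_sbox[i] = (uint8_t)((i * 37 + 11) & 0xff);
}

/* Naive round-1 lookup: the address read depends on p ^ k, so whether it
 * hits or misses in L1 (and hence the timing) is correlated with the key. */
static uint8_t naive_round1_lookup(uint8_t p, uint8_t k) {
    return demo_sbox[p ^ k];
}

/* Constant-time lookup: touch every entry in a fixed order and keep only the
 * one whose position equals idx, selected by a mask rather than a branch or
 * a data-dependent address. */
static uint8_t ct_table_lookup(const uint8_t *table, size_t n, uint8_t idx) {
    uint8_t result = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t d = (uint32_t)(i ^ idx);         /* zero only when i == idx */
        uint32_t bit = (d - 1u) >> 31;            /* 1 when d == 0, else 0  */
        uint8_t mask = (uint8_t)(0u - bit);       /* 0xff or 0x00, no branch */
        result |= (uint8_t)(table[i] & mask);
    }
    return result;
}

static uint8_t ct_round1_lookup(uint8_t p, uint8_t k) {
    return ct_table_lookup(demo_sbox, 256, (uint8_t)(p ^ k));
}

/* Returns 1 if the constant-time lookup agrees with the naive one for every
 * (plaintext byte, key byte) pair, 0 otherwise. Initialises the table. */
static int ct_lookup_matches_naive(void) {
    demo_sbox_init();
    for (int p = 0; p < 256; p++)
        for (int k = 0; k < 256; k++)
            if (ct_round1_lookup((uint8_t)p, (uint8_t)k) !=
                naive_round1_lookup((uint8_t)p, (uint8_t)k))
                return 0;
    return 1;
}
```

The masked scan costs 256 reads per lookup instead of one, which is the usual price of removing the index-dependent access; bitsliced or vector-permute implementations reach the same goal faster but are beyond this example.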