Re: 16K pentium level one cache
From: Terje Mathisen (terje.mathisen_at_hda.hydro.com)
Date: 12/03/04
- Previous message: David Wagner: "Re: 16K pentium level one cache"
- In reply to: David Wagner: "Re: 16K pentium level one cache"
- Next in thread: David Wagner: "Re: 16K pentium level one cache"
- Reply: David Wagner: "Re: 16K pentium level one cache"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 03 Dec 2004 23:20:53 +0100
David Wagner wrote:
> Terje Mathisen wrote:
>
>>A spin loop doing RDTSC would keep going until past a certain value,
>>reducing the maximum possible information left to be modulo the length
>>of said loop.
>
> That's different from a random delay, which is what you proposed
> previously. Slowing the cipher down to its worst-case execution time
> should work to defend against timing attacks. However, for AES, this
> is extremely expensive, as the worst-case execution time is much, much
> higher than the average-case.
>
> In other words, I remain skeptical that you can get security at a
> reasonable performance overhead.
OK.
Would you then accept my other premise which was that crypto running on
a Pentium-class cpu, with direct attacker access to the machine, would
be _much_ easier to break by simply running under a debugger like SoftIce?
For someone attacking this over the network, please suggest a scenario
where you could recover enough bits to break the key in less than, say
10 years?
Terje
-- 
- <Terje.Mathisen@hda.hydro.com>
"almost all programming can be viewed as an exercise in caching"
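The spin-loop countermeasure under discussion, padding a secret-dependent operation until the clock passes a fixed deadline so an observer learns only which time quantum the work fell into, as an added example written for this archive page; it is not code from either correspondent. It assumes a POSIX `CLOCK_MONOTONIC` clock in place of RDTSC, a toy `toy_work` routine standing in for the cipher, and a quantum chosen to exceed the worst-case runtime (which is exactly the cost Wagner raises: every call now takes at least one full quantum).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Monotonic nanosecond timestamp; stands in for RDTSC (assumption). */
static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* Deadline the spin loop waits for: 'start' plus the smallest whole number
 * of quanta (at least one) that covers the work already done.  Pure
 * arithmetic, so it is the part worth unit-testing. */
uint64_t next_deadline(uint64_t start, uint64_t now, uint64_t quantum_ns) {
    uint64_t elapsed = now - start;
    uint64_t quanta = (elapsed + quantum_ns - 1) / quantum_ns;  /* ceil */
    if (quanta == 0)
        quanta = 1;   /* finishing on the boundary still costs one quantum */
    return start + quanta * quantum_ns;
}

/* Run 'op', then spin until the quantized deadline.  Returns how many
 * quanta the call occupied, which is all the timing channel now reveals:
 * the residual leak is the elapsed time modulo the quantum, as the thread
 * puts it, not the exact duration. */
uint64_t run_quantized(void (*op)(void *), void *arg, uint64_t quantum_ns) {
    uint64_t start = now_ns();
    op(arg);
    uint64_t deadline = next_deadline(start, now_ns(), quantum_ns);
    while (now_ns() < deadline) {
        /* busy-wait: keep the observable finish time on the grid */
    }
    return (deadline - start) / quantum_ns;
}

/* Toy stand-in for a cipher whose runtime depends on its input (constructed). */
static void toy_work(void *arg) {
    volatile uint64_t acc = 0;
    uint64_t iters = *(uint64_t *)arg;
    for (uint64_t i = 0; i < iters; i++)
        acc += i ^ (acc >> 3);
}

int main(void) {
    uint64_t fast = 1000, slow = 200000;
    uint64_t quantum = 5000000ULL;   /* 5 ms: must exceed the worst case */
    printf("fast input: %llu quanta\n",
           (unsigned long long)run_quantized(toy_work, &fast, quantum));
    printf("slow input: %llu quanta\n",
           (unsigned long long)run_quantized(toy_work, &slow, quantum));
    return 0;
}
```

With a quantum larger than the slowest input, both calls report the same single quantum, which is the whole point; with a quantum that is too small, the slow input spills into a second quantum and the distinguisher returns, so the quantum has to be sized from the worst case, not the average.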