Re: Tiny table AES implementation
- From: tomstdenis@xxxxxxxxx
- Date: 20 Apr 2006 17:13:49 -0700
karl malbrain wrote:
> tomstde...@xxxxxxxxx wrote:
>> karl malbrain wrote:
>>> I've posted a new tiny table (512 bytes encrypt, 1280 bytes decrypt)
>>> AES implementation in C that is immune to the DJB timing attack:
>>> www.geocities.com/malbrain/aestable_c.html
>>> The improved timing is 105 cycles/byte encryption, 147 decryption.
>>
>> I applied the DJB attack against LTC. It works. I then enabled
>> LTC_SMALL_CODE and it doesn't work.
>
> Are you sure it's not working?
> Yesterday I posted a small table (1K bytes) version that shifts and
> discovered that it was still leaking 3 or 4 bits per byte. E.g. the
> output for one of the 1024 rows is:
> 26 46 36 16 27 17 06 d7 b6
> which is a leakage of 3 bits per byte.

The 4th line leaks the most and I see
04 00256 loops: 4d c6 af d2 62 bc 88 23 77 c7
With the mod.
Not only does it not consistently get the correct mask but the various
bits seem to cycle enough.
Try this test. Modify the output to be the result of bestx() or rand()
for a given row totally at random. Then tell me if your implementation
is broken.
Just looking at 10 values won't really tell you much. You'd need a lot
more to filter out the S/N which is kinda the flaw in the attack to
begin with.
Tom
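
As an added example (not code from the thread or from either poster), the C program below runs the kind of random control suggested above: it counts the bit positions on which every byte of a row agrees, applies that to the two rows quoted in the thread, and measures how often rows of rand() bytes show the same agreement by chance. The function names, the use of "agreeing bit positions" as the measure of leakage, and the uniform-random model are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Mask of bit positions on which every byte in v[0..n-1] has the same value. */
unsigned agree_mask(const unsigned char *v, size_t n)
{
    unsigned all_and = 0xff, all_or = 0x00;
    for (size_t i = 0; i < n; i++) { all_and &= v[i]; all_or |= v[i]; }
    return (all_and | ~all_or) & 0xff;   /* bits that are always 1, or always 0 */
}

int bit_count(unsigned m)
{
    int c = 0;
    for (; m; m &= m - 1) c++;
    return c;
}

/* Control (assumed model): fraction of rows of n uniformly random bytes that
   show at least min_bits agreeing bit positions purely by chance. */
double random_rate(size_t n, int min_bits, long trials, unsigned seed)
{
    unsigned char row[64];
    long hits = 0;
    if (n == 0 || n > sizeof row || trials <= 0) return -1.0;
    srand(seed);
    for (long t = 0; t < trials; t++) {
        for (size_t i = 0; i < n; i++)
            row[i] = (unsigned char)((rand() >> 7) & 0xff);
        if (bit_count(agree_mask(row, n)) >= min_bits) hits++;
    }
    return (double)hits / (double)trials;
}

/* Rows copied from the thread: row_a from the quoted 1K-table post, row_b from the reply. */
static const unsigned char row_a[] = {0x26,0x46,0x36,0x16,0x27,0x17,0x06,0xd7,0xb6};
static const unsigned char row_b[] = {0x4d,0xc6,0xaf,0xd2,0x62,0xbc,0x88,0x23,0x77,0xc7};

int main(void)
{
    unsigned ma = agree_mask(row_a, sizeof row_a), mb = agree_mask(row_b, sizeof row_b);
    printf("row A: mask %02x, %d agreeing bits\n", ma, bit_count(ma));
    printf("row B: mask %02x, %d agreeing bits\n", mb, bit_count(mb));
    printf("random 9-byte rows with >=3 agreeing bits: %.6f\n", random_rate(9, 3, 200000, 1u));
    return 0;
}
```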