Re: Tiny table AES implementation

karl malbrain wrote:
tomstde...@xxxxxxxxx wrote:
karl malbrain wrote:
I've posted a new tiny table (512 bytes encrypt, 1280 bytes decrypt)
AES implementation in C that is immune to the DJB timing attack:

The improved timing is 105 cycles/byte encryption, 147 decryption.

I applied the DJB attack against LTC. It works. I then enabled
LTC_SMALL_CODE and it doesn't work.

Are you sure it's not working?

Yesterday I posted a small table (1K bytes) version that shifts and
discovered that it was still leaking 3 or 4 bits per byte. E.g. the
output for one of the 1024 rows is:
26 46 36 16 27 17 06 d7 b6
which is a leakage of 3 bits per byte.

The 4th line leaks the most and I see

04 00256 loops: 4d c6 af d2 62 bc 88 23 77 c7

With the mod.

Not only does it not consistently get the correct mask but the various
bits seem to cycle enough.

Try this test. Modify the output to be the result of bestx() or rand()
for a given row totally at random. Then tell me if your implementation
is broken.

Just looking at 10 values won't really tell you much. You'd need a lot
more to filter out the S/N which is kinda the flaw in the attack to
begin with.
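The disagreement above is about whether a small S-box/T-table lookup still leaks a few bits of the index through cache timing. The root cause on both sides is the same: a table read whose address depends on key material. As an added illustration, not code from karl malbrain, LibTomCrypt or anyone else in this thread, the following C builds the AES S-box from its definition and compares a plain `sbox[x]` read with a data-oblivious lookup that touches all 256 entries and selects the wanted one with an arithmetic mask. The function and variable names (`init_sbox`, `naive_sub_byte`, `ct_sub_byte`, `ct_sub_bytes`, `ct_lookup_matches_table`) are hypothetical and chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Rotate an 8-bit value left by s bits (s in 1..7). */
#define ROTL8(x, s) ((uint8_t)(((x) << (s)) | ((x) >> (8 - (s)))))

static uint8_t sbox[256];
static int sbox_ready = 0;

/* Build the AES S-box from its definition (multiplicative inverse in
 * GF(2^8) followed by the affine map) instead of typing in 256 constants.
 * p walks the powers of 3 (a generator of GF(2^8)*), q walks the powers of
 * 3^-1, so q is always the inverse of p.  Example code, names hypothetical. */
static void init_sbox(void)
{
    uint8_t p = 1, q = 1;
    do {
        /* p = p * 3 modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 */
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0));
        /* q = q / 3, i.e. q * 0xF6 */
        q ^= (uint8_t)(q << 1);
        q ^= (uint8_t)(q << 2);
        q ^= (uint8_t)(q << 4);
        q ^= (q & 0x80) ? 0x09 : 0;
        /* affine transform of the inverse, then the 0x63 constant */
        uint8_t t = q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4);
        sbox[p] = t ^ 0x63;
    } while (p != 1);
    sbox[0] = 0x63; /* zero has no inverse; S(0) is defined as 0x63 */
    sbox_ready = 1;
}

/* Direct lookup: which cache line is read depends on the secret index x.
 * This is the access pattern the thread's small-table variants still have,
 * just with fewer distinguishable lines. */
uint8_t naive_sub_byte(uint8_t x)
{
    if (!sbox_ready) init_sbox();
    return sbox[x];
}

/* Data-oblivious lookup: every entry is read in the same order regardless
 * of x, and the wanted byte is kept with a branch-free mask.  Cost is 256
 * reads per byte instead of one, which is the price the thread's
 * table-shrinking tricks are trying to avoid paying. */
uint8_t ct_sub_byte(uint8_t x)
{
    if (!sbox_ready) init_sbox();
    uint8_t r = 0;
    for (unsigned i = 0; i < 256; i++) {
        /* (i ^ x) - 1 wraps to UINT_MAX only when i == x; shifting right by
         * 8 and truncating therefore yields 0xFF for the match, 0x00 otherwise */
        uint8_t mask = (uint8_t)(((i ^ x) - 1u) >> 8);
        r |= sbox[i] & mask;
    }
    return r;
}

/* SubBytes over a 16-byte AES state using the oblivious lookup. */
void ct_sub_bytes(uint8_t state[16])
{
    for (int i = 0; i < 16; i++)
        state[i] = ct_sub_byte(state[i]);
}

/* Self-check: the oblivious lookup must agree with the direct one everywhere. */
int ct_lookup_matches_table(void)
{
    for (unsigned x = 0; x < 256; x++)
        if (ct_sub_byte((uint8_t)x) != naive_sub_byte((uint8_t)x))
            return 0;
    return 1;
}

int main(void)
{
    /* constructed sample state; not from any test vector on the page */
    uint8_t state[16] = { 0x00, 0x01, 0x53, 0xff, 0x10, 0x20, 0x30, 0x40,
                          0x80, 0x90, 0xa0, 0xb0, 0xc0, 0xd0, 0xe0, 0xf0 };
    ct_sub_bytes(state);
    printf("SubBytes:");
    for (int i = 0; i < 16; i++)
        printf(" %02x", state[i]);
    printf("\nmatches table: %d\n", ct_lookup_matches_table());
    return 0;
}
```

The mask trick generalises to the 1K T-tables in the same way: scan the whole table and accumulate under a mask, so the set of cache lines touched is independent of the key byte. Two practical caveats: check the generated assembly, since an optimiser is free to turn the scan back into an indexed load or a branch if it can prove the result is the same; and remember this only removes the address-dependent leak, not timing differences from other sources. Bitsliced implementations or AES hardware instructions avoid the per-byte cost of the full scan.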
