AES cache timing attack

Stephan Neuhaus neuhaus at st.cs.uni-sb.de
Mon Jun 20 07:40:20 EDT 2005 

Peter Gutmann wrote:
> Stephan Neuhaus <neuhaus at st.cs.uni-sb.de> writes:
> 
>>Concerning the practical use of AES, you may be right (even though it would
>>be nice to have some advice on what one *should* do instead). 
> 
> Definitely.  Maybe time for a BCP, not just for AES but for general block
> ciphers?

I think so.

>>I find it pretty alarming that in spite of all the review that AES
>>got, [resistance to timing attacks] was not met, and in an exploitable
>>fashion to boot.
> 
> Well, it depends on what your design assumptions were.  [...] In fact I'd say
> it's actually not possible to certify resistance
> to timing attacks across all possible CPUs, because it'll always be possible
> to find some oddball CPU for which an AES-critical instruction somewhere has
> some weird characteristic that helps in an attack.

True, but what we have here is not some oddball CPU, but the fact that a 
natural AES implementation on one of the most popular CPUs in existence 
today has this problem.  It's a problem because the algorithm (and by 
extension, any natural implementation of it) isn't supposed to be 
vulnerable to a timing attack.

> Lets say you want constant timing for at least the most common CPU family,
> x86.  [...]
> 
> So in the end you've got an algorithm design that happens to be resistant to
> timing attacks on the D0 stepping of a Northwood-core Intel P4.  Anything else
> and all bets are off.  This doesn't seem very useful to me.

I don't know.  That cache accesses are faster than memory accesses is 
not exactly new.

I agree totally that we shouldn't insist on constant-time 
implementations across all possible architectures.  This way madness 
lies.  But the fact that it is apparently difficult to produce a fast 
constant-time implementation on the P4 is definitely a warning sign, 
especially when resistance to timing attacks was an explicit design 
criterion.

How can we get fast constant-time implementations? (Or even just an 
implementation that is resistant to timing attacks, which isn't 
necessarily the same thing?)  I don't know.  But what you can't do is 
solicit a cipher that is supposed to be free of timing attacks and then, 
when one is found, say, "well, don't do that then" :-)

>>I think this says more about the standardization and review process than
>>about AES.
> 
> I think the standardisation process went about as well as can be expected,
> given Newtonian physics-level assumptions about how CPUs work.

Again, I don't know.  That cache accesses are faster than memory 
accesses is very much inside the limits of "Newtonian physics-level 
assumptions". If the standardizers had had a testable, implementable 
phrasing of their design requirements, this embarrassing mistake could 
have been avoided.  Granted, I don't see at the moment how you could 
phrase this so that the word "cache" does not already appear somewhere, 
but I feel that this should have been possible.  It's just good 
engineering practice.

IIRC, the timing resistance was accepted on a theoretical argument (that 
table accesses take constant time); nobody actually tried it out before 
accepting it.  If they had, they would have seen that the implementation 
was not constant-time.  I think this is bad and I still think that the 
fault lies with the standardization process.

Fun,

Stephan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: neuhaus.vcf
Type: text/x-vcard
Size: 394 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20050620/caf19d20/attachment.vcf>

More information about the cryptography mailing list