[Cryptography] Stupid question on S-boxes

Jerry Leichter leichter at lrw.com
Fri Jan 25 20:13:42 EST 2019


> 
>> I'd say the ability to safely do crypto on shared hardware is very much an
>> open question at this point.
> 
> Thus the restatement of Law #1 of the 10 Immutable Laws of Security, "If a bad
> guy can persuade you to run his program on your computer, it’s not your
> computer any more", which in its inverse form is the Immutable Law of Cloud
> Computing Security:
> 
> "If a bad guy can persuade you to run your program on his computer, it’s not
> your program any more".
There is an irony to this:  Allegedly when DES was first proposed, the NSA was skeptical of software implementations of cryptographic algorithms.  In fact, they influenced DES to make it harder to implement in software (the initial and final permutations).

Of course, without the ability to use this stuff in software, the public development of cryptography would have been completely stunted.  So the NSA clearly had other motives for pushing for hardware-only implementations.

We of course don't know exactly what the NSA does these days, though it is interesting that the FIPS standards for cryptography, for example, are clearly written with an eye to hardware implementations.

While the crypto hackers may not want to admit it, we appear at least for the reasonably foreseeable future to be at the end of the road for practical asymmetric cryptographic algorithm development:  Nothing is likely to supersede AES in widespread practical use.  We're probably converging on SHA2, with a gradual move to SHA3, for hash functions.  Which makes putting those directly into hardware sensible.  There's a lot of paranoia around trusting the hardware implementations, though if you do a careful analysis of realistic attack models, you're probably safer using the hardware implementations than relying on software - especially when you're using shared infrastructure (if, as you point out, security on shared infrastructure is a particularly meaningful concept anyway - though economics keeps pushing us toward it).

An interesting question I haven't seen specifically attacked:  Are there usable side-channel attacks against software random number generators?  (Particularly the algorithms actually in use in modern systems.)  These have seen many algorithmic attacks and defenses, but I don't recall anything like, say, a DPA attack against the stirring algorithms.

                                                        -- Jerry
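The DES initial and final permutations mentioned above are the classic illustration of a step that is free in hardware (just wiring) but costs one shift/mask/or per bit in a straightforward software port. The following Python is an added example, not code from the post or from any DES implementation it refers to; it carries the IP and IP^-1 tables from FIPS 46, applies them bit by bit the way a naive software implementation would, and checks them against each other and against the well-known 0x0123456789ABCDEF walk-through vector. The helper names (permute, invert_table, split_lr, naive_bit_ops) are assumptions of this example.

```python
# DES initial permutation (IP) and its inverse (FP = IP^-1), bit numbers 1..64
# counted from the most significant bit, exactly as tabulated in FIPS 46.
IP = [
    58, 50, 42, 34, 26, 18, 10, 2,  60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6,  64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17,  9, 1,  59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,  63, 55, 47, 39, 31, 23, 15, 7,
]
FP = [
    40, 8, 48, 16, 56, 24, 64, 32,  39, 7, 47, 15, 55, 23, 63, 31,
    38, 6, 46, 14, 54, 22, 62, 30,  37, 5, 45, 13, 53, 21, 61, 29,
    36, 4, 44, 12, 52, 20, 60, 28,  35, 3, 43, 11, 51, 19, 59, 27,
    34, 2, 42, 10, 50, 18, 58, 26,  33, 1, 41,  9, 49, 17, 57, 25,
]


def permute(block, table, width=64):
    """Apply a FIPS-46-style permutation table to a `width`-bit block.

    Output bit i (1-based, MSB first) is taken from input bit table[i-1].
    This is the naive software approach: one shift, one mask and one or
    per output bit, i.e. ~3*width operations for a step that is pure
    wiring in a hardware implementation.
    """
    out = 0
    for src in table:
        bit = (block >> (width - src)) & 1
        out = (out << 1) | bit
    return out


def naive_bit_ops(table):
    """Operation count of the bit-by-bit method above (shift, mask, or per bit)."""
    return 3 * len(table)


def invert_table(table):
    """Return the inverse permutation table: if table sends input bit s to
    output position i, the inverse sends input bit i to output position s."""
    inv = [0] * len(table)
    for i, src in enumerate(table, start=1):
        inv[src - 1] = i
    return inv


def split_lr(block):
    """Split a 64-bit block into the (L, R) 32-bit halves used by the DES rounds."""
    return (block >> 32) & 0xFFFFFFFF, block & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed check value: the textbook DES walk-through plaintext.
    m = 0x0123456789ABCDEF
    ip = permute(m, IP)
    l0, r0 = split_lr(ip)
    print(f"IP(M)  = {ip:016X}  L0 = {l0:08X}  R0 = {r0:08X}")
    print(f"FP(IP(M)) == M: {permute(ip, FP) == m}")
    print(f"FP table is the inverse of IP table: {invert_table(IP) == FP}")
    print(f"naive cost per permutation: {naive_bit_ops(IP)} bit operations")
```

Note that IP and FP contribute nothing to the cipher's strength (they are a fixed, public, key-independent rewiring), which is why the post treats their inclusion as a software-hostile design choice rather than a cryptographic one.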


