AES cache timing attack

Steven M. Bellovin smb at cs.columbia.edu
Thu Jun 16 09:18:53 EDT 2005


Dan Bernstein has a new cache timing attack on AES:

	http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

(This was mentioned in Bruce Schneier's CRYPTO-GRAM newsletter.)
Briefly, the attack relies on the fact that retrieving an S-box
entry from the cache is much faster than retrieving it from main
memory; this in turn leaks bits of keying material.

One of his claims is that the attack is possible because of the
characteristics of efficient software implementations of AES, and
that NIST should have realized the problem -- there are ciphers
that don't have this problem.  He also makes some suggestions to
CPU designers about steps they can take to let implementors avoid
such traps.

For years, it was a commonplace that one should not design one's
own encryption algorithms.  Some people have extended that advice
to apply to cryptographic protocols.  Dan Boneh now says he's
warning people even against doing their own implementations.


		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
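The mechanism Bellovin summarizes (an S-box read whose address depends on key material, so that a cache hit or miss reveals which entry was used) is easiest to see next to its remedy. The following C is an added example written for this page; it is not code from the post, from Bernstein's paper, or from any AES library. The S-box is built from the FIPS-197 definition (multiplicative inverse in GF(2^8) followed by the affine transform) so no 256-byte literal is needed, and the function names `sbox_lookup_leaky`, `sbox_lookup_ct` and `lookups_agree` are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiply two GF(2^8) elements with the AES reduction polynomial
 * x^8 + x^4 + x^3 + x + 1 (0x11b). */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        uint8_t carry = a & 0x80;
        a = (uint8_t)(a << 1);
        if (carry) a ^= 0x1b;
        b >>= 1;
    }
    return p;
}

static uint8_t rotl8(uint8_t x, unsigned n) {
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* Build the AES S-box from its definition (FIPS-197 section 5.1.1):
 * S(a) = affine(a^-1), with 0 mapped to 0x63. Computed once, lazily. */
static const uint8_t *aes_sbox(void) {
    static uint8_t sbox[256];
    static int ready = 0;
    if (!ready) {
        for (unsigned a = 0; a < 256; a++) {
            uint8_t inv = 0;
            for (unsigned b = 1; b < 256 && a != 0; b++) {
                if (gf_mul((uint8_t)a, (uint8_t)b) == 1) { inv = (uint8_t)b; break; }
            }
            sbox[a] = (uint8_t)(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2)
                              ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63);
        }
        ready = 1;
    }
    return sbox;
}

/* The access pattern the cache-timing attack observes: the address read is
 * chosen by the secret byte, so which cache line is touched, and therefore
 * how long the read takes, depends on idx. */
uint8_t sbox_lookup_leaky(uint8_t idx) {
    return aes_sbox()[idx];
}

/* Constant-time alternative: read every entry every time and select the
 * wanted one with an arithmetic mask, so the sequence of memory accesses is
 * identical for every idx and cache state reveals nothing about it. */
uint8_t sbox_lookup_ct(uint8_t idx) {
    const uint8_t *sbox = aes_sbox();
    uint8_t out = 0;
    for (uint32_t i = 0; i < 256; i++) {
        /* mask is 0xff exactly when i == idx; (0 - 1) >> 8 truncates to 0xff,
         * any value 0..254 >> 8 is 0. No data-dependent branch is involved. */
        uint8_t mask = (uint8_t)(((i ^ idx) - 1u) >> 8);
        out |= (uint8_t)(sbox[i] & mask);
    }
    return out;
}

/* Returns 1 when the masked lookup agrees with the direct lookup for all 256 inputs. */
int lookups_agree(void) {
    for (unsigned i = 0; i < 256; i++)
        if (sbox_lookup_ct((uint8_t)i) != sbox_lookup_leaky((uint8_t)i)) return 0;
    return 1;
}

int main(void) {
    printf("S[0x00]=0x%02x S[0x01]=0x%02x S[0x53]=0x%02x agree=%d\n",
           sbox_lookup_ct(0x00), sbox_lookup_ct(0x01),
           sbox_lookup_ct(0x53), lookups_agree());
    return 0;
}
```

Two caveats for anyone applying this. First, the masked scan costs 256 reads per S-box byte, which is why serious constant-time AES implementations use bitslicing or dedicated hardware instructions rather than a table at all. Second, the loop is constant-time in the C source only; an optimizing compiler may rewrite it, so the generated assembly (or a constant-time checking tool) has to be inspected before trusting it.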



---------------------------------------------------------------------
The Cryptography Mailing List