Protecting against the cache-timing attack.
Jon Callas
jon at callas.org
Thu Jun 23 13:40:09 EDT 2005
One of the things to remember in all of this is that one of the reasons
we picked Rijndael as the AES was its speed. (And yes, I mean "we." I
was present at the conferences, and I filled out the little poll about
which ciphers I liked and why. That means I participated and bear part
of the responsibility, along with everyone else who was there.)
Rijndael is a fast little bugger. It is the fastest of all the
candidates. This means that if we're forced to slow it down a little,
then that isn't really so bad (assuming it can be done easily).
Bulk encryption on modern cpus is really, really fast. We're making
servers that do a lot of encryption at PGP Corporation. We also do a
lot of performance testing. One test that we did where we tested how
many messages 10K in size we could do in an hour, and then 100K in size
saw a performance drop of between 1 and 10%. Yes, between one percent
and ten percent!
Bulk encryption is not the bottleneck for a protocol like PGP. The
bottleneck is some combination of public key encryption and message
invariant data formatting.
So let's conduct a small thought experiment. Take the set of timings T,
where it is the timings of all possible AES keys on a given computer.
(It's going to be different depending on cpu, compiler, memory, etc.)
Order that set so that the shortest timing is t_0 and the longest one
is t_omega. Obviously, if you delay until t_omega, you have a
constant-time encryption.
I'm going to assert that if you delay only until t_omega-1 (by which I
mean the first timing smaller than t_omega. It is possible that there
is more than one key with the timing of t_omega. Actually, I think
there *must* be a set of them through some basic combinatorics.) then
the system is still secure enough -- that the attack is infeasible. By
that I mean that the timing attack doesn't work. Let's just presume
this is true.
So then there are two questions:
What is the largest t_n for which my assertion is still true? In other
words, what's the minimum delay time?
What is the smallest t_n for which it's still feasible to make the
timing attack?
"Feasible" is a squishy thing here, but we can get a handle on it. Take
the example Perry gave -- a wireless router that you can suitably
inject packets into. If I assume that it's using AES-256, and that the
key is changed once a decade, and that the attacker consumes 100% of
the bandwidth of router, then the attacker can only get P timings, and
P is going to be much smaller than 2^256. That means that there must be
some t_p that is a delay short enough that makes the attack impractical
for a set of statistical parameters (like that the chi-square of my key
guess is less than c).
Now if I'm completely wrong, and you *must* always delay to t_omega,
that's *also* an interesting answer -- actually more interesting
because it's counter-intuitive.
So -- is there a way to make some calculations about a small t_m, a
delay that's kinda skanky, but short, and t_n, a delay that we'd all
feel good about? Heck -- how do we even find out what t_omega is
without having to enumerate the set? Or even more practically, if I
just pick a t, how do I know that it's at least as big as t_omega?
Jon
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list