AES timing attacks, why not "whiten" the implementation?

David Alexander Molnar dmolnar at EECS.berkeley.EDU
Thu Jun 23 19:49:30 EDT 2005



On Thu, 23 Jun 2005, Beryllium Sphere LLC wrote:

> Can you destroy the relationship between key contents and timing without hurting average run time?
>
> Each round of AES has sixteen table lookups. If you permute the order in which the implementation does the lookups, then you get a completely different pattern of cache hits and misses. If you permute the order of lookups in a key-independent fashion for every encryption operation then each key has 16! or almost 21 trillion possible timings.
>
> If I'm not making sense in English, schematic pseudocode would look like
>
> Let indirection_array=random permutation of (0..15)

1) How do you generate this in a way that does not leak information about
the permutation generated?

2) How many times can you re-use a single indirection array?

3) How quickly can you generate new indirection arrays?

-David Molnar

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
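A toy model of the proposal under discussion, added here as an illustration and not part of either poster's message: it performs AES SubBytes with the sixteen S-box lookups issued in a Fisher-Yates-shuffled order and simulates a cold cache over a flat 256-byte S-box, so you can see what the permutation changes (the hit/miss sequence) and what it leaves alone (the output, and the set of cache lines the state bytes fall into). Assumed, not taken from the post: a 64-byte cache line, a single byte-wide S-box rather than the 1 KiB T-tables of a fast implementation, and the constructed sample state in `compare`'s caller. The S-box is built from its definition rather than typed in.

```python
"""
Added example (not from the list post): a toy model of permuting the order of
the 16 S-box lookups in AES SubBytes, with a simulated cold cache to show what
the permutation does and does not change.  Assumptions: 64-byte cache lines
and one flat 256-byte S-box (a real T-table implementation uses 1 KiB tables).
"""
import random
from typing import Optional

LINE_BYTES = 64      # assumed cache-line size
STATE_BYTES = 16     # one AES block = 16 S-box lookups per round


def _rotl8(x: int, s: int) -> int:
    return ((x << s) | (x >> (8 - s))) & 0xFF


def gen_aes_sbox() -> list[int]:
    """Build the AES S-box from its definition: GF(2^8) inverse, then the affine map.
    Walks the multiplicative group with p *= 3 and q /= 3 so p * q == 1 throughout."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 mod x^8+x^4+x^3+x+1
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3 (i.e. q *= 0xF6)
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63   # 0 has no inverse; the affine map sends 0 to 0x63
    return sbox


def random_permutation(n: int, seed: Optional[int] = None) -> list[int]:
    """Fisher-Yates shuffle of 0..n-1.  seed=None draws from the OS CSPRNG."""
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = rng.randrange(i + 1)   # unbiased, but rejection-sampled: its run time varies
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def sub_bytes(state: list[int], order: list[int], sbox: list[int]) -> list[int]:
    """SubBytes with the lookups issued in `order`.  Each byte is substituted
    independently, so every order yields the same output block."""
    out = [0] * len(state)
    for i in order:
        out[i] = sbox[state[i]]
    return out


def cache_trace(state: list[int], order: list[int], line_bytes: int = LINE_BYTES) -> str:
    """Cold-cache hit/miss string for lookups issued in `order` over a flat S-box
    whose byte k lives in cache line k // line_bytes."""
    warm: set[int] = set()
    trace = []
    for i in order:
        line = state[i] // line_bytes
        trace.append("H" if line in warm else "M")
        warm.add(line)
    return "".join(trace)


def compare(state: list[int], n_perms: int, seed: int) -> dict:
    """Run SubBytes under n_perms random lookup orders and report what varies."""
    sbox = gen_aes_sbox()
    identity = list(range(len(state)))
    reference = sub_bytes(state, identity, sbox)
    perms = [random_permutation(len(state), seed + k) for k in range(n_perms)]
    traces = [cache_trace(state, p) for p in perms]
    return {
        "same_output": all(sub_bytes(state, p, sbox) == reference for p in perms),
        "distinct_traces": len(set(traces)),            # the hit/miss sequence moves
        "miss_counts": {t.count("M") for t in traces},  # the cold-miss total does not
        "lines_touched": len({b // LINE_BYTES for b in state}),
    }


if __name__ == "__main__":
    # Constructed sample state: bytes drawn from three of the four 64-byte lines.
    demo_state = [0x00, 0x10, 0x3F, 0x40, 0x55, 0x7F, 0xC0, 0xD2,
                  0xFF, 0x01, 0x41, 0xC1, 0x02, 0x42, 0xC2, 0x03]
    print(compare(demo_state, n_perms=8, seed=2005))
```

Two things the model makes concrete. The position of each miss in the trace changes with the permutation, which is what the proposal relies on; the number of cold misses equals the number of distinct lines the state bytes fall into and is the same under every order, so a measurement that only sees totals is unaffected. On Molnar's first question, note the `randrange` call in the shuffle: CPython draws it by rejection sampling, so even this permutation generator has data-dependent run time, and a shipping implementation would need a constant-time shuffle and a per-block source of randomness cheap enough to answer his third question.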
