AES timing attacks, why not "whiten" the implementation?

Victor Duchovni Victor.Duchovni at MorganStanley.com
Fri Jun 24 00:42:32 EDT 2005


On Fri, Jun 24, 2005 at 03:36:19AM -0000, Beryllium Sphere LLC wrote:

> (b) Is there a better way to scramble the timing of an AES operation
> without going to the last resort of padding everything to worst-case timing?

Perhaps something along the lines of:

    "Provably Secure Masking of AES": http://eprint.iacr.org/2004/101.pdf

Just found the paper, can't speak to its quality or applicability,
but it appears to tackle this sort of problem, and if it fails to cover
cache timing, that too is interesting...

There was recently some discussion of the family of ciphers
dual to AES, and the fact that some of the equivalent ciphers yield
efficient hardware implementations. It is interesting to ask whether the
existence of dual ciphers can be used in approaches to thwart cache timing
attacks... This thought is not new, http://eprint.iacr.org/2002/157.ps
at the bottom of page 12 says:

The existence of dual ciphers can also be used to protect implementation[s]
against fault-analysis and power-analysis, by selecting a different dual
cipher at random each time an encryption or decryption is desired.

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
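As an added illustration of the masking idea raised above (this is example code, not part of Victor's message and not the construction of either cited paper): a small Python model of the S-box lookup that question (b) is about. It builds the AES S-box from its definition, then contrasts a plain lookup, whose table index is the secret byte, with a first-order "table remasking" lookup, where a fresh input/output mask pair is drawn and the table is rebuilt so that the index touched in memory is uniformly random and independent of the secret. The cache-line model (16 table entries per line, as for a T-table with 4-byte entries and 64-byte lines), the mask schedule used in the histogram, and all function names are my assumptions for the demonstration; the remasking scheme is the simplest masking countermeasure, not the field-inversion masking of eprint 2004/101.

```python
import os

LINE_SHIFT = 4  # assumed: 16 entries per cache line (4-byte T-table entries, 64-byte lines)

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def _gf_inv(a):
    """Multiplicative inverse in GF(2^8) via a^254; AES defines inv(0) = 0."""
    if a == 0:
        return 0
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        e >>= 1
    return result

def _affine(x):
    """AES affine step: x xor rotl(x,1) xor rotl(x,2) xor rotl(x,3) xor rotl(x,4) xor 0x63."""
    y = x
    for s in (1, 2, 3, 4):
        y ^= ((x << s) | (x >> (8 - s))) & 0xFF
    return y ^ 0x63

# The AES S-box, generated rather than typed in, so the constants are checkable.
SBOX = [_affine(_gf_inv(x)) for x in range(256)]

def sbox_lookup_plain(x, trace):
    """Unprotected lookup: the cache line touched is a direct function of the secret byte,
    so an attacker who learns the line learns the high nibble of x (the key xor plaintext)."""
    trace.append(x >> LINE_SHIFT)
    return SBOX[x]

def make_masked_sbox(m_in, m_out):
    """Build S'(.) such that S'(v ^ m_in) = S(v) ^ m_out for every v (256 table writes)."""
    t = [0] * 256
    for v in range(256):
        t[v ^ m_in] = SBOX[v] ^ m_out
    return t

def sbox_lookup_masked(x, trace, masks=None):
    """First-order masked lookup: the index actually dereferenced is x ^ m_in, which is
    uniformly distributed and independent of x when m_in is fresh and random.
    `masks` is only for deterministic testing; real use draws them from os.urandom."""
    m_in, m_out = masks if masks is not None else tuple(os.urandom(2))
    table = make_masked_sbox(m_in, m_out)
    mx = x ^ m_in
    trace.append(mx >> LINE_SHIFT)
    # Unmask here only to show correctness; a real implementation keeps the output
    # masked and carries m_out through the rest of the round.
    return table[mx] ^ m_out

def line_histogram(x, masked):
    """Model of what a cache-timing observer sees over 256 lookups of the same secret byte:
    returns, per cache line, how many lookups touched it.
    Plain: one line, 256 times. Masked (sweeping every m_in once): each of 16 lines, 16 times."""
    trace = []
    for m in range(256):
        if masked:
            sbox_lookup_masked(x, trace, masks=(m, (m * 7 + 3) & 0xFF))  # constructed schedule
        else:
            sbox_lookup_plain(x, trace)
    hist = [0] * (256 >> LINE_SHIFT)
    for line in trace:
        hist[line] += 1
    return hist

if __name__ == "__main__":
    print("plain, x=0x53:", line_histogram(0x53, masked=False))
    print("masked, x=0x53:", line_histogram(0x53, masked=True))
    print("masked, x=0xFF:", line_histogram(0xFF, masked=True))
```

Two practical caveats the model makes visible. First, the protection only holds if the mask is fresh: if one masked table is shared by all sixteen state bytes of a round, every index is x_i ^ m_in with the same m_in, and an observer who sees two lines learns the difference of the two high nibbles, so the mask must be refreshed (or the table re-randomized) at a rate the threat model justifies. Second, rebuilding a 256-entry table costs 256 writes per fresh mask and touches every cache line of the table, which is why the cost is paid per encryption rather than per lookup in real implementations, and why the answer to "does it cover cache timing" depends on exactly where the masks are refreshed.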


