AES timing attacks, why not "whiten" the implementation?
Victor Duchovni
Victor.Duchovni at MorganStanley.com
Fri Jun 24 00:42:32 EDT 2005
On Fri, Jun 24, 2005 at 03:36:19AM -0000, Beryllium Sphere LLC wrote:
> (b) Is there a better way to scramble the timing of an AES operation
> without going to the last resort of padding everything to worst-case timing?
Perhaps something along the lines of:
"Provably Secure Masking of AES": http://eprint.iacr.org/2004/101.pdf
Just found the paper, can't speak to its quality or applicability,
but it appears to tackle this sort of problem, and if it fails to cover
cache timing, that too is interesting...
There was recently some discussion of the family of ciphers
dual to AES, and the fact that some of the equivalent ciphers yield
efficient hardware implementations. It is interesting to ask whether the
existence of dual ciphers can be used in approaches to thwart cache timing
attacks... This thought is not new, http://eprint.iacr.org/2002/157.ps
at the bottom of page 12 says:
The existence of dual ciphers can also be used to protect implementation[s]
against fault-analysis and power-analysis, by selecting a different dual
cipher at random each time an encryption or decryption is desired.
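An added worked example, not code from the post above or from either cited paper: a toy Python model of the first-round cache-timing leak the thread is about, with the S-box lookup done once unmasked and once through a Boolean re-masked table. The S-box is generated from its GF(2^8) definition rather than typed in; the cache geometry (16 table entries per line, as for a 32-bit T-table with 64-byte lines) and the per-encryption re-masking scheme are assumptions of the example and are not the construction of the cited paper.

```python
"""Toy model of the first-round AES cache-timing leak, unmasked vs. masked.

Added example, not code from the post or from the cited papers.  Assumptions:
  * the cache model is 16 table entries per line (as for a 32-bit T-table
    with 64-byte lines), so an observer learns index >> 4 of each lookup;
  * the countermeasure is a simplified Boolean re-masking of the S-box table
    per encryption, not the construction of the cited paper.
"""
import secrets

ENTRIES_PER_LINE = 16  # assumed cache geometry


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES maps 0 to 0."""
    if a == 0:
        return 0
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)


def sbox_entry(x: int) -> int:
    """AES S-box: inversion followed by the affine map (four rotations XOR 0x63)."""
    v = gf_inv(x)
    s = v
    for i in range(1, 5):
        s ^= ((v << i) | (v >> (8 - i))) & 0xFF
    return s ^ 0x63


SBOX = [sbox_entry(x) for x in range(256)]


def unmasked_lookup(p: int, k: int, trace: list) -> int:
    """Plain table lookup S[p ^ k]; the cache line touched depends on p ^ k."""
    idx = p ^ k
    trace.append(idx // ENTRIES_PER_LINE)
    return SBOX[idx]


def masked_lookup(p: int, k: int, trace: list) -> int:
    """Same result, but via a freshly re-masked table.

    S'(x) = S(x ^ m_in) ^ m_out is built by a fixed sweep over all 256
    entries (key-independent, so not recorded); the one key-dependent
    lookup hits index p ^ k ^ m_in, which is uniform for a fresh m_in.
    """
    m_in, m_out = secrets.randbelow(256), secrets.randbelow(256)
    masked_table = [SBOX[x ^ m_in] ^ m_out for x in range(256)]
    idx = p ^ k ^ m_in
    trace.append(idx // ENTRIES_PER_LINE)
    return masked_table[idx] ^ m_out


def recover_high_nibble(lookup, k: int, samples: int = 1024):
    """Attacker model: knows each plaintext byte p and observes which cache
    line the lookup touched.  If line == (p ^ k) >> 4, then line ^ (p >> 4)
    is the high nibble of k; tally that candidate over many samples and
    return (best candidate, fraction of votes it received)."""
    votes = [0] * 16
    for _ in range(samples):
        p = secrets.randbelow(256)
        trace = []
        lookup(p, k, trace)
        votes[trace[-1] ^ (p >> 4)] += 1
    best = max(range(16), key=votes.__getitem__)
    return best, votes[best] / samples


if __name__ == "__main__":
    key_byte = 0xC7
    print("unmasked:", recover_high_nibble(unmasked_lookup, key_byte))  # (12, 1.0)
    print("masked:  ", recover_high_nibble(masked_lookup, key_byte))
```

In the unmasked case a single observed line already fixes the high nibble of the key byte, which is the first-round attack the thread is worried about; with a fresh mask per block the observed line is independent of the key and the vote tally stays flat. The price is visible in the code: the re-masking sweep costs 256 table accesses per block on top of the lookups, and the scheme only helps as long as that sweep and everything else in the implementation remain key-independent.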