AES timing attacks, why not "whiten" the implementation?

Elisabeth Oswald Elisabeth.Oswald at iaik.at
Sat Jun 25 02:03:56 EDT 2005


Victor Duchovni wrote:

>>(b) Is there a better way to scramble the timing of an AES operation
>>without going to the last resort of padding everything to worst-case timing?
> 
> 
> Perhaps something along the lines of:
> 
>     "Provably Secure Masking of AES": http://eprint.iacr.org/2004/101.pdf
> 
> Just found the paper, can't speak to its quality or applicability,
> but it appears to tackle this sort of problem, and if it fails to cover
> cache timing, that too is interesting...

The article was published last year at SAC and is a decent
description of how to mask the AES SubBytes operation.
It is tailored to prevent power analysis and EM attacks.
I have written a paper about an equivalent but slightly
optimized masking scheme myself.

From my point of view, if only the table lookup causes
the timing leakage in some AES implementations, the most
practical masking approach to get rid of this problem is
to just mask this table lookup.
This is the difference to masking to prevent power analysis
or EM attacks -- there really every step needs to be masked.

> There was recently some discussion of the family of ciphers
> dual to AES, and the fact that some of the equivalent ciphers yield
> efficient hardware implementations. It is interesting to ask whether the
> existence of dual ciphers can be used in approaches to thwart cache timing
> attacks... This thought is not new, http://eprint.iacr.org/2002/157.ps
> at the bottom of page 12 says:

These things are theoretically interesting but practically
of limited value. Efficient AES hardware implementations, in
case that efficient means small, make use of composite field
arithmetic. The difference between the different ways to
define the composite fields leads then to a negligible difference
in practice.

Elisabeth
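As an added illustration of the "mask only the table lookup" approach Oswald describes (this is example code written for this page, not code from the thread or from either paper): the S-box is generated from its definition, then re-tabulated under a fresh input/output mask pair so that the index used to address memory is the masked value x ^ m_in rather than the key-dependent x. Mask values, the helper names and the self-check are constructed for the example; the masks must come from a real RNG and be refreshed per use in a deployment.

```c
#include <stdint.h>

static uint8_t sbox[256];

/* Multiplication in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        uint8_t hi = a & 0x80;
        a = (uint8_t)(a << 1);
        if (hi) a ^= 0x1b;
        b >>= 1;
    }
    return p;
}

/* Inverse as a^254 (maps 0 to 0, as AES requires). */
static uint8_t gf_inv(uint8_t a) {
    uint8_t r = 1;
    for (int i = 0; i < 254; i++) r = gf_mul(r, a);
    return r;
}

/* S-box = affine map applied to the field inverse. */
static void init_sbox(void) {
    for (int x = 0; x < 256; x++) {
        uint8_t b = gf_inv((uint8_t)x), s = b;
        for (int i = 0; i < 4; i++) {
            b = (uint8_t)((b << 1) | (b >> 7));   /* rotate left by 1 */
            s ^= b;
        }
        sbox[x] = s ^ 0x63;
    }
}

/* Masked table for one (m_in, m_out) pair: T[x ^ m_in] = sbox[x] ^ m_out.
 * A lookup with the masked index therefore yields the masked output, and
 * the unmasked index never addresses the table. Rebuilt for every fresh mask. */
static void build_masked_sbox(uint8_t T[256], uint8_t m_in, uint8_t m_out) {
    for (int x = 0; x < 256; x++) T[x ^ m_in] = sbox[x] ^ m_out;
}

/* Self-check (constructed): masked lookup, unmasked with m_out, must equal
 * the plain S-box for every input byte. Returns 1 on success, 0 on mismatch. */
int masked_sbox_consistent(uint8_t m_in, uint8_t m_out) {
    uint8_t T[256];
    init_sbox();
    build_masked_sbox(T, m_in, m_out);
    for (int x = 0; x < 256; x++)
        if ((T[(uint8_t)(x ^ m_in)] ^ m_out) != sbox[x]) return 0;
    return 1;
}

uint8_t aes_sbox(uint8_t x) { init_sbox(); return sbox[x]; }
```

The cost of this scheme is the 256-entry table rebuild per mask pair; whether the remaining (masked) access pattern is observable is exactly the cache-timing question the thread is asking.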



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
