[Cryptography] Best AES candidate broken

Tony Arcieri bascule at gmail.com
Sun Jul 5 13:47:04 EDT 2015

On Sat, Jul 4, 2015 at 10:34 PM, Ryan Carboni <ryacko at gmail.com> wrote:

> Except there's one problem with that assertion... Rijndael is easily
> broken by.... cache timing, differential power, and many other attacks. The
> knowledge that those attacks could be used certainly was known during the
> AES competition. [relevant page from Serpent submission attached, will show
> up in the Metzdowd archives]

Cache timing and DPA can be applied to any implementation of any cipher,

Serpent in particular uses S-boxes just like AES (or for that matter,
Lucifer/DES), which makes it just as difficult to implement in software
with secret independent timing (note: you brought up cache timing, so
please don't deflect this argument by changing the subject to hardware)

The real solution to cache timing attacks is to eliminate those
secret-dependent table lookups entirely, as seen in e.g. Salsa20 / ChaCha20.

You might want to take off those rose colored glasses and start paying
attention to modern cryptography. Things have moved on quite a bit since
the 90s.

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150705/2304b6ea/attachment.html>

More information about the cryptography mailing list