[Cryptography] Best AES candidate broken
Tony Arcieri
bascule at gmail.com
Sun Jul 5 13:47:04 EDT 2015
On Sat, Jul 4, 2015 at 10:34 PM, Ryan Carboni <ryacko at gmail.com> wrote:
> Except there's one problem with that assertion... Rijndael is easily
> broken by.... cache timing, differential power, and many other attacks. The
> knowledge that those attacks could be used certainly was known during the
> AES competition. [relevant page from Serpent submission attached, will show
> up in the Metzdowd archives]
>
Cache timing and DPA can be applied to any implementation of any cipher,
period.
Serpent in particular uses S-boxes just like AES (or for that matter,
Lucifer/DES), which makes it just as difficult to implement in software
with secret-independent timing (note: you brought up cache timing, so
please don't deflect this argument by changing the subject to hardware).
The real solution to cache timing attacks is to eliminate those
secret-dependent table lookups entirely, as seen in e.g. Salsa20 / ChaCha20.
You might want to take off those rose-colored glasses and start paying
attention to modern cryptography. Things have moved on quite a bit since
the 90s.
--
Tony Arcieri
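The contrast the message draws, between a cipher whose S-box is read at a secret-dependent address and an ARX design like ChaCha20 that touches no table at all, as an added illustration that is not part of the original message or thread. The S-box here is a constructed bijection, not the AES table; the quarter round is the one in RFC 7539, checked against that RFC's published test vector.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample S-box: the bijection i -> (167*i + 13) mod 256. It is NOT
 * the AES S-box; any 256-entry table shows the same access pattern. */
static uint8_t SBOX[256];

static void init_sbox(void)
{
    for (unsigned i = 0; i < 256; i++)
        SBOX[i] = (uint8_t)((167u * i + 13u) & 0xffu);
}

/* Leaky pattern: the address read depends on the secret byte x, so which cache
 * line is touched (and hence the timing) varies with the secret. */
static uint8_t sbox_lookup_leaky(uint8_t x)
{
    return SBOX[x];
}

/* Constant-time lookup: every entry is read on every call, and the wanted one
 * is selected with an arithmetic mask rather than a branch or a data-dependent
 * address. Cost: 256 reads per lookup, which is why ARX designs avoid tables. */
static uint8_t sbox_lookup_ct(uint8_t x)
{
    uint8_t result = 0;
    for (unsigned i = 0; i < 256; i++) {
        uint32_t d = i ^ x;                               /* 0 only when i == x */
        uint8_t mask = (uint8_t)(0u - ((d - 1u) >> 31));  /* 0xff iff d == 0 */
        result |= SBOX[i] & mask;
    }
    return result;
}

/* Returns 1 if the constant-time lookup matches the table for all 256 inputs. */
int sbox_lookups_agree(void)
{
    init_sbox();
    for (unsigned x = 0; x < 256; x++)
        if (sbox_lookup_ct((uint8_t)x) != sbox_lookup_leaky((uint8_t)x))
            return 0;
    return 1;
}

/* ChaCha20 quarter round (RFC 7539 section 2.1): only 32-bit add, rotate and
 * xor, so no memory access depends on the state or the key. */
static uint32_t rotl32(uint32_t v, unsigned c)
{
    return (v << c) | (v >> (32 - c));
}

void chacha_quarter_round(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
{
    *a += *b; *d ^= *a; *d = rotl32(*d, 16);
    *c += *d; *b ^= *c; *b = rotl32(*b, 12);
    *a += *b; *d ^= *a; *d = rotl32(*d, 8);
    *c += *d; *b ^= *c; *b = rotl32(*b, 7);
}

/* Returns 1 if the quarter round reproduces the RFC 7539 section 2.1.1 vector. */
int chacha_quarter_round_vector_ok(void)
{
    uint32_t a = 0x11111111u, b = 0x01020304u, c = 0x9b8d6f43u, d = 0x01234567u;
    chacha_quarter_round(&a, &b, &c, &d);
    return a == 0xea2a92f4u && b == 0xcb1cf8ceu &&
           c == 0x4581472eu && d == 0x5881c4bbu;
}

int main(void)
{
    printf("constant-time S-box lookup agrees with table: %s\n",
           sbox_lookups_agree() ? "yes" : "no");
    printf("ChaCha quarter round matches RFC 7539 vector: %s\n",
           chacha_quarter_round_vector_ok() ? "yes" : "no");
    return 0;
}
```

The masked scan is the standard software mitigation when a table-based cipher must be used; its 256x read cost per byte is the price the message alludes to, and the quarter round shows the alternative: a round built from operations whose memory behaviour never depends on secret data.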