[Cryptography] Best AES candidate brokenby the way that

Krisztián Pintér pinterkr at gmail.com
Sun Jul 5 16:19:25 EDT 2015

>> Except there's one problem with that assertion... Rijndael is easily
>> broken by.... cache timing,
> But it is important to distinguish between algorithm failures and
> implementation failures.

to be fair, AES was intended to be implemented with lookup tables.
granted, the original paper is a beautiful piece of math, but nobody
ever envisioned those calculations to be ever implemented in any real
life software. AES was created with the widespread implementation in

let's see this table:

 nist p256 naive implementation      nist p256 timing resistant impl

   AES literal implementation          AES intended implementation

both algorithms have a modern, safe but slow implementation and a fast
but vulnerable one. the fact that AES comes with a safe implementaton,
so you don't have to work it out, is nice and all, but bears very
minor practical relevance.

More information about the cryptography mailing list