[Cryptography] Best AES candidate broken

Brian Gladman brg at gladman.plus.com
Sun Jul 5 17:45:00 EDT 2015


On 05/07/2015 18:47, Tony Arcieri wrote:
> On Sat, Jul 4, 2015 at 10:34 PM, Ryan Carboni <ryacko at gmail.com> wrote:
> 
>     Except there's one problem with that assertion... Rijndael is easily
>     broken by.... cache timing, differential power, and many other
>     attacks. The knowledge that those attacks could be used certainly
>     was known during the AES competition. [relevant page from Serpent
>     submission attached, will show up in the Metzdowd archives]
> 
> 
> Cache timing and DPA can be applied to any implementation of any cipher,
> period.
> 
> Serpent in particular uses S-boxes just like AES (or for that matter,
> Lucifer/DES), which makes it just as difficult to implement in software
> with secret independent timing (note: you brought up cache timing, so
> please don't deflect this argument by changing the subject to hardware).
> 
> The real solution to cache timing attacks is to eliminate those
> secret-dependent table lookups entirely, as seen in e.g. Salsa20 / ChaCha20.

In my view the practical impact of cache timing attacks is less than
might be expected given the publicity that they have received.  Moving
such attacks from the laboratory to the real world is quite difficult
and even in situations where such attacks are feasible, simple measures
are generally available to prevent timing information being gained
without having to forego the speed of table driven implementations.

And, before someone mentions it, I am aware that such attacks have been
demonstrated outside the laboratory. But I am also aware of just how
many systems involving cryptographic components have been deployed
without any proper threat analysis and/or systems security reviews.
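To make the point concrete, here is an added example (not code from either poster) contrasting a secret-indexed table lookup with a lookup that touches every table entry and selects by mask, so its memory access pattern no longer depends on the input. The S-box is a constructed 16-entry permutation, not a table from AES or Serpent.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed 4-bit S-box: a sample permutation, not any real cipher's table. */
static const uint8_t SBOX[16] = {
    0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
    0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2
};

/* Table-driven lookup: the address read depends on the secret nibble, so
 * which cache line is touched can leak to a co-resident observer. This is
 * the secret-dependent lookup pattern the thread is arguing about. */
uint8_t sbox_table_lookup(uint8_t x)
{
    return SBOX[x & 0x0F];
}

/* Returns 0xFF when a == b and 0x00 otherwise, with no data-dependent branch. */
static uint8_t ct_eq_mask(uint8_t a, uint8_t b)
{
    uint8_t d = a ^ b;                          /* zero iff a == b */
    /* (d | -d) has bit 7 set iff d != 0; shift it down and subtract 1 */
    return (uint8_t)(((d | (uint8_t)(0u - d)) >> 7) - 1u);
}

/* Constant-time lookup: every entry is read on every call and the wanted
 * one is selected by mask, so the access pattern is identical for all
 * inputs. The cost grows linearly with table size, which is the price
 * paid relative to the fast table-driven version. */
uint8_t sbox_ct_lookup(uint8_t x)
{
    uint8_t out = 0;
    for (size_t i = 0; i < 16; i++) {
        out |= SBOX[i] & ct_eq_mask((uint8_t)i, x & 0x0F);
    }
    return out;
}

/* Sanity check: both lookups must agree on all 16 inputs; returns 1 if so. */
int lookups_agree(void)
{
    for (unsigned x = 0; x < 16; x++) {
        if (sbox_table_lookup((uint8_t)x) != sbox_ct_lookup((uint8_t)x))
            return 0;
    }
    return 1;
}
```

For a 256-entry byte table the masked scan reads sixteen times as much per lookup, which is the speed cost that the "simple measures" Brian mentions (such as keeping tables small or preloading them into cache) try to avoid paying in full.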
