[Cryptography] Best AES candidate broken by the way that
dj at deadhat.com
Mon Jul 6 13:23:39 EDT 2015
On 7/5/15 1:19 PM, Krisztián Pintér wrote:
> to be fair, AES was intended to be implemented with lookup tables.
> granted, the original paper is a beautiful piece of math, but nobody
> ever envisioned those calculations to be ever implemented in any real
> life software. AES was created with the widespread implementation in
> let's see this table:
>   nist p256 naive implementation | nist p256 timing resistant impl
>   AES literal implementation     | AES intended implementation
> both algorithms have a modern, safe but slow implementation and a fast
> but vulnerable one. the fact that AES comes with a safe implementation,
> so you don't have to work it out, is nice and all, but bears very
> minor practical relevance.
It seems that what is optimal for software speed of ECC is not optimal
for side-channel mitigation in hardware ECC implementations. This is at
the core of 'which curve to use' arguments I've been in recently.