[Cryptography] Best AES candidate broken

Tony Arcieri bascule at gmail.com
Mon Jul 6 18:30:00 EDT 2015

On Mon, Jul 6, 2015 at 10:26 AM, Jack Lloyd <lloyd at randombit.net> wrote:

> Serpent uses sboxes, but ones intentionally designed to be implemented
> using bitslicing rather than table lookups. I'm not aware of any
> non-toy Serpent implementation that actually does 4->4 bit lookups,
> rather than evaluating all 16 lookups in parallel using bitwise operations
> whose sequence does not depend on any secret data. Do you?

I'm not aware of any, and yes, Serpent does make bitslicing easier to
implement than AES. Of course any purely software implementation of AES
attempting to achieve secret-independent timings is likely to be using
bitslicing techniques too.

That said, it's still entirely possible to produce naive implementations,
and if they don't exist for Serpent (hard to prove a negative), that's
likely because nobody cared enough to write a crappy version.

I would guess that spending not too much time Googling would turn one up,
but I have better things to do with my time.

Tony Arcieri
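The technique the thread refers to, evaluating all 16 entries of a 4->4 bit S-box in parallel with a fixed sequence of AND/XOR operations instead of indexing a table with secret data, can be shown generically. The example below is added here and is not code from the thread or from any Serpent or AES implementation; it derives the algebraic normal form (ANF) of each output bit of a 4-bit S-box with a Moebius transform and evaluates that ANF over 32-bit words, so 32 nibbles are substituted at once and the operation sequence depends only on the public table. The table is Serpent's S0 as published in the Serpent specification (the assumption here is that it was transcribed correctly; the code works for any 16-entry table); real bitsliced Serpent code uses hand-optimized gate sequences rather than this generic ANF expansion.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Serpent S-box S0 as published in the Serpent specification (public constant). */
static const uint8_t SBOX_S0[16] = {3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12};

/* ANF of one S-box: anf[bit][m] == 1 iff monomial m (bit v of m set means
 * input variable x_v is a factor) appears in the XOR-sum for output bit `bit`. */
typedef struct { uint8_t anf[4][16]; } sbox_anf_t;

/* Moebius transform: truth table -> ANF coefficients for each of the 4 output bits. */
void sbox_to_anf(const uint8_t sbox[16], sbox_anf_t *out) {
    for (int bit = 0; bit < 4; bit++) {
        uint8_t f[16];
        for (int x = 0; x < 16; x++) f[x] = (sbox[x] >> bit) & 1;
        for (int i = 1; i < 16; i <<= 1)
            for (int x = 0; x < 16; x++)
                if (x & i) f[x] ^= f[x ^ i];
        memcpy(out->anf[bit], f, 16);
    }
}

/* Bitsliced evaluation: in[v] holds input bit v of 32 independent nibbles (one per
 * lane), out[bit] receives output bit `bit` of all 32 results. The branches below
 * depend only on the public ANF, never on the lane contents. */
void sbox_bitsliced(const sbox_anf_t *a, const uint32_t in[4], uint32_t out[4]) {
    for (int bit = 0; bit < 4; bit++) {
        uint32_t acc = 0;
        for (int m = 0; m < 16; m++) {
            if (!a->anf[bit][m]) continue;      /* public, data-independent */
            uint32_t term = 0xFFFFFFFFu;         /* m == 0 is the constant-1 monomial */
            for (int v = 0; v < 4; v++)
                if (m & (1u << v)) term &= in[v];
            acc ^= term;
        }
        out[bit] = acc;
    }
}

/* Transpose 32 nibbles into / out of the bitsliced representation. */
void pack_nibbles(const uint8_t nib[32], uint32_t words[4]) {
    for (int v = 0; v < 4; v++) {
        words[v] = 0;
        for (int j = 0; j < 32; j++) words[v] |= (uint32_t)((nib[j] >> v) & 1) << j;
    }
}
void unpack_nibbles(const uint32_t words[4], uint8_t nib[32]) {
    for (int j = 0; j < 32; j++) {
        nib[j] = 0;
        for (int v = 0; v < 4; v++) nib[j] |= (uint8_t)(((words[v] >> j) & 1) << v);
    }
}

/* Substitute a single nibble through the bitsliced path (broadcast to all lanes). */
uint8_t sbox_eval_one(uint8_t x) {
    sbox_anf_t a; uint32_t in[4], out[4];
    sbox_to_anf(SBOX_S0, &a);
    for (int v = 0; v < 4; v++) in[v] = ((x >> v) & 1) ? 0xFFFFFFFFu : 0;
    sbox_bitsliced(&a, in, out);
    uint8_t y = 0;
    for (int v = 0; v < 4; v++) y |= (uint8_t)((out[v] & 1) << v);
    return y;
}

/* Returns 1 if the bitsliced result equals the table lookup for every input value. */
int bitsliced_matches_table(void) {
    uint8_t nib[32], res[32]; uint32_t in[4], out[4]; sbox_anf_t a;
    for (int j = 0; j < 32; j++) nib[j] = (uint8_t)(j & 15);   /* each input twice */
    sbox_to_anf(SBOX_S0, &a);
    pack_nibbles(nib, in);
    sbox_bitsliced(&a, in, out);
    unpack_nibbles(out, res);
    for (int j = 0; j < 32; j++)
        if (res[j] != SBOX_S0[nib[j]]) return 0;
    return 1;
}

int main(void) {
    printf("bitsliced == table lookup: %s\n", bitsliced_matches_table() ? "yes" : "no");
    printf("S0(0) = %u, S0(13) = %u\n", sbox_eval_one(0), sbox_eval_one(13));
    return 0;
}
```

The point worth noticing is in `sbox_bitsliced`: the only conditionals read the ANF coefficient table, which is a function of the public S-box, so an observer of memory accesses or branch timing learns nothing about the 32 nibbles being substituted. A table-lookup version (`SBOX_S0[x]`) indexes memory with the secret value itself, which is exactly what cache-timing attacks on T-table AES exploit.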