[Cryptography] Stupid question on S-boxes

Jerry Leichter leichter at lrw.com
Fri Jan 25 13:52:44 EST 2019


> S-boxes leak secret key info through cache timing attacks.  IMO, they should be avoided.
Responding more directly to Henry's comment:  Small S-boxes, if the code is properly arranged, can stay entirely in the cache - you can access every entry in the table up front to get them all in there, for example - so are less likely to leak information through cache timing attacks.  Large S-boxes, on the other hand, are more likely to get partially loaded/knocked out of the cache, giving more purchase to cache timing attacks.

Then again, it's not just S-boxes and it's not just caches.  TLBleed instead uses the TLB to grab EdDSA keys.  I'd say the ability to safely do crypto on shared hardware is very much an open question at this point.  Completely isolated co-processors - whether fixed-algorithm (now fairly common) or loadable (I don't know enough about the internals of Apple's T2 - it does crypto in such a co-processor, but whether the crypto algorithms it runs are hard-wired or in replaceable firmware I don't know) - may be the only way forward.
                                                        -- Jerry
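As an added illustration of the access-pattern point (example code written here, not from Jerry's post): a small-S-box lookup that reads every table entry on every call, so the addresses touched do not depend on the secret index, beside the naive indexed lookup it replaces. The 4-bit S-box is a constructed permutation for this example, not a real cipher's table.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 4-bit S-box: a permutation of 0..15 chosen for this example. */
static const uint8_t SBOX[16] = {
    0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
    0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2
};

/* Naive lookup: the address loaded depends on the secret nibble x, so the
 * cache state (and the load latency) after the call leaks information on x. */
uint8_t sbox_direct(uint8_t x) {
    return SBOX[x & 0x0F];
}

/* Branchless: returns 0xFF when a == b, else 0x00. */
static uint8_t ct_eq_mask(uint8_t a, uint8_t b) {
    uint32_t d = (uint32_t)(a ^ b);          /* 0 iff a == b */
    return (uint8_t)(0u - ((d - 1u) >> 31)); /* (d-1)>>31 is 1 iff d == 0 */
}

/* Scanning lookup: touches all 16 entries in the same order on every call and
 * keeps only the matching one via the mask, so there is no x-dependent address
 * for a cache probe to observe. Cost grows with table size, which is why this
 * is practical for small S-boxes and not for large ones. */
uint8_t sbox_ct(uint8_t x) {
    uint8_t r = 0;
    for (unsigned i = 0; i < 16; i++) {
        r |= SBOX[i] & ct_eq_mask((uint8_t)i, x & 0x0F);
    }
    return r;
}

/* Substitute both nibbles of one byte with the scanning lookup. */
uint8_t sub_byte_ct(uint8_t b) {
    return (uint8_t)((sbox_ct(b >> 4) << 4) | sbox_ct(b & 0x0F));
}

/* Apply the substitution to a buffer in place. */
void sub_bytes_ct(uint8_t *buf, size_t len) {
    for (size_t k = 0; k < len; k++) buf[k] = sub_byte_ct(buf[k]);
}

int main(void) {
    uint8_t msg[4] = {0x01, 0x23, 0xAB, 0xFF}; /* constructed sample block */
    sub_bytes_ct(msg, sizeof msg);
    for (size_t k = 0; k < sizeof msg; k++) printf("%02X ", msg[k]);
    printf("\n"); /* prints: C5 6B F8 22 */
    return 0;
}
```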
