[Cryptography] Stupid question on S-boxes

Jerry Leichter leichter at lrw.com
Fri Jan 25 18:20:52 EST 2019


> 
>> I'd say the ability to safely do crypto on shared hardware is very much an open question at this point.
> 
> I'd say the answer to this question is a NO.
> 
>> Completely isolated co-processors - [...]
>> - may be the only way forward.
> 
> What is the difference between a shared CPU and a shared (isolated) co-processor?
You wouldn't share the co-processor:  At any one time, it should only be accessible to a single security context.  And you'd reset it to a constant state between security context switches.

The issue here is side-channel attacks.  If there are no channels between the crypto processing and code controlled by attackers, there is no attack against the crypto processing.  The problem, of course, is that "channels" is extremely open-ended.  But a co-processor with its own private memory does limit the possible attacks.  Of the ones that have already been discovered, we could look at differential timing attacks (which we've pretty much learned to handle) and differential power analysis, which can be dealt with by careful hardware design if nothing else.

That's not to say someone won't find another "channel" to attack, but at least all the ones we already know about are either irrelevant, or can be made very difficult to exploit.
                                                        -- Jerry
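The timing side channel the post says we have "learned to handle" is handled by making the amount of work independent of the secret. The following is an added illustration, not code from the original post or the list: a secret-dependent early-exit comparison beside a constant-time one, each counting its own byte operations so the difference is visible without a timer. The function names and the 16-byte tag are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Leaky: returns at the first mismatch, so the work done (and the time
 * taken) reveals how many leading bytes of the guess were correct. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *ops)
{
    *ops = 0;
    for (size_t i = 0; i < n; i++) {
        (*ops)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time: always touches every byte and ORs the differences into
 * an accumulator; the work done does not depend on the data compared. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *ops)
{
    uint8_t diff = 0;
    *ops = 0;
    for (size_t i = 0; i < n; i++) {
        (*ops)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    /* Map diff == 0 to 1 and diff != 0 to 0 without a data-dependent branch:
     * (diff - 1) underflows only when diff is 0, setting bit 8. */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Constructed 16-byte tag and two guesses: one wrong in byte 0, one wrong
 * only in byte 15. Returns 1 when the leaky compare did a different amount
 * of work for the two guesses while the constant-time compare did not. */
int demo_work_depends_on_secret(void)
{
    const uint8_t tag[] = "0123456789abcdef"; /* constructed sample */
    uint8_t g0[16], g15[16];
    memcpy(g0, tag, 16);  g0[0] ^= 1;
    memcpy(g15, tag, 16); g15[15] ^= 1;

    size_t l0, l15, c0, c15;
    leaky_equal(tag, g0, 16, &l0);   /* stops after 1 byte   */
    leaky_equal(tag, g15, 16, &l15); /* stops after 16 bytes */
    ct_equal(tag, g0, 16, &c0);      /* always 16 bytes      */
    ct_equal(tag, g15, 16, &c15);    /* always 16 bytes      */
    return (l0 != l15) && (c0 == c15);
}
```

Operation counts stand in for cycle counts here; on real hardware the same data-dependence shows up in elapsed time, which is what the isolated co-processor argument above is meant to keep away from attacker-controlled code.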


