[17549] in cryptography@c2.net mail archive


Re: AES timing attacks, why not "whiten" the implementation?

daemon@ATHENA.MIT.EDU (David Alexander Molnar)
Thu Jun 23 20:00:34 2005

X-Original-To: cryptography@metzdowd.com
Date: Thu, 23 Jun 2005 16:49:30 -0700 (PDT)
From: David Alexander Molnar <dmolnar@EECS.berkeley.EDU>
To: Beryllium Sphere LLC <1dxqk0p02@sneakemail.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <3848-46375@sneakemail.com>

On Thu, 23 Jun 2005, Beryllium Sphere LLC wrote:

> Can you destroy the relationship between key contents and timing without hurting average run time?
>
> Each round of AES has sixteen table lookups. If you permute the order in which the implementation does the lookups, then you get a completely different pattern of cache hits and misses. If you permute the order of lookups in a key-independent fashion for every encryption operation then each key has 16! or almost 21 trillion possible timings.
>
> If I'm not making sense in English, schematic pseudocode would look like
>
> Let indirection_array=random permutation of (0..15)

1) How do you generate this in a way that does not leak information about
the permutation generated?

2) How many times can you re-use a single indirection array?

3) How quickly can you generate new indirection arrays?

-David Molnar

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
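An added illustration, not from the thread or from either poster: the permuted-lookup idea above applied to one SubBytes step, with Fisher-Yates from a CSPRNG as the generator of the indirection array. Function names are my own, and the S-box is derived in code rather than tabulated. It shows that the result is identical for every one of the 16! orders while the sequence of S-box addresses a cache observer sees changes, and that the generator's own swaps are secret-dependent accesses, which is where the first question bites.

```python
import math
import secrets
def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox():
    """Derive the AES S-box: inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
def random_permutation(n):
    """Fisher-Yates over 0..n-1 from a CSPRNG: the 'indirection_array'.
    Question 1 applies here: the swap indices j are secret-dependent memory accesses."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def sub_bytes_permuted(state, order=None):
    """SubBytes on a 16-byte state, visiting bytes in `order` (random if None).
    The output is order-independent; only the S-box access pattern changes."""
    if order is None:
        order = random_permutation(16)
    out = bytearray(16)
    for idx in order:
        out[idx] = SBOX[state[idx]]
    return bytes(out), order

def lookup_trace(state, order):
    """Sequence of S-box addresses touched in that order: what a cache observer sees."""
    return [state[idx] for idx in order]
def permutation_count(n):
    """Distinct lookup orders for n lookups: 16! (about 20.9 trillion) for one round."""
    return math.factorial(n)
```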
